Trusted Contributor.

Problems parsing with SmartConnector


Hello all!

 

So my problem is, I am trying to build a SmartConnector that gets the data (NSS VLOG logs) from syslog and then sends the events to both ArcSight and Sentinel. The SmartConnector uses CEF fields, and I'm unable to parse, namely, the "initiatorUserDomain" into Sentinel, since there is no such field I could assign the information to in the SmartConnector parser. I put the appropriate information into "deviceCustomString5" in the SmartConnector, checked in Sentinel Control Center how it processes the event, and found it gets that value in the "cs5" field. I have exported the configuration of the connector and had a good look in the map files, but I can't seem to find a way to map the customString5 value to the initiatorUserDomain field (tried as cef.extensions.cs5 in rec2evt.map, and also some other variations, without success). I'm not much of an expert in JS, so I didn't touch those script files.

Any kind of help is more than welcome.

Best regards, Thomas

 



2 Replies
Respected Contributor.

Check this post to see if it helps.

https://community.microfocus.com/t5/Sentinel-Tips-Information/Sentinel-customFieldMaps-ArcSight-Parsing-Universal-Common-Event/ta-p/2687531

 

I created specific vendor customFieldMaps files that matched the ProductName in Sentinel.

 

Could try:

Sentinel Event Field,Input Record Field
InitiatorUserDomain,cef.extensions.cs5

 

Or this which should work:

Sentinel Event Field,Input Record Field
CEFCustomString5,cef.extensions.cs5


Trusted Contributor.

Thanks for helping me solve the problem. Tbh I was about to simply accept the fact that I would have to insert both Tree and Org into the src/dst username field.

All I had to do was create a map file in the main directory (following the post you gave me) with:

Sentinel Event Field,Input Record Field
CEFCustomString4,cef.extensions.cs4
CEFCustomString5,cef.extensions.cs5

and after this I could actually map those custom fields to Sentinel event fields in Rec2Evt.map.

This issue gave me a headache and I really appreciate that you answered and helped me solve this.

Best regards, Thomas

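To make the two-stage mapping from the accepted answer and the follow-up concrete, here is an added Python example (not code from this thread, from Sentinel or from ArcSight): it parses a constructed CEF line of the kind the SmartConnector emits, applies a customFieldMaps-style CSV with the header shown above to expose cs5 as CEFCustomString5, and then applies a second, assumed Rec2Evt-style two-column map to assign that value to InitiatorUserDomain. The CEF parser honours the CEF escape rules, so an '=' or backslash inside a user-supplied value cannot shift the fields that follow it; the sample event, the map contents and the two-column shape of the Rec2Evt stage are constructed assumptions.

```python
import csv
import re

# Constructed sample event with the initiator's domain in deviceCustomString5 (cs5).
SAMPLE_CEF = ("CEF:0|Novell|NSS VLOG|1.0|100|File access|3|"
              "src=10.0.0.5 suser=thomas cs5=CORP\\\\users cs5Label=InitiatorDomain "
              "msg=read file\\=report.txt")
# Constructed customFieldMaps content, using the header posted in the thread.
CUSTOM_FIELD_MAP_CSV = """Sentinel Event Field,Input Record Field
CEFCustomString4,cef.extensions.cs4
CEFCustomString5,cef.extensions.cs5
"""
# Constructed stand-in for the Rec2Evt.map stage (assumed to use the same two-column shape).
REC2EVT_CSV = """Sentinel Event Field,Input Record Field
InitiatorUserDomain,CEFCustomString5
"""
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def parse_cef(line):
    """Flatten a CEF line into cef.<header> and cef.extensions.<key> entries, honouring
    CEF escapes ('\\|' in the header, '\\=' and '\\\\' in values) so data cannot shift fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)   # 7 header fields + extensions
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = {"cef." + k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts)}
    # A value runs until the next ' key=' token; escaped characters are consumed as pairs.
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", parts[7]):
        record["cef.extensions." + m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return record

def load_field_map(csv_text):
    """Read 'Sentinel Event Field,Input Record Field' rows into (event_field, record_field) pairs."""
    rows = csv.DictReader(csv_text.splitlines())
    return [(r["Sentinel Event Field"].strip(), r["Input Record Field"].strip()) for r in rows]

def apply_field_map(record, field_map):
    """Copy each mapped record field that is present onto its Sentinel event field name."""
    return {ev: record[rf] for ev, rf in field_map if rf in record}

def build_event(line):
    """Two stages as in the thread: customFieldMaps exposes cs5, then Rec2Evt assigns it."""
    record = parse_cef(line)
    stage1 = apply_field_map(record, load_field_map(CUSTOM_FIELD_MAP_CSV))
    record.update(stage1)   # make CEFCustomString5 addressable by the second stage
    stage2 = apply_field_map(record, load_field_map(REC2EVT_CSV))
    return {**stage1, **stage2}
```

Running `build_event(SAMPLE_CEF)` yields only CEFCustomString5 and InitiatorUserDomain, since the sample carries no cs4; a missing input field is skipped rather than producing an empty event field.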