Cybersecurity
DevOps Cloud
IT Operations Cloud
Summary
Mapping additional data value to ArcSight field in Logger
Products
ArcSight Logger
Environment
Logger - All versions
Connector - All versions
Situation
The process of mapping additional data value is not easy with Logger alone, but with ESM it is rather simple and straightforward.
Resolution
This is a quick example of custom mapping additional data in Logger.
a) agent ID: Need to know the agentID. The easiest way is to look in user/agent/agent.properties.
Example:
agents[0].destination[1].agentid=3qN7D14gBABCABeuJX3s4bQ\=\=
b) Device Vendor and Product: In this example, OpenText and Logger
c) The additional data fields that you want to map to ArcSight event fields. See the raw message in Logger to determine the names of the additional data fields.
1. To put this all together, you need to first create the file ngmappings.adatamappings.properties in the following directory.
current/user/agent/aup/<agent id>/fcp/custommappings/<Device Vendor>/<Device Product>
Notice that you need to replace the agent ID variable with that of the agent ID found in above a).
Possible you have to create several of these directories.
Example:
current/user/agent/aup/3qN7D14gBABCABeuJX3s4bQ==/fcp/custommappings/OpenText/Logger
2. Now you have to populate the file ngmappings.adatamappings.properties.
In this example, two fields ad.deviceowner and ad.devicehostname are to flexString1 and flexString2.
The ngmappings.adatamappings.properties file will look like this:
#ArcSight Properties File event.flexString1=deviceowner event.flexString2=devicehostname
3. Restart the Connector and look for values to be populated.
The following is the test result.
Raw Event which was sent to Logget which has "ad.deviceowner=Device Owner ad.devicehostname=Device Host Name":
CEF:0|OpenText|Logger|||Test Alert Event|Unknown| eventId=6 msg=Additional Data Test start=1687328307386 end=1687328307386 ad.deviceowner=Device Owner ad.devicehostname=Device Host Name
Logger search results:
First event (without ngmappings.adatamappings.properties) and second event (with ngmappings.adatamappings.properties)
You can see additional data ad.deviceowner and ad.devicehostname of the first event are mapped to flexString1 and flexString2 ArcSight fields of second event respectively.
Raw messages in Logger:
First event (without ngmappings.adatamappings.properties):
RAW CEF:0|OpenText|Logger|||Test Alert Event|Unknown| eventId=6 msg=Additional Data Test start=1687328307386 end=1687328307386 art=1687404214697 deviceSeverity=Unknown rt=1687404214697 ahost=172.17.74.4 agt=172.17.74.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 amac=00-15-5D-00-04-02 av=8.0.0.8322.0 atz=Asia/Tokyo at=syslog dvchost=jpsuzukiats03.mshome.net dvc=172.31.208.1 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 dtz=Asia/Tokyo geid=22707622307014912 _cefVer=0.1 ad.deviceowner=Device Owner ad.devicehostname=Device Host Name aid=3qN7D14gBABCABeuJX3s4bQ\=\=
Second event (with ngmappings.adatamappings.properties):
RAW CEF:0|OpenText|Logger|||Test Alert Event|Unknown| eventId=6 msg=Additional Data Test start=1687328307386 end=1687328307386 art=1687405656798 deviceSeverity=Unknown rt=1687405656794 flexString1=Device Owner flexString2=Device Host Name ahost=172.17.74.4 agt=172.17.74.4 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 amac=00-15-5D-00-04-02 av=8.0.0.8322.0 atz=Asia/Tokyo at=syslog dvchost=jpsuzukiats03.mshome.net dvc=172.31.208.1 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 dtz=Asia/Tokyo geid=22707622676192768 _cefVer=0.1 aid=3qN7D14gBABCABeuJX3s4bQ\=\=
22-Jun-2023•Knowledge
URL Name
KM000018850