• CEF event with syslog header gets device address/hostname parsed wrong if CEF has dvc= entry

    Hello, we have CheckPoint firewalls sending events over syslog in CEF format. The problem is that the events also have the SYSLOG header containing deviceAddress. For CheckPoint Identity Awareness, events get generated like this: Jan 13 14:25:36 xx.xx.xx…
  • How to integrate OpenVAS vulnerability scanner and ArcSight?

    Hi geeks, In a SOC, the OpenVAS tool is used as a vulnerability monitoring system, while their SIEM is ArcSight. Today I have to configure OpenVAS to send the scan results to the SIEM. But there seems to be no official Smart Connector for Greenbone OpenVAS…
  • Akamai WAF integration with Arcsight

    I'm kind of a newbie with Arcsight so please be gentle... Looking for a connector or solution to pull events or CEF logs from an Akamai WAF API and send them to my ESM/Logger? Not seeing a solid solution out there. Akamai offers a CEF connector that's…
  • CEF parser Override for PaloAlto System messages

    Hello, I am facing an issue to create a parser subagent for CEF syslog messages. 1- I created a subagent file and placed it under ..\current\user\agent\flexagent\syslog 2- I named the file PaloAlto_syslog.subagent.sdkrfilereader.properties 3- I modified…
  • Windows application logs in CEF format

    Hi, I need help parsing Windows application event logs that include CEF format logs. Below is a sample of the Windows application logs: {"System":{"EventId":"2","Version":"","Channel":"Application","ProviderName":"SWIFTNet Link","Computer":test-1","EventRecordID…
  • What is the official standard for architecture and topologies of an ArcSight SIEM implementation?

    Hi Everybody, I have an important question that I could not find an official reference to answer. Who can provide an official document or references on ArcSight SIEM (ESM, Logger, Smart Connector) standards and recommendations for deployment and proposed…
  • How to keep device-id field value after adding a raw syslog destination in a Syslog Connector?

    Hi, I have a Syslog Daemon Smart Connector receiving Syslog events from Fortigate. I want to forward all events to Splunk Enterprise as "Raw Syslog". But my purpose is keeping the "device-id" field value in Syslog format like the originally received events…
  • RE: ArcSight UBA - Log Ingestion (Bluecoat)

    Hello again, Finally I have obtained some results regarding CEF, bluecoat parsing on HPE UBA 5.0 after various tests performed: 1. UEBA with its native CEF parser (arcsight.properties) can parse and trigger Policy Violations for CEF-formatted BlueCoat…
  • RE: ArcSight UBA 5.0 - Add Data in CEF format

    Hello, Does anyone know if it is necessary to build my own regular expression for parsing CEF events, apart from using the following files that exist in UEBA? - Arcsight (CEF).properties - arcsight.properties Best regards, Grigoris
  • ArcSight UBA 5.0 - Add Data in CEF format

    Hello everyone, I have installed ArcSight UBA 5.0 and now I'm trying to achieve the UBA to process log files in CEF format. These log files contain CEF formatted logs which are the correlations exported from ArcSight ESM. Now, I am getting troubled with…
  • RE: ArcSight UBA - Log Ingestion (Bluecoat)

    Hello, Has anyone also achieved ingesting CEF formatted log files into UBA 5.0? I have some files that contain logs in CEF format (correlations from ArcSight ESM) and I am trying to ingest them (using the "file import" datasource) into UBA. However I am a bit confused…
  • Which of the types of connectors can normalize the Cisco Series ASR9000 logs?

    Hi everyone, I have a Cisco Router ASR9000. From the router, I send all needed logs to the connector as syslog with local7-debugging severity level. However, I can see all logs and captured traffic by tcpdump without any problem, but no logs are normalized…
  • How can I enable IPv6 support in ArcSight ESM?

    Hi, I am receiving all normalized logs as CEF version 1.0 from all Syslog Daemon Smart Connectors in Logger. Then all events are forwarded from Logger to the ESM destination. Also, in the Logger I can search all logs and indexed fields without any problem. But…
  • Some fields of FortiGate logs don't parse correctly. Do I need to write a Flex Connector?

    Hi everyone, As you know, for FortiGate firewall device log parsing we must install the Syslog Daemon Smart Connector without any extra recommendations. But when I do this, I find that some fields after normalization and conversion to CEF format do not…
  • Centrify Suite 2017 - Flex

    Hi All, I am sharing my Flex for Centrify. I also opened a ticket with ArcSight a year ago to have this added to the list of CEF Connectors, and still no updates Ticket: SD02349662 - Feature Request: CON-21924 So posting it here for the benefit of everyone…
  • Logger archive extraction?

    Hi All, Does anyone know or have any tool that I can reliably use to extract events from Logger archives? I need to extract data from years of old archives I have to put into a different tool for forensics analysis but there is not out of the box supported…
  • Delay in indexing forwarded events from Logger to ESM!

    Hi All, I am forwarding all events from Logger Appliance L7400 V 5.2 to ArcSight ESM 7.0 SP1, but I have some problems with this task: 1- All events forwarded from Logger to ESM are indexed in ESM with about a 2 or 3 hour delay. This means when I search a sample…
  • CEF ASM Mapping in another field

    Dear community, For CEF F5 ASM logs, I am trying to extract the values of parameters in the HTTP header stored in the deviceCustomString3 field into the flexString1 field: Host: (blabla.com) and True-Client-IP: (blabla.com). So I read about a function available…
  • RE: problem installing SmartConnector for ArcSight CEF Cisco FireSIGHT Syslog.

    Hello, Please make sure you have the following packages installed on the machine where you are planning to install the connector. For Linux sudo yum install python sudo yum install python-pip python-devel openssl-devel gcc sudo pip install pyOpenSSL For…
  • Problem in calculating sum of bytesIn on netflow with ArcSight Logger!

    Hi All, I sent the flow traffic to the NetFlow SmartConnector and when I used the query below in ArcSight Logger, I saw contradictions. But how? deviceVendor="IP Flow" and destinationAddress=x.x.x.x | chart sum(bytesIn) AS "InBytes" by destinationAddress also…
  • CEF Folder Follower Scanner

    Has anyone tried to set up/use the new CEF Folder Follower Scanner with any enterprise vuln scanning software? Just curious as to how well it works and if anyone has any experience with the scanning software side from an automation perspective…
  • CEF Unix Epoch Parsing ESM

    Hi All, I have run into some strange date time handling in the CEF format that I am working on. I have come across this Audisp CEF Plugin, and I have started to change it to our needs, and we now get events into our ESM using a Smart Connector that…
  • end / endTime Field Missing From Forwarding Connector

    I've noticed that when using the Forwarding Connector from ESM to CEF Syslog, the output is definitely CEF, but is missing the field: end= How can I get the endTime in the output of the Forwarding Connector? Cheers, Ash
  • CSV as Destination has Corrupt Entries

    We are using the UDP CEF Encrypted Syslog connector to collect and aggregate events from multiple connectors and then output the data to a CSV file (destination is CSV on the local box) which enables us to import ArcSight events into our Elasticsearch…