• rsyslog and regex file flex connector

    Hi, rsyslog logs events from the VPN server to an input file. This file is processed by the ArcSight regex file flex connector. The problem is that the events do not come to ArcSight, but if you create a separate file, add the events there manually,…
  • Denial of service event filtering triggered

    Hi, I have several events that I process as one common event using a flex connector: Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 100.000.0.0:33333 c0ad05273533495f VERIFY OK: depth=0, SN=First Name Last Name, GN= First Name Last Name…
  • Parsing multiple events as one

    Hello, a file has a certain set of fields, as in the example below. These events are combined into small groups of 3-4 events (they are united by a common theme), and there is a gap between these groups for visibility. As far as I know, the connector…
  • The Flex connector ignores events because they contain Cyrillic

    Hi, does anyone know how to work around the problem where the flex connector does not collect events in ArcSight because they contain Cyrillic text? P.S. Tested on working connectors, so I am 100% sure that this is the problem. Thanks in advance…
  • Time format

    Hi, I receive data through the API and by default it comes in JSON format with collections. The data time has the following form: 2024-07-02T22:13:39.714000. Next, I convert this data into CEF format and use the Flex Connector Regex File to send the…
  • JSON parser

    Hi, your help is needed. I came across this JSON event format: { "results": [ { "id": "667e8d33156b6c38232c9043", "name": "SQL Injection attack (S3)", "description": "SQL Injection attack hitting the server at HTTPS. Same IP should not appear more…
  • Loss of part of the events

    Hi, here's the situation: I didn't pay attention to see if this happens on all connector types, but now I'm setting up a Flex Connector Regex File and everything is working fine; however, I noticed that if I manually send one event into the file, they don…
  • Regex File Flex Connector for JSON events Again

    Hi all, I want to return to this question again. I managed to configure the Flex Connector Regex File so that it doesn't return regex mismatch errors, but events still don't go to the active channel. Please take a look at my configuration file and…
  • How ArcSight FlexConnector JSON Multiple Folder Follower works

    Hello. Please explain to me how the JSON Multiple Folder Follower Connector works. I am interested in real-time file monitoring. For now, I'm training on an artificially generated file and artificially generated JSON events. When I start the connector…
  • Regex File Flex Connector for JSON events

    Hello, I have a problem. I'm using the Regex File Flex Connector to process JSON events. The configuration file is written correctly, and the regular expression has been tested in the relevant services. At the output, in the agent.log file for my connector…
  • Priority of Flex Connector events

    Hi, I am using the Flex Regex File Connector. My example events: CEF:0|Vendor2|Product2|2.0|5678|Event2|8|dvc=10.0.0.1 spt=5678 dpt=443 request= https://another-example.com CEF:0|Vendor3|Product3|3.0|9999|Event3|12|dvc=172.16.0.1 spt=9999 dpt=22 request…
  • How to find smart connector name in which file of smart connector

    Hi, there are many types of connectors installed. I didn't find out the connector name. Please provide the file name or file path of the smart connector. How do we find out the smart connector name?
  • REST connector

    Hello, I need to get data from VProtect (backup software) through the API it offers. I was trying to get JSON out of it with success, but it requires a timeframe instead of just a start time in the API request. The format which works looks like this: …
  • ArcSight FlexConnector cannot parse syslog

    Hi everyone, I have an issue with FlexConnector. In my environment, there is a SC that collects syslog (including Fortigate, CentOS, CISCO switch, and the source device "Array" where this problem occurred). At the beginning, I created a regex parser…
  • Flex connector file reader: how can I get today

    I have a log file format like this that needs a flex parser: 02:10:25 Checkpoint Completed: duration was 0 seconds. 02:10:25 Maximum server connections 19 02:10:25 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 41, Llog used…
  • Flex connector for RHEL 7.6 troubleshoot

    Hi, I have developed a Syslog Flex connector for RHEL 7.6 listening on 9514/udp. I did the regex correctly and mapped all the tokens. After finishing the Flex connector I did not receive any event in my Logger, while we set up the correct destination port and receiver…
  • No database configuration files (*.sdktbdatabase.properties) found in folder

    Hello guys, I am creating a time-based database flex connector and made the parser, and after installing the flex connector I got the following error and am unable to bring up the connector: "No database configuration files (*.sdktbdatabase.properties) found…
  • Sigma rules guide: threat hunting for ESM, ArcSight Command Center and Logger

    Hello dear community, as you know ArcSight ESM is only as smart as the content that we build there. After sharing hundreds of rules over the last 2 years in response to WannaCry, NotPetya, Bad Rabbit etc., we quickly came to the realization that there is a…
  • Flex Connector Hangs - When Regex is not Matching

    Hi all, I am observing abnormal behavior in Flex Connector. Whenever my sub-message pattern is not matching, the connector framework hangs and does not process any other files either. Using Multifolder Flex Connector Multiline Regex Batch Mode. It showed…
  • RSA SNMP Unified Connector

    Sorry for the noob question, as I am still new to ArcSight, but I am having difficulty with the RSA SNMP Unified Connector parser for my client. I installed the connector on my client's jump box and after that was done I see the OIDs coming through in the…
  • Extraprocessors

    Hi all, I have developed a sample parser with one extraprocessor and placed both files in the Flexagent/Syslog folder. But the connector is not taking the extraprocessor parser. Where do we need to place the files for extraprocessing? Regards, Arjun
  • Azure Log Integration for ArcSight - Multiple JSON parsers?

    Hello, while following the documentation for Azure log integration with SIEM ( link ), I've created a JSON connector and added the AzureRM JSON parser. This works great, but RM only parses the Resource Manager itself. I've wanted to make sure that, next…
  • Developing regex for Verint logs

    Hi all, I'm trying to build the regex for Verint logs. PFB sample logs: 06/06/17 13:04:24.926 (-05);Fair, Lindsey(702002828);Loaded a blank form;Form Fillout;Application:Quality Monitoring 06/06/17 13:04:26.286 (-05);Super User(8001);Loaded a blank form;Form…
  • Reparsing Data in ArcSight Fields

    I wrote this document a couple of years ago when I found myself needing a quick fix to correct some parsing issues. This document describes the additionalregexparsing feature to reparse syslog data, along with a few examples. [pdf-att]/home/lithium/migration…
  • If you handled PostgreSQL logs with ArcSight, please tell me

    Hello all, has anyone taken PostgreSQL logs with ArcSight? I do not see a case with Protect 724, whether there are few people using PostgreSQL. I'd like to refer to it as a reference, so if you have something to take in, whatever ArcSight SmartConnector…