  • CEF event with syslog header gets device address/hostname parsed wrong if CEF has dvc= entry

    Hello, we have CheckPoint firewalls sending events over syslog in CEF format. The problem is that the events also have the SYSLOG header containing deviceAddress. For CheckPoint Identity Awareness, events get generated like this: Jan 13 14:25:36 xx.xx.xx…
  • Parsing Logs Palo Alto

    Hi, this situation looks old, but we've recently added Palo Alto logs to the ESM and all requestUrl fields have "" quotes. I used the solution that was on this forum but something must be missing: https://community.microfocus.com/cyberres/arcsight…
  • Map Fields to Schema

    Hi guys, I want to map 2 fields which are not mapped to any field in the ESM schema, so I want to map them to (attacherUserName and FlexString1). I did this in a file named cef_syslogSecurity.sdkkeyvaluefilereader.properties conditionalmap.count…
  • Parsing Override

    Hi guys, I want to make an override on my syslog connector, as I have a field like this: fnameAndHash Message attachments in the format: <filename>|<filehash>|<triggered/clean/malicious> As an example: fnameAndHash=attachName|AttachHash…
  • SmartConnector Support F5 HSL (High Speed Logging)

    I would like SmartConnector support to parse and collect F5 HSL (High Speed Logging). Our customer needs to collect this traffic log to monitor connection and performance usage on the F5 device. When the SmartConnector syslog daemon receives this log and parses…
  • RE: WINC Parsing Scheduled Task Content

    I figured this out using the __multilineRegexToken operation, but then quickly realized that this only parses the first command. Although uncommon, a single scheduled task can have many commands. Below is my parser and a raw event sample with multiple…
  • CEF ASM Mapping in another field

    Dear community, for CEF F5 ASM logs, I am trying to extract the values of parameters in the HTTP header stored in the deviceCustomString3 field to the flexString1 field: Host: (blabla.com) and True-Client-IP: (blabla.com). So I read about a function available…
  • Hi Techies, I'm looking for a connector and process for integrating MDM - Mobile Iron with ArcSight?

    Hi All, Query 1) I want to integrate MDM Mobile Iron 3.0; is any supported document available? I didn't find one. I need to know the process and changes/settings that need to be done at Mobile Iron to get the parsed logs to ArcSight. Also, what connector we…
  • Parsing for mixed single and multi-line logs Challenge Help

    Hi Team, I'm trying to build a parser for a connector that gets single-line and multi-line logs mixed, and I would like some help. The single-line format has several formats depending on the beginning of the log, and depending on these beginnings the log…
  • Developing regex for Verint logs

    Hi All, I'm trying to build the regex for Verint logs. PFB sample logs: 06/06/17 13:04:24.926 (-05);Fair, Lindsey(702002828);Loaded a blank form;Form Fillout;Application:Quality Monitoring 06/06/17 13:04:26.286 (-05);Super User(8001);Loaded a blank form;Form…
  • Reparsing Data in ArcSight Fields

    I wrote this document a couple of years ago when I found myself needing a quick fix to correct some parsing issues. This document describes the additionalregexparsing feature to reparse syslog data, along with a few examples.
  • Maintaining Your ArcSight Event Sources in an Ever-Changing Environment

    No IT infrastructure is static for long, if at all. Changes are consistently being planned, implemented and reviewed. It seems the larger your environment, the more often it changes. It is never any fun walking into work on a Monday morning or worse,…
  • Logs with no DeviceVendor and DeviceProduct name

    We are receiving some logs with no DeviceVendor and DeviceProduct name. Due to this, we are getting "Unknown" in the "Top Event Sources" dashboard. This is happening mostly for the Windows Security Audit log: "Microsoft-Windows-Security-Auditing:5158 & 5156"…
  • Log File parsing with flex

    Dear All, after I create "<file_name>.sdkrfilereader.propertie", in which path must I put this file for parsing a local log file? In this case I run the "<arcsight_home>/bin/arcsight agents" command and I can view CEF categorized logs in Logger and any destination…
  • Microsoft DNS Trace Log Parser Errors

    I am seeing a large amount of parsing errors with the Microsoft DNS Trace Log connector. I've followed the connector guide to set up the logging options on the DNS server, but I still see a large amount of errors in the connector's agent.log file. This…
  • NT Syslog not parsing windows event

    Hi All, I need help parsing Windows events!!! As per company policy all the logs should get stored in a centralized server, so we have created a syslog server (10.0.0.1) and enabled forwarding to the syslog server, including from Windows servers. We have installed…
  • Hi, I am having trouble with the syslog flexagent parser and I do not understand what's wrong in it; events are not reacting to that parser. Please suggest any changes; the subagent file is in flexagent/syslog.

    <188>20915: Apr 13 08:52:31.137 MDT: %PLATFORM_STACKPOWER-4-UNBALANCED_PS: Switch 3's power stack has unbalanced power supplies <187>735: *Apr 18 15:11:39.590 CST: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up <189>736: *Apr 18 15:11…
  • Is there a way to map the file name of the log file you are parsing into an ArcSight field?

    I would like to put the name of the file I am reading with the parser into the fileName field. Is this possible?
  • Apache http logformat not parsing

    I recently figured out why a native Apache HTTP syslog parser will not parse events, and I wanted to share this with the community because it is not well documented. After struggling to find out why Apache logs will not parse, I found the attached ApacheHTTPAccessConfig…
  • Juniper Pulse Secure VPN log integration

    Does anyone have experience with Juniper Pulse Secure VPN device log collection? I'd appreciate it if you can share your experience with it. We forwarded syslogs from the Juniper Pulse device (v8.1) to ESM 5.5 via the syslog-daemon SmartConnector (7.1.6), and it's not…
  • TimeStamp is not working with one XML flex but with the other?

    I am facing the problem that I have two XML flex connectors, of which one is able to parse the TimeStamp of an expression correctly. The other one has problems parsing it correctly, though. The one which is working looks like the following: Event: <?xml…
  • How can I parse a dMMMyyyy date format and a HH:mm:ss time format into a timestamp (in a fixed-format log file of a flexconnector)?

    Hello, I am having some trouble when programming a flexconnector: the log file has a date in dMMMyyyy format (for example 1Ago2015), and a time in HH:mm:ss format. So I am trying to get a timestamp like "1ago2015 21:02:36". I have tried many ways and anyone…
  • CISCO ASA NAT Issue

    Hello guys, I'm facing an odd issue (it's odd because it seems that others aren't facing it - information from ArcSight support) with Cisco ASA/PIX equipment. When we receive logs with real addresses and NATed addresses, they are exchanged in the log…
  • Parsing SNMP Trap Log

    Guys, I need a little help getting the following logs parsed into ArcSight. Here is the raw log: Rogue AP: 64:a0:e7:da:86:60 detected on Base Radio MAC: 84:80:2d:c3:16:20 Interface no: 0(802.11n(2.4 GHz)) Channel: 8 RSSI: -83 SNR: 11 Classification: unclassified…
  • Bro IDS parsing from Security Onion

    Hello, I have a Security Onion setup in my network and it primarily runs Bro IDS. ArcSight has a specific connector for Bro IDS, but it is a local one, and Security Onion uses Ubuntu 12.04, where I'm not able to install the connector because of Java errors…