AnsweredAssumed Answered

Integration with ArcSight Connector

Question asked by Daria Muravyova on Nov 10, 2016
Latest reply on Nov 11, 2016 by Daria Muravyova

Like • Show 0 Likes0
Comment • 4

Hello!

I'm helping customer now to migrate from rsa enVision to RSA SA. He wants to do minimum work during this prosess and to save all previos configuration. On RSA enVision we are getting logs from ArcSight Connector through syslog in CEF format and all works good. But for RSA SA this is "Unidentified content". How can we managed it?

ArcSight Smart Connector can't send logs in proper (for RSA SA) format.

Also we are trying to send these logs to Virtual Remote Collector, if it matters.

No one else has this question

Outcomes

4 Replies

Eric Partington Nov 10, 2016 11:17 AM
Mark Correct
Correct Answer
What version of NetWitness are you using ?
Is the Common Event Format (CEF) parser enabled and installed on the log decoders ?
can you provide a sample format of the logs that are being sent from the arcsight connector ?
Like • Show 0 Likes0
Actions
- Daria Muravyova @ Eric Partington on Nov 11, 2016 5:34 AM
  Mark Correct
  Correct Answer
  Hello, Eric!
  I have 10.6 RSA SA. CEF enabled and installed, but I have error on the stage of getting syslog, like in this case:
  000016890 - CyberArk Syslog messages display as 'unidentified content' in RSA Security Analytics
  I have standart format of CEF, like:
  CEF:0|Mirosoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4768|A Kerberos authentication ticket (TGT) was requested |Low| eventId=17271719 externalId=4768 msg=Certificate information is only provided if a certificate was used for pre-authentication types, ticket options, encription types and result codes are defined in RFC 4120 categorySignificance=/Informational/Warning categoryBehavior=/Authentication/Verify categoryDeviceGroup=/Operating System and so on.
  I understand that hte problem is that there is not RFC format. But enVision works with it correctly, maybe there is the way to make RSA SA to work with it as well.
  Like • Show 0 Likes0
  Actions
  - Eric Partington @ Daria Muravyova on Nov 11, 2016 8:07 AM
    Mark Correct
    Correct Answer
    Have you implemented the two files at the bottom of that post to set eh proper RFC ?
    
    The CEF parser in SA requires a specific format of header and hostname for the messages to parse. It looks like the additional two files will be able to set those parameters on the collector so that the messages are properly formatted for RSA NW/SA.
    
    If that doesn’t work, please open a support case and RSA support will assist you with this.
    
    Eric
    Like • Show 0 Likes0
    Actions
    - Daria Muravyova @ Eric Partington on Nov 11, 2016 11:21 AM
      Mark Correct
      Correct Answer
      Eric, as I can see, author of this post suggest to change CyberArc config, not RSA Collector. And I have no such variables on my ArcSight Collector. I will open a support case.
      Like • Show 0 Likes0
      Actions

Integration with ArcSight Connector

Outcomes

Related Content

Recommended Content