Mapping Commands for Additional Data Fields

The following commands provide access to SmartConnector component mapping and event categorization for advanced users.

Mapping Commands

Mapping Category

Get Additional Data Names

Returns a list of additional data names seen for each device vendor/product combination since the connector started running. For example:

Additional Data Names Seen:  
Generic (no vendor/product):
test1 [3 times]
test11
test13 [2 times]
Vendor/product [vend/prod]:
test1
test10 [6 times]

By default, the command limits the list to show only the most recent 100 device vendor/product combinations and the most recent 100 names for each.

Tip: You can change this limit by editing the SmartConnector property agent.additionaldata.mapper.track.max.names in the file $ARCSIGHT_HOME/ArcSightSmartAgents/current/user/agent/agent.properties on the machine where the connector is installed. In most cases we recommend keeping the defaults. If you change a property setting such as this, restart the connector.

If a data name is not a string, its data type is displayed in the list. If the connector saw an additional data name more than once, the command output indicates the number of times the name was seen.

Map Additional Data Name

Brings up a dialog where you can map an additional data name for the selected connector. If you are using additional data, add the turbo.enabled=false property to the Manager’s server.properties file. If you are unfamiliar with properties file settings, refer to the ESM Administrator's Guide, topic on "Managing and Changing Properties File Settings."

For a generic mapping, you can leave the Device vendor and Device product fields blank. For a specific mapping, fill in these fields with the appropriate vendor and product names.

Typically, the Additional data name is one of the names shown in the Get Additional Data Names output (but can be another name not on that list).

The ArcSight field must be a valid ArcSight event field.

Click OK to create the mapping.

Here is an example of the command output for a successful generic mapping:

Successfully mapped additional data name [test11] to event field [message] for vendor/product []

A successful device vendor/product-specific mapping returns output similar to this:

Successfully mapped additional data name [test10] to event field [message] for vendor/product [vend/prod]

If the additional data name has not been seen, the name is still mapped, but with a warning like this:

Successfully mapped additional data name [foo] to event field [deviceCustomString1] for vendor/product [vend/prod] (note that additional data name [foo] has not been seen for vendor/product [vend/prod])

If the ArcSight field is not valid, the error returned is similar to this:

Failed to map additional data name [bar] to event field [messages] for vendor/product [vend/prod] (event field [messages] is unknown)

Unmap Additional Data Name

Brings up a dialog where you can unmap an additional data name for the selected connector.

To remove a generic mapping, you can leave the Device vendor and Device product fields blank. To remove a specific mapping, fill in these fields with the appropriate vendor and product names. The additional data name should be one that was previously mapped for the specified device vendor and product combination.

Click OK to unmap the data name.

Here is an example of the command output for a successful generic unmapping:

Successfully unmapped additional data name [test11] for vendor/product []

A successful device vendor/product-specific unmapping returns output similar to this:

Successfully unmapped additional data name [foo] for vendor/product [vend/prod]

If the specified additional data name was not previously mapped, the output looks like this:

Failed to unmap additional data name [foo] for vendor/product [vend/prod] (not previously mapped)

Notes:

  • One additional data name can be mapped to more than one ArcSight field for the same device vendor/product combination, and in this case unmapping it unmaps it from all ArcSight fields for that device vendor/product. This is an unlikely scenario, however.

  • The converse case, where multiple additional data names are mapped to the same ArcSight field for the same device vendor/product combination, results in the last mapping taking precedence over any previous mappings to that ArcSight field for that device vendor/product. No warning is generated in this case.
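As an added illustration (not ArcSight's code), the following Python models the map/unmap behaviour and messages described above, including the two precedence rules in the Notes; the set of valid event fields and the vendor, product and name values are assumptions.

```python
# Added example: in-memory model of Map/Unmap Additional Data Name semantics.
# Output strings follow the page; VALID_FIELDS is an assumed subset of ArcSight fields.
from collections import Counter, defaultdict

VALID_FIELDS = {"message", "deviceCustomString1", "name"}  # assumption: tiny subset


class AdditionalDataMapper:
    def __init__(self):
        self.seen = defaultdict(Counter)                      # (vendor, product) -> name -> count
        self.maps = defaultdict(lambda: defaultdict(set))     # (vendor, product) -> name -> fields

    @staticmethod
    def _vp(vendor, product):
        # Generic mapping (both blank) is reported as []; otherwise [vendor/product].
        return f"{vendor}/{product}" if vendor or product else ""

    def record(self, vendor, product, name):
        # Simulates the connector observing an additional data name in an event.
        self.seen[(vendor, product)][name] += 1

    def map(self, vendor, product, name, field):
        vp = self._vp(vendor, product)
        if field not in VALID_FIELDS:
            return (f"Failed to map additional data name [{name}] to event field [{field}] "
                    f"for vendor/product [{vp}] (event field [{field}] is unknown)")
        table = self.maps[(vendor, product)]
        # Note 2: the last mapping to a given field wins, silently displacing earlier names.
        for other in list(table):
            if other != name and field in table[other]:
                table[other].discard(field)
                if not table[other]:
                    del table[other]
        table[name].add(field)   # Note 1: one name may map to several fields
        msg = (f"Successfully mapped additional data name [{name}] to event field [{field}] "
               f"for vendor/product [{vp}]")
        if self.seen[(vendor, product)][name] == 0:   # mapped anyway, with a warning
            msg += (f" (note that additional data name [{name}] has not been seen "
                    f"for vendor/product [{vp}])")
        return msg

    def unmap(self, vendor, product, name):
        vp = self._vp(vendor, product)
        table = self.maps[(vendor, product)]
        if name not in table:
            return (f"Failed to unmap additional data name [{name}] for vendor/product [{vp}] "
                    f"(not previously mapped)")
        del table[name]   # removes the name from every field it was mapped to
        return f"Successfully unmapped additional data name [{name}] for vendor/product [{vp}]"

    def fields_for(self, vendor, product, name):
        return set(self.maps[(vendor, product)].get(name, set()))
```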

Categorizer Mapper Category

Reload custom categorizations

There are several ways to set event category information for events. The least common of these is to store custom categorization files (organized by vendor and product) on the connector machine in the user/agent/aup/acp/categorizer/current directory (or the user/agent/acp/categorizer/current directory).

If such categorization files exist and have been changed, this command reloads them without restarting the connector.

Reload custom map files

Rescans and reloads map files in the user/agent/map directory on the machine where the connector is installed.

The map files are named in the form map.n.properties, where n is a number starting with 0. Use this command to immediately apply the latest changes. Not all connector setups include custom map files.

Caution: Map files are created on some connector machines to fulfill specific needs. If you are not familiar with the categorizer/mapping setup of an environment, we recommend that you do not use these commands.

Reload external map files

Rescans and reloads external map files in the user/agent/extmap directory on the machine where the connector is installed.

The map files are named in the form extmap.n.properties, where n is a number starting with 0. Use this command to immediately apply the latest changes. Not all connector setups include custom external map files.

Caution: External map files are created on some connector machines to fulfill specific needs. If you are not familiar with them, we recommend that you do not use the Reload commands.