Using Additional Data Fields

Some devices include event data with data fields that are not included in the standard event data schema. You can configure your SmartConnector to send these fields as additional data and map them to ESM schema fields. The mapping can vary based on the device vendor and product and can be controlled from the ArcSight Console, with the mappings stored on the SmartConnector machine.

Prerequisite:

Add the turbo.enabled=false property to the Manager's server.properties file. If you are unfamiliar with properties file settings, refer to the ESM Administrator's Guide, topic "Managing and Changing Properties File Settings."

To map additional data fields:

Where: Navigator > Resources > Connectors

  1. Expand a connector group and locate the SmartConnector you want to configure for additional data field mapping. Make sure this connector is in the running state.
  2. Right-click the connector and select Send Command > Mapping > Get Additional Data Names.

  3. See Get Additional Data Names sample output. Take note of the field names of interest. You will enter these fields for mapping later in this procedure.
  4. Right-click the connector again and select Send Command > Mapping > Map Additional Data Name. The mapping dialog is displayed.

  5. Enter values, for example:

    Field                   Example value
    Device vendor           For example, Cisco
    Device product          For example, Cisco Secure ACS
    Additional data name    Field name from the connector to be mapped, taken from the name list generated in the previous step
    ArcSight field          ArcSight field in which to store the additional data

    See also Map Additional Data Name for additional instructions on entering values in the mapping dialog, additional instructions for changing the server.properties file, and sample messages.

  6. To verify the mapping, right-click the connector again and select Send Command > Status > Get Status. Check the NGCustomAdditionalDataMapper<n> variables in the output. For example:

    NGCustomAdditionalDataMapper0................Generic mappings:test11=>message
    NGCustomAdditionalDataMapper1................Mappings for vend/prod:test10=>message, foo=>deviceCustomString1

    Note: Only mappings for loaded device vendor/product combinations are included. This includes mappings for vendor/product combinations that have had mapping or unmapping commands executed (even unsuccessful ones), and vendor/product combinations for which additional data-laden events have been seen. Unloaded mappings on disk are not included.
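As an added example (not part of the original documentation or the ArcSight product), the following script parses the NGCustomAdditionalDataMapper<n> lines from Get Status output and checks that a given additional data name resolves to the expected ArcSight field. The sample output is constructed from the two lines shown above; the vendor/product labels "Cisco/Cisco Secure ACS" and "Acme/Widget" are assumed stand-ins for the "vend/prod" placeholder, and the rule that a vendor/product mapping takes precedence over a generic one is an assumption, not something the page states.

```python
import re
from typing import Dict

# Constructed sample of "Send Command > Status > Get Status" output.
# Vendor/product labels are assumed; real output shows your own vendor/product names.
SAMPLE_STATUS = """\
NGCustomAdditionalDataMapper0................Generic mappings:test11=>message
NGCustomAdditionalDataMapper1................Mappings for Cisco/Cisco Secure ACS:test10=>message, foo=>deviceCustomString1
NGCustomAdditionalDataMapper2................Mappings for Acme/Widget:bar=>deviceCustomString2
"""

# Variable name, a run of padding dots, then the mapper description.
_LINE = re.compile(r"^(NGCustomAdditionalDataMapper\d+)\.+(.+)$")


def parse_mapper_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {scope: {additional_data_name: arcsight_field}}.

    scope is "generic" for the connector-wide mapper, otherwise "vendor/product".
    Only loaded mappers appear in the status output, so a missing scope means
    "not loaded", not necessarily "not mapped on disk".
    """
    result: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # other status variables are ignored
        label, _, mappings = m.group(2).partition(":")
        if label.startswith("Generic mappings"):
            scope = "generic"
        elif label.startswith("Mappings for "):
            scope = label[len("Mappings for "):]
        else:
            continue
        pairs = result.setdefault(scope, {})
        for item in mappings.split(","):
            name, sep, field = item.strip().partition("=>")
            if sep and name and field:
                pairs[name.strip()] = field.strip()
    return result


def mapping_is_active(status: Dict[str, Dict[str, str]], vendor: str,
                      product: str, ad_name: str, expected_field: str) -> bool:
    """True if ad_name resolves to expected_field for vendor/product.

    Assumes the vendor/product mapper is consulted before the generic one.
    """
    for scope in (f"{vendor}/{product}", "generic"):
        field = status.get(scope, {}).get(ad_name)
        if field is not None:
            return field == expected_field
    return False
```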

Create a map file on the SmartConnector host:

Connector map files are used to map a field value to another field, and more. For proper map file construction, follow the information in the FlexConnector Developer’s Guide, which is available from the Micro Focus Community. Refer to the topic, "Map Files."

Map files follow the filename format, map.X.properties, where X is the next sequential number following any other existing map file in that directory.

Store the map file on the SmartConnector host in this directory:

$ARCSIGHT_HOME/user/agent/map/map.X.properties

Updating this file does not require a connector restart.

To display additional data fields in the active channel:

  1. Create an active channel and specify the event fields to be displayed. See Creating or Editing an Active Channel for instructions.
  2. Right-click on the column header and select Columns > Add/Remove Column > Additional Data.

  3. Select the additional data field columns to be added to the active channel.

    Once the additional data fields are available on the channel, you can select the event (the row) and look at the Event Inspector panel for event details. Scroll all the way down the event details and look for the Additional Data category.

    Note: Limitations

    • Additional data fields cannot be part of a field set.

    • Additional data fields cannot be viewed on the ArcSight Command Center.