Event Categorization
Unsupported or custom devices can generate events that the provided connectors do not know how to categorize. For example, if your organization has developed and deployed ArcSight FlexConnectors to collect and process events specific to customized network nodes, these custom events are not categorized per the usual method.
From the ArcSight Console, you can manually apply categorization to one or more custom events from a FlexConnector (or other custom or unsupported device). Once you apply categorization to events from a particular device (and its associated connector), the categorization is automatically applied to other events of the same type.
To apply event categorization to one or more events:
- Select one or more of the same type of events that you want to categorize.
- Select one or more events and choose the Categorize Event command from the System menu (or click the toolbar button).
- Select values from the given categories from the drop-down menus.
- Click OK to apply the categorization information to events of this type.
This generates a SmartConnector update file (.csv) containing the new categorization files on the Manager. The Manager polls for new SmartConnector update files every 5 minutes, and updates the SmartConnectors when it finds new .csv files. So, within 5 to 20 minutes after you apply event categorization, new events of the same type are categorized in the same way.
Note that if a certain type of event is already categorized, this custom categorization has no effect. Otherwise, the custom categorizations take effect on all events of the same type going forward.
If you want to also apply the changes to previously categorized events, copy the newly created update file (.csv) to the SmartConnector installation folder as follows:
Copy from:
$ESM_HOME/user/agent/acp/categorizer/current/<vendor>/<product.csv>
Where $ESM_HOME is the installation folder for your ESM environment.
To:
$AGENT_HOME/user/agent/acp/categorizer/current/<vendor>/<product.csv>
Where $AGENT_HOME is the installation folder for your SmartConnector.
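The copy step above as a shell function, added here as an example and not part of the ArcSight documentation. The function name sync_categorizer and its arguments are hypothetical, and it assumes both installation folders are reachable from the host where it runs. It keeps the previous connector file as a backup and verifies the copy.

```shell
#!/bin/sh
# Added example (not vendor code): copy a categorization update file from
# the Manager tree to a SmartConnector tree, using the paths given above.
# Assumption: both trees are reachable from the host running this function.

# Usage: sync_categorizer ESM_HOME AGENT_HOME VENDOR PRODUCT_CSV
# Returns 0 when the file was copied or was already identical, 1 on error.
sync_categorizer() {
    esm_home=$1; agent_home=$2; vendor=$3; product_csv=$4

    # Reject any name containing '..' so the paths stay inside the
    # categorizer directory of each installation.
    case "$vendor/$product_csv" in
        *..*) echo "refusing path with '..': $vendor/$product_csv" >&2
              return 1 ;;
    esac

    rel="user/agent/acp/categorizer/current/$vendor/$product_csv"
    src="$esm_home/$rel"
    dst="$agent_home/$rel"

    [ -f "$src" ] || { echo "missing update file: $src" >&2; return 1; }

    # Nothing to do if the connector already has this exact file.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo "unchanged: $dst"
        return 0
    fi

    mkdir -p "$(dirname "$dst")" || return 1

    # Keep the previous connector file so the change can be rolled back.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak" || return 1
    fi

    # Copy to a temporary name and rename it, so a reader of the
    # destination never sees a half-written file.
    cp -p "$src" "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1

    # Confirm the destination matches the Manager's copy byte for byte.
    cmp -s "$src" "$dst" || { echo "verify failed: $dst" >&2; return 1; }
    echo "updated: $dst"
}
```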