Updating the Logstash Config Map for Custom Data Identifiers

If you are using custom data identifiers (dids) to identify a specific data type or machine users, then you must update the logstash-config-pipeline config map with custom data identifiers so that you can view the events or explore the raw events corresponding to the anomalies of the custom dids.

  1. Open a certified web browser.

  2. Specify the following URL to log in to the OMT Management Portal: https://<OMT_masternode_hostname or virtual_ip hostname>:5443.

  3. Navigate to Cluster > Dashboard to access the Kubernetes Dashboard.

  4. Under Namespace, search and select the arcsight-installer-xxxx namespace.

  5. Under Config and Storage, click Config Maps.

  6. Click the filter icon, then search for logstash-config-pipeline.

  7. Click and select Edit.

  8. Add the required mapping corresponding to custom did under the 'filter' section of logstash-config-pipeline. For example:

    if [destinationNtDomain] {
    if [destinationNtDomain] in ['','WORKGROUP','NT SERVICE','NT AUTHORITY'] {
    mutate {
    replace => {
    "did" => "1"
    } } } } if [destinationUserName] =~ "\$$" { mutate replace => { "did" => "1" } } }
    If you have upgraded Intelligence, you can update the logstash config map with the custom did mappings used in the previous version of Intelligence, if required. To update, copy the necessary mappings from the logstash-config-pipeline config map that you had backed up prior to the upgrade.
  9. Click Update.

  10. Restart the interset-logstash pods:

    1. Launch a terminal session and log in to the master or worker node.

    2. Execute the following command to retrieve the namespace:

      export NS=$(kubectl get namespaces | grep arcsight|cut -d ' ' -f1)
    3. Execute the following commands to restart the interset-logstash pods:

      kubectl -n $NS scale statefulset interset-logstash --replicas=0
      kubectl -n $NS scale statefulset interset-logstash --replicas=3 (set as per the environment)

For more mapping instances for custom dids, contact OpenText Customer Support.