Flex Connector for importing large Active List Entries


Flex Connector for importing large Active List Entries Raju Gottumukkala Enterprise Expert August 2010

Flex Connector to import large Active Lists

How do you import very large values into Active Lists?

- You may create a custom archive file and use “arcsight archive”
  - Manager can not handle large archive files
  - Which means you have to split the input into multiple archive files and manage the import process, which is a pain
- You may use the Console, right click on the AL and import
  - Again, large files are a pain and the process is manual
- You can send events to ESM via a flex connector and write a rule that populates the values to the AL
  - Excessive firing of the rule and an overloaded process
  - Creates many internal events also

WELCOME to a brand new approach

www.arcsight.com © 2009 ArcSight Confidential 2

Example Import of Active List (AL)

AL: Black List from SANS
Has 1 column with a type of IPAddress

Example Data file that will be imported into AL

222.073.204.093
222.073.044.241
222.073.204.018
198.189.053.081
211.157.113.012
190.210.025.161
217.018.151.006
211.119.115.003
212.065.146.025
207.250.047.137

Flex Connector to import large Active Lists

- Create any regular flex connector to read the data corresponding to the Active List (File, Database, Syslog etc.)
- Define tokens only and do not map them to fields
- Map tokens to additional data
  - The Additional Data field name can be anything
  - In this example I am reading only IP addresses from the file with the token name of IP and mapping it to IP_ADDRESS in additional data
- Set the Creation Date to now, converted to milliseconds:
  additionaldata.CREATE_DATE=__concatenate(__longToString(__currentTimestampInSeconds()),"000")

Flex Connector to import large Active Lists

- Define the properties to invoke the Model Import feature
- Define the property to invoke the custom Velocity Macro file that converts the data into the ArcSight Archive:

  event.deviceCustomString2=__stringConstant(ips.vm)
  event.deviceVendor=__stringConstant(ArcSight)
  event.deviceProduct=__stringConstant(FlexArchiveImport)
  event.deviceCustomString1Label=__stringConstant(model.sender)
  event.deviceCustomString1=__stringConstant(sans)
  event.deviceCustomString2Label=__stringConstant(model.template)

Example Flex Properties file

comments.start.with=#
delimiter=,
token.count=1
token[0].name=IP
token[0].type=String
additionaldata.enabled=true
additionaldata.IP_ADDRESS=IP
additionaldata.CREATE_DATE=__concatenate(__longToString(__currentTimestampInSeconds()),"000")
event.deviceVendor=__stringConstant(ArcSight)
event.deviceProduct=__stringConstant(FlexArchiveImport)
event.deviceCustomString1Label=__stringConstant(model.sender)
event.deviceCustomString1=__stringConstant(sans)
event.deviceCustomString2Label=__stringConstant(model.template)
event.deviceCustomString2=__stringConstant(ips.vm)

Set Model Import User for the Connector

Create the Velocity Macro Template

Create the VM file defined in the flex properties file and place it in the user/agent/fcp directory. In our example it’s called ips.vm. Note the nesting: <values> closes inside each <map>, and <list> closes after the #end of the foreach loop, so the archive stays well-formed XML.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE archive SYSTEM "../../schema/xml/archive/arcsight-archive.dtd">
<archive buildVersion="4.5.1.14375.2" buildTime="10-12-2009_18:36:22" user="admin" createTime="11-30-2009_14:41:19.312">
  <ActiveList name="Black List from SANS" action="insert">
    <insertListEntries>
      <list>
#foreach($ip in $IP_ADDRESS)
        <map>
          <count>1</count>
          <creationTime>$CREATE_DATE.get($velocityCount)</creationTime>
          <lastModifiedTime>1254785518000</lastModifiedTime>
          <values>
            <string>$ip</string>
          </values>
        </map>
#end
      </list>
    </insertListEntries>
    <childOf>
      <ref type="Group" uri="/All Active Lists/Personal/admin's Active Lists/"/>
    </childOf>
    <eventBound>false</eventBound>
    <hashBased>false</hashBased>
    <ttl>0</ttl>
  </ActiveList>
</archive>

Create the Velocity Macro Template

Depending upon the Connector build (for example: 5594), you may have to use this without the XML header and the <archive> wrapper and closing tag:

<ActiveList name="Black List from SANS" action="insert">
  <insertListEntries>
    <list>
#foreach($ip in $IP_ADDRESS)
      <map>
        <count>1</count>
        <creationTime>$CREATE_DATE.get($velocityCount)</creationTime>
        <lastModifiedTime>1254785518000</lastModifiedTime>
        <values>
          <string>$ip</string>
        </values>
      </map>
#end
    </list>
  </insertListEntries>
  <childOf>
    <ref type="Group" uri="/All Active Lists/Personal/admin's Active Lists/"/>
  </childOf>
  <eventBound>false</eventBound>
  <hashBased>false</hashBased>
  <ttl>0</ttl>
</ActiveList>

Explanation of Velocity Macro Template

- Edit the XML file and change the Active List name and Group URI
- Change ttl if necessary, or you may remove the property also
- Notice the foreach loop: $ip is a local variable and $IP_ADDRESS is the Additional Data field specified in the properties file
- If there are multiple columns in the AL then you need to place them within the <values> and <list> loop where the $ip is specified
- Assuming there are 2 fields in the AL, UserName and UserMachine, then:
  additionaldata.USER_MACHINE=token2
  additionaldata.USER_NAME=token1
  The foreach loop in the vm file may look like this:
  #foreach($user in $USER_NAME)
  Then the values specification will look like this:
  <string>$USER_MACHINE.get($velocityCount)</string>
  <string>$user</string>
  Here $user is defined in the foreach loop, hence does not require the get($velocityCount) specification
- ipAddress is also a string type for the archive template
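The following is an added example, written for this page and not code from the slides or from ArcSight. It mirrors what the ips.vm template does, in Python, so the archive fragment can be checked with a real XML parser: the single-column SANS case and the two-column UserName/UserMachine case the slide describes are both rendered by the same function (the list of column names is the assumption that generalizes them). It also XML-escapes every value, which Velocity's bare $ip does not, so a feed line containing "<" or "&" cannot break, or alter, the generated archive. The function names, the entries dict layout and the create_time_ms key are all assumptions made for this example; the element names are those of the template on the page.

```python
"""Render and verify the <ActiveList action="insert"> fragment that the
ips.vm Velocity template produces (added example, not ArcSight code)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


def render_active_list(name, group_uri, columns, entries, ttl=0):
    """Build the fragment for one Active List.

    columns: AL column names in AL order, e.g. ["IP_ADDRESS"] for the SANS
             list or ["USER_NAME", "USER_MACHINE"] for the two-column case.
    entries: one dict per entry with a value for every column plus a
             'create_time_ms' epoch value (the connector's CREATE_DATE).
    Assumption for this example: lastModifiedTime is set to the creation
    time; the slide's template hard-codes a constant there instead.
    """
    lines = [f"<ActiveList name={quoteattr(name)} action=\"insert\">",
             "  <insertListEntries>",
             "    <list>"]
    for entry in entries:                      # the #foreach body, once per entry
        ts = int(entry["create_time_ms"])
        lines += ["      <map>",
                  "        <count>1</count>",
                  f"        <creationTime>{ts}</creationTime>",
                  f"        <lastModifiedTime>{ts}</lastModifiedTime>",
                  "        <values>"]
        # escape() turns < > & into entities, so feed data stays data
        lines += [f"          <string>{escape(str(entry[col]))}</string>"
                  for col in columns]
        lines += ["        </values>",
                  "      </map>"]
    lines += ["    </list>",
              "  </insertListEntries>",
              "  <childOf>",
              f"    <ref type=\"Group\" uri={quoteattr(group_uri)}/>",
              "  </childOf>",
              "  <eventBound>false</eventBound>",
              "  <hashBased>false</hashBased>",
              f"  <ttl>{int(ttl)}</ttl>",
              "</ActiveList>"]
    return "\n".join(lines)


def parse_entries(fragment):
    """Parse the fragment back and return the per-entry value lists in order.
    Raises xml.etree.ElementTree.ParseError if the tag nesting is wrong."""
    root = ET.fromstring(fragment)
    return [[s.text for s in m.findall("values/string")]
            for m in root.findall("insertListEntries/list/map")]


if __name__ == "__main__":
    # constructed sample entries: two IPs from the slide's data file, padding removed
    sample = [{"IP_ADDRESS": "222.73.204.93", "create_time_ms": 1281000000000},
              {"IP_ADDRESS": "222.73.44.241", "create_time_ms": 1281000000000}]
    fragment = render_active_list("Black List from SANS",
                                  "/All Active Lists/Personal/admin's Active Lists/",
                                  ["IP_ADDRESS"], sample)
    print(fragment)
    print(parse_entries(fragment))
```

Running parse_entries over the rendered text is the check a practitioner wants before pointing ModelBuilder at a 10,000-entry feed: a misplaced closing tag or an unescaped value shows up here as a ParseError on your workstation rather than as a rejected archive on the Manager.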

Other things

- Make sure to use Agent Software build 5427 or higher
- Check the $managerDir\archive\webservice directory for xml files that are sent from the Agent to the Manager
- You may add “if” statements to the vm file

Gotchas!

- Edit the agent.properties and add the following:
  agent.component[34].maxeventsbeforebuild=20000
  agent.component[34].buildmodeldelay=90000
- This component (34) could be different for ModelBuilder depending upon the connector build
  - Search the config/agent/agent.defaults.properties file for ModelBuilder
- Play with the maxeventsbeforebuild parameter
  - I ran into connector default memory issues with 20000 but 10000 entries was ok
  - Try not to go beyond the 20000 number, otherwise the archive file could become huge and cause problems
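An added example for the data-file side of the two gotchas above (my code, not from the slides or ArcSight). It prepares a feed like the SANS list before the flex connector reads it: it normalizes the zero-padded octets the sample file uses (222.073.204.093 becomes 222.73.204.93; whether ESM would match the padded form against event addresses is not stated on the page, so normalizing removes the question), drops lines that are not IPv4 addresses, de-duplicates, and splits the result into files of at most batch_size entries so a single ModelBuilder build stays under the maxeventsbeforebuild value you settled on. The 10,000 default follows the slide's experience; the function names, the SAMPLE_DATA text and the output file naming are assumptions made for this example.

```python
"""Normalize, validate and batch an Active List data file before the flex
connector reads it (added example, not ArcSight code)."""
import ipaddress
from pathlib import Path

# constructed sample: the slide's zero-padded format plus lines that must be dropped
SAMPLE_DATA = """\
# constructed sample, same layout as the slide's data file
222.073.204.093
222.073.044.241
222.073.204.018
198.189.053.081
999.1.1.1
222.073.204.093
not-an-ip
"""


def normalize_ipv4(text):
    """Return the canonical dotted-quad for text, or None if it is not IPv4.
    Zero-padded octets are read as decimal, as the slide's data uses them;
    ipaddress itself rejects them (since 3.9.5) because of the octal ambiguity."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(str(int(p)) for p in parts)))
    except ValueError:                      # octet out of range
        return None


def load_entries(data, comment_prefix="#"):
    """Parse the file contents: skip blanks and comments (comments.start.with=#
    in the properties file), normalize, reject invalid lines, de-duplicate."""
    seen, entries = set(), []
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith(comment_prefix):
            continue
        ip = normalize_ipv4(line)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        entries.append(ip)
    return entries


def batches(entries, batch_size=10000):
    """Split entries into consecutive chunks of at most batch_size."""
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    return [entries[i:i + batch_size] for i in range(0, len(entries), batch_size)]


def write_batches(entries, directory, batch_size=10000, stem="sans_blacklist"):
    """Write one file per batch (stem_000.txt, stem_001.txt, ...) and return the paths.
    Point the connector at one file at a time, or drop them in sequence."""
    out_dir = Path(directory)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, chunk in enumerate(batches(entries, batch_size)):
        path = out_dir / f"{stem}_{n:03d}.txt"
        path.write_text("\n".join(chunk) + "\n", encoding="utf-8")
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    ips = load_entries(SAMPLE_DATA)
    print(ips)
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_batches(ips, tmp, batch_size=2):
            print(p.name, p.read_text().split())
```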

ArcSight, Inc. Corporate Headquarters: 1 888 415 ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795 www.arcsight.com