Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flex Connector for importing large Active List Entries

Published bySherman Manning Modified over 5 years ago

Similar presentations

Presentation on theme: "Flex Connector for importing large Active List Entries"— Presentation transcript:

1 Flex Connector for importing large Active List Entries
Raju Gottumukkala Enterprise Expert August 2010

2 Flex Connector to import large Active Lists
How do you import very large values into Active Lists? You may create a custom archive file and use “arcsight archive” Manager can not handle large archive files Which means you have to split the input into multiple archive files and manage the import process which is a pain You may use the Console and right click on the AL and import Again large files are a pain and the process is manual You can send events to ESM via a flex connector and write a rule that populates the values to AL Excessive firing of rule and overloaded process Creates many internal events also WELCOME to a brand new approach © 2009 ArcSight Confidential 2

3 Example Import of Active List (AL)
AL: Black List from SANS Has 1 column with a type of IPAddress

4 Example Data file that will be imported into AL

5 Flex Connector to import large Active Lists
Create any regular flex connector to read the data corresponding to the Active List File, Database, Syslog etc Define Tokens only and do not map to fields Map tokens to additional data Additional Data field name can be anything In this example I am reading only IP Addresses from the file with the token name of IP and mapping it to IP_ADDRESS in additional data Set the Creation Date to Now – converted to milliseconds additionaldata.CREATE_DATE=__concatenate(__longToString(__currentTimestampInSeconds()),"000") © 2009 ArcSight Confidential 5

6 Flex Connector to import large Active Lists
Define the properties to invoke Model Import feature Define the property to invoke the custom Velocity Macro file that converts the data into the ArcSight Archive event.deviceCustomString2=__stringConstant(ips.vm) event.deviceVendor=__stringConstant(ArcSight) event.deviceProduct=__stringConstant(FlexArchiveImport) event.deviceCustomString1Label=__stringConstant(model.sender) event.deviceCustomString1=__stringConstant(sans) event.deviceCustomString2Label=__stringConstant(model.template) © 2009 ArcSight Confidential 6

7 Example Flex Properties file
comments.start.with=# delimiter=, token.count=1 token[0].name=IP token[0].type=String additionaldata.enabled=true additionaldata.IP_ADDRESS=IP additionaldata.CREATE_DATE=__concatenate(__longToString(__currentTimestampInSeconds()),"000") event.deviceVendor=__stringConstant(ArcSight) event.deviceProduct=__stringConstant(FlexArchiveImport) event.deviceCustomString1Label=__stringConstant(model.sender) event.deviceCustomString1=__stringConstant(sans) event.deviceCustomString2Label=__stringConstant(model.template) event.deviceCustomString2=__stringConstant(ips.vm)

8 Set Model Import User for the Connector

9 Create the Velocity Macro Template
Create the VM file defined in the flex properties file and place it in the user/agent/fcp directory: In our example it’s called ips.vm <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE archive SYSTEM "../../schema/xml/archive/arcsight-archive.dtd"> <archive buildVersion=" " buildTime=" _18:36:22" user="admin" createTime=" _14:41:19.312"> <ActiveList name="Black List from SANS" action="insert" > <insertListEntries> <list> #foreach($ip in $IP_ADDRESS) <map> <count>1</count> <creationTime>$CREATE_DATE.get($velocityCount)</creationTime> <lastModifiedTime> </lastModifiedTime> <values> <string>$ip</string> </list> </values> </map> #end </insertListEntries> <childOf> <ref type="Group" uri="/All Active Lists/Personal/admin's Active Lists/"/> </childOf> <eventBound>false</eventBound> <hashBased>false</hashBased> <ttl>0</ttl> </ActiveList> </archive> © 2009 ArcSight Confidential 9

10 Create the Velocity Macro Template
Depending upon the Connector build (for example: 5594), you may have to use this without the XML header and closing tag <ActiveList name="Black List from SANS" action="insert" > <insertListEntries> <list> #foreach($ip in $IP_ADDRESS) <map> <count>1</count> <creationTime>$CREATE_DATE.get($velocityCount)</creationTime> <lastModifiedTime> </lastModifiedTime> <values> <string>$ip</string> </list> </values> </map> #end </insertListEntries> <childOf> <ref type="Group" uri="/All Active Lists/Personal/admin's Active Lists/"/> </childOf> <eventBound>false</eventBound> <hashBased>false</hashBased> <ttl>0</ttl> </ActiveList> © 2009 ArcSight Confidential 10

11 Explanation of Velocity Macro Template
Edit the XML file and change the Active List name and Group URI Change ttl if necessary or you may remove the property also Notice the foreach loop $ip is a local variable and $IP_ADDRESS is the Additional Data field specified in properties file If there are multiple columns in AL then you need to place them within the <values> and <list> loop where the $ip is specified Assuming there are 2 fields in the AL with UserName and UserMachine then: additionaldata.USER_MACHINE=token2 additionaldata.USER_NAME=token1 foreach loop in the vm file may look like this foreach($user in $USER_NAME) Then the values specification will look like this: <string>$USER_MACHINE.get($velocityCount)</string> <string>$user</string> Here $user is defined in the foreach loop hence does not require get VelocityCount specification ipAddress is also a string type for the archive template © 2009 ArcSight Confidential 11

12 © 2009 ArcSight Confidential
Other things Make sure to use Agent Software build 5427 or higher Check $managerDir\archive\webservice directory for xml files that are sent from the Agent to Manager You may add “if” statements to the vm file © 2009 ArcSight Confidential 12

13 © 2009 ArcSight Confidential
Gotchas! Edit the agent.properties and add the following agent.component[34].maxeventsbeforebuild=20000 agent.component[34].buildmodeldelay=90000 This component (34) could be different for ModelBuilder depending upon the connector build Search config/agent/agent.defaults.properties file for ModelBuilder Play with maxeventsbeforebuild parameter I ran into connector default memory issues with but entries was ok Try not to go beyond the number, otherwise the archive file could become huge and cause problems © 2009 ArcSight Confidential 13

14 ArcSight, Inc. Corporate Headquarters: ARST EMEA Headquarters: +44 (0) Asia Pac Headquarters:

Download ppt "Flex Connector for importing large Active List Entries"

Similar presentations

Exporting Records to a File. Perform a search and retrieve records on the Search Results screen.

Exporting Records to a File. Perform a search and retrieve records on the Search Results screen.
Extended DISC Online System User Instruction: How to Run a Team Analysis.

Extended DISC Online System User Instruction: How to Run a Team Analysis.
Customizing the MOSS 2007 Search Results November 2007 Rafael Perez.

Customizing the MOSS 2007 Search Results November 2007 Rafael Perez.
Guide to MCSE 70-290, Enhanced 1 Activity 14-1: Browsing Security Templates Objective: To become familiar with built-in security templates Start  Run.

Guide to MCSE , Enhanced 1 Activity 14-1: Browsing Security Templates Objective: To become familiar with built-in security templates Start  Run.
6 th Annual Focus Users’ Conference 6 th Annual Focus Users’ Conference Understanding the School Set Up Menu Presented by: Josh Mostyn Presented by: Josh.

6 th Annual Focus Users’ Conference 6 th Annual Focus Users’ Conference Understanding the School Set Up Menu Presented by: Josh Mostyn Presented by: Josh.
Getting Started: Ansoft HFSS 8.0

Getting Started: Ansoft HFSS 8.0
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Python and Web Programming

Python and Web Programming
8/6/2015Auto Attendants 1 Smarter Communications.

8/6/2015Auto Attendants 1 Smarter Communications.
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Unity Connection 7.0 Directory Integration TOI Manoj Agrawal

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Unity Connection 7.0 Directory Integration TOI Manoj Agrawal
1 © 2001, Cisco Systems, Inc. All rights reserved. Voice Connector Features 4.0.5 Voicemail Interoperability – 4.0(5) Voice Connector features Rahul Singh.

1 © 2001, Cisco Systems, Inc. All rights reserved. Voice Connector Features Voic Interoperability – 4.0(5) Voice Connector features Rahul Singh.
Advance Ship Notices Training Presentation for Supply Chain Platform: BAE Systems July 2012.

Advance Ship Notices Training Presentation for Supply Chain Platform: BAE Systems July 2012.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
4/20/2017 10:34 AM b2Win 8.0 Ultimate software utility for converting Baan/Infor ERP LN reports directly into Microsoft Excel, Microsoft Word, PDF, XML,

4/20/ :34 AM b2Win 8.0 Ultimate software utility for converting Baan/Infor ERP LN reports directly into Microsoft Excel, Microsoft Word, PDF, XML,
8 Copyright © 2004, Oracle. All rights reserved. Creating LOVs and Editors.

8 Copyright © 2004, Oracle. All rights reserved. Creating LOVs and Editors.
1 Chapter 6 – Creating Web Forms and Validating User Input spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information.

1 Chapter 6 – Creating Web Forms and Validating User Input spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information.
LATTICE TECHNOLOGY, INC. For Version 10.0 and later XVL Web Master Advanced Tutorial For Version 10.0 and later.

LATTICE TECHNOLOGY, INC. For Version 10.0 and later XVL Web Master Advanced Tutorial For Version 10.0 and later.
Advanced Excel for Finance Professionals A self study material from South Asian Management Technologies Foundation.

Advanced Excel for Finance Professionals A self study material from South Asian Management Technologies Foundation.
4-1 INTERNET DATABASE CONNECTOR Colorado Technical University IT420 Tim Peterson.

4-1 INTERNET DATABASE CONNECTOR Colorado Technical University IT420 Tim Peterson.
LATTICE TECHNOLOGY, INC. For Version 3.0 and later iXVL Publisher Tutorial For Version 3.0 and later.

LATTICE TECHNOLOGY, INC. For Version 3.0 and later iXVL Publisher Tutorial For Version 3.0 and later.

Similar presentations

Ads by Google