
agentSeverity Unknown & RAW CEF:0|||||

Sheyar Regular Contributor.

I have ArcSight Logger: 6.5.0.8152.0 and Smart Connector: 7.7.6

At first we had the problem that a lot of devices have the CEF:0|Unix|Unix||arcsight:10:120

I wanted to solve that, therefore I have adjusted usecustomsubagentlist=true, and moved/removed the Syslog properties, then started the connector.

After that I received a lot of events from the same devices; those have the agentSeverity Unknown & RAW CEF:0|||||

Before the adjustment, these events had CEF:0|Unix|Unix||arcsight:10:120

Can you help me solve that, please?

3 REPLIES
Marius Honored Contributor.

Re: agentSeverity Unknown & RAW CEF:0|||||

Which parser is it supposed to have then? Another one in your parser list? You can choose which parsers are loaded on the connector, so the easiest is to just remove all except the one you need.

What products and format are you sending to it?

Sheyar Regular Contributor.

Re: agentSeverity Unknown & RAW CEF:0|||||

I have just the following parser (ArcSight-7.7.6.8063.0-ConnectorParsers).

You can see the agent.Properties and the severities mapping in the screenshots.

I don't know what I should adjust?

Marius Honored Contributor.

Re: agentSeverity Unknown & RAW CEF:0|||||

I would need to know which product you are sending in first, like which brand is the log source?

Normally this should fix itself, but I want to ensure the product is supported first. If it is not supported, then that is the issue.

But I do often see logs, from Cisco for example, being caught by the wrong parser. We normally make a practice of only having the correct parser in the "agent[0].customsubagentlist", or at least change the order of them.
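The two raw headers quoted in this thread can be separated mechanically when checking connector output. The following is an added example, not code from any poster or from ArcSight: a Python triage script that parses CEF headers (including truncated ones and escaped pipes) and counts, per device, how many events have empty vendor/product fields. The sample lines, the "Acme" vendor and the class labels are constructed; `dvchost` is the standard CEF extension key for the device host name.

```python
import re
from collections import Counter

FIELDS = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")

def parse_cef_header(line):
    """Return (header dict, extension) or None if not CEF; pads truncated headers."""
    start = line.find("CEF:")
    if start < 0:
        return None
    raw, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(raw) and len(fields) < len(FIELDS):
        if raw[i] == "\\" and raw[i + 1:i + 2] in ("|", "\\"):
            cur.append(raw[i + 1])      # escaped pipe/backslash stays in the field
            i += 1
        elif raw[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(raw[i])
        i += 1
    if len(fields) < len(FIELDS):       # header cut short: keep the partial last field
        fields.append("".join(cur))
    fields += [""] * (len(FIELDS) - len(fields))
    return dict(zip(FIELDS, fields)), raw[i:]

def classify(header):
    if not header["vendor"] and not header["product"]:
        return "unparsed"               # CEF:0||||| - no device vendor/product set
    if (header["vendor"], header["product"]) == ("Unix", "Unix"):
        return "generic-unix"           # the header reported before the change
    return "parsed"

def triage(lines):
    """Count events per (dvchost, class) so devices with unparsed events stand out."""
    counts = Counter()
    for header, ext in filter(None, map(parse_cef_header, lines)):
        host = re.search(r"(?:^|\s)dvchost=(\S+)", ext)
        counts[(host.group(1) if host else "?", classify(header))] += 1
    return counts

# Constructed sample lines (not taken from the thread's screenshots).
SAMPLE = [
    "CEF:0|||||||dvchost=fw01 msg=unmatched",
    "CEF:0|Unix|Unix||arcsight:10:120|Generic|Unknown|dvchost=fw01",
    r"CEF:0|Acme|Gate\|way|1.0|100|login ok|3|dvchost=gw02",
    "CEF:0|||||",
]
```

Calling `triage(SAMPLE)` returns a counter keyed by `(host, class)`; run it before and after a parser-list change to compare how the same devices are classified.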
