ArcSight User Discussions

agentSeverity Unknown & RAW CEF:0|||||

Sheyar (Trusted Contributor)

I have ArcSight Logger: 6.5.0.8152.0 and Smart Connector: 7.7.6

First, we have the problem that a lot of devices have CEF:0|Unix|Unix||arcsight:10:120

I wanted to solve that, therefore I adjusted usecustomsubagentlist=true,

and moved/removed the syslog properties, then started the connector.

After that I received a lot of events from the same devices; those have agentSeverity Unknown and RAW CEF:0|||||

Before the adjustment these events had CEF:0|Unix|Unix||arcsight:10:120

[Screenshot: Discussion.PNG]

Can you help me to solve that, please?

4 REPLIES

Knowledge Partner

Re: agentSeverity Unknown & RAW CEF:0|||||

Which parser is it supposed to have then? Another one in your parser list? You can choose which parsers are loaded on the connector, so the easiest is to just remove all except the one you need.

What products and format are you sending to it?

Sheyar (Trusted Contributor)

Re: agentSeverity Unknown & RAW CEF:0|||||

I have just the following parser (ArcSight-7.7.6.8063.0-ConnectorParsers).

You can see the agent.properties and the severity mapping in the screenshots.

I don't know what I should adjust?

[Screenshots: agenteProperties.PNG, DeviceSeverity.PNG]

Knowledge Partner

Re: agentSeverity Unknown & RAW CEF:0|||||

I would need to know which product you are sending in first, i.e. which brand is the log source?

Normally this should fix itself, but I want to ensure the product is supported first. If it is not supported, then that is the issue.

But I do often see logs from Cisco, for example, being caught by the wrong parser. We normally make a practice of only having the correct parser in the "agent[0].customsubagentlist" or at least change the order of them.
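Before touching the parser list, it helps to measure how many events actually end up in each state. The script below is an added example, not code from this thread or from ArcSight: it splits the CEF header of raw events the way the connector writes it, tolerates truncated headers such as CEF:0||||| (missing trailing fields become None instead of an error), and labels each event as parsed by a device parser, caught by the generic Unix parser (vendor and product both "Unix"), or not claimed by any parser at all (vendor and product blank, which is what produces agentSeverity Unknown). The sample raw events and the numeric-to-label severity mapping are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample raw events (not taken from the thread); the Unix and the
# empty header shapes mirror what the question describes, the rest are illustrative.
SAMPLE_RAW_EVENTS = [
    "CEF:0|Cisco|IOS|15.2|LINK-3-UPDOWN|Interface state change|5|src=10.0.0.1 msg=Line protocol down",
    "CEF:0|Unix|Unix||arcsight:10:120|Unix event|3|rt=1500000000000 dvc=10.0.0.2",
    "CEF:0|Unix|Unix||arcsight:10:120",
    "CEF:0|||||",
    "CEF:0|Juniper|JUNOS|12.3|RT_FLOW_SESSION_CREATE|session created|2|src=10.0.0.3",
    "<134>Jan 1 00:00:00 sw1 some non-CEF syslog line",
]

HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity", "extension"]


def parse_cef_header(line):
    """Split a CEF line into its header fields plus the extension.

    Pipes inside header values are escaped as '\\|' in CEF, so the split only
    honours unescaped pipes. A truncated header (fewer than seven fields, e.g.
    'CEF:0|||||') leaves the missing trailing fields as None rather than
    raising, because that is exactly the shape a mis-parsed event has.
    Returns None for lines that are not CEF at all.
    """
    if not line.startswith("CEF:"):
        return None
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    record = dict.fromkeys(HEADER_FIELDS)
    for key, value in zip(HEADER_FIELDS, parts):
        record[key] = value.replace("\\|", "|")
    return record


def agent_severity(cef_severity):
    """Map the CEF severity field to an ArcSight-style agentSeverity label.

    Assumed mapping for this example (0-3 Low, 4-6 Medium, 7-8 High,
    9-10 Very-High); an empty or missing field yields 'Unknown', which is
    what the question reports for the CEF:0||||| events.
    """
    if cef_severity is None or cef_severity == "":
        return "Unknown"
    if cef_severity in ("Low", "Medium", "High", "Very-High"):
        return cef_severity
    try:
        n = int(cef_severity)
    except ValueError:
        return "Unknown"
    if n <= 3:
        return "Low"
    if n <= 6:
        return "Medium"
    if n <= 8:
        return "High"
    return "Very-High"


def classify_event(line):
    """Label how well the connector parsed an event, judged from its CEF header."""
    record = parse_cef_header(line)
    if record is None:
        return "not_cef"
    vendor = record["vendor"] or ""
    product = record["product"] or ""
    if not vendor and not product:
        # No parser claimed the event: vendor/product blank, severity Unknown.
        return "unparsed"
    if vendor.lower() == "unix" and product.lower() == "unix":
        # Caught by the generic Unix/syslog parser instead of the device parser.
        return "generic_unix"
    return "parsed"


def audit(lines):
    """Count events per parse outcome and return the ones that need attention."""
    counts = Counter(classify_event(line) for line in lines)
    flagged = [line for line in lines
               if classify_event(line) in ("unparsed", "generic_unix")]
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_RAW_EVENTS)
    for label, n in sorted(counts.items()):
        print(f"{label:13s} {n}")
    for line in flagged:
        rec = parse_cef_header(line)
        print(f"  {classify_event(line):13s} agentSeverity={agent_severity(rec['severity'])}  {line}")
```

Run it over an export of raw events grouped by source address and the "unparsed" bucket tells you which devices lost their parser after the customsubagentlist change, while the "generic_unix" bucket shows which ones the Unix parser is still catching ahead of the intended device parser.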

Sheyar (Trusted Contributor)

Re: agentSeverity Unknown & RAW CEF:0|||||

Hello again :)

I have the problem with these products; these products have CEF:|UNIX|UNIX

HP J9851A Switch 5412Rzl2 HP J8697A Switch 5406zl ProCurve J9086A Switch 2610-24/12PWR ProCurve J8773A Switch 4208vl ATI AT-8000S HP Switch 5406Rzl2 VSF VC P 3800 Switch Stack

I also have: HPE_H3C, HPE_ProCurve, CISCO_Router, JUNOS and ArcSight; these kinds of products have been caught right.

[Screenshot: RAW.PNG]
