Here are the steps to import ArcSight data in 4.6 -
- Create a new data source with the device type set to ArcSight (CEF). Please make sure that the ArcSight (CEF) device type is present in the dropdown (i.e. it is registered).
- Give the filename and prefix as ArcSight. For ArcSight CEF data imports, the application goes against the Device Product field in the CEF feed.
- Navigate to Step 2 (Select Events to Import). Expand the More Settings tab and set the 'Use CEF Parser?' option to yes. Specify the CEF properties filename (i.e. 'arcsight.properties'; make sure the file is present under the '$SECURONIX_HOME/conf/' folder).
- Click on Save and Next. Create the necessary correlation rules.
- Before firing the import, make sure that there is a folder named 'data' under '$SECURONIX_HOME/agent/'. If this folder is not present, create this folder under the agent directory.
These are the steps to configure and import ArcSight data in Profiler 4.6.
31 Oct '14, 03:10
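As an added illustration (this is not Securonix or ArcSight code, and not part of the answer above), the script below shows what the answer means by "the Device Product field in the CEF feed": it splits a CEF line into its seven pipe-separated header fields (Device Product is the third), parses the key=value extension, and counts or selects events by Device Product. It also includes a preflight check for the two filesystem prerequisites the answer lists, the properties file under conf/ and the agent/data folder. How Securonix itself matches the field, and the contents of arcsight.properties, are not described on the page and are not assumed here; the sample log lines are constructed.

```python
import os
import re
from collections import Counter
from typing import Dict, List, Tuple

# The seven CEF header fields, in order. Device Product is the third one.
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

# An extension key starts the string or follows whitespace and is followed by '='.
# Backslash is not a key character, so an escaped '\=' inside a value never starts a key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the text after 'CEF:' into 7 header fields plus the raw extension.
    Header escapes are backslash-pipe (literal '|') and backslash-backslash."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])          # escaped pipe or backslash
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) == 6 and buf:             # severity present, no trailing pipe/extension
        fields.append("".join(buf))
    return fields, body[i:]


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: backslash-equals, backslash-backslash, and the n / r escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value2 ...'; values may contain spaces."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line; any syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker in line")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != 7:
        raise ValueError(f"expected 7 CEF header fields, found {len(fields)}")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = _parse_extension(ext)
    return record


# Constructed sample feed: three Device Products sharing one CEF stream.
SAMPLE_LINES = [
    "CEF:0|ArcSight|ArcSight|6.0.3|agent:030|Agent [test] type [testalertng] started|Low|"
    "eventId=1 mrt=1414717801000 dvc=10.0.0.5",
    r"<134>Oct 31 03:10:02 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R77|accept|Accept \| Allow|3|"
    r"src=10.1.1.7 dst=10.2.2.9 spt=51512 dpt=443 proto=TCP msg=rule 12 \= allow https",
    "CEF:0|Microsoft|Windows|6.1|4625|An account failed to log on|5|"
    "suser=jdoe shost=WS042 rt=1414717803000 cs1=0xC000006D cs1Label=Status",
]


def products_in_feed(lines: List[str]) -> Dict[str, int]:
    """Count events per Device Product, the header value a CEF data source keys on."""
    return dict(Counter(str(parse_cef(l)["deviceProduct"]) for l in lines))


def select_for_product(lines: List[str], product: str) -> List[Dict[str, object]]:
    """Keep events whose Device Product matches exactly (illustrative matching rule)."""
    return [r for r in (parse_cef(l) for l in lines) if r["deviceProduct"] == product]


def preflight(securonix_home: str, props_name: str = "arcsight.properties") -> List[str]:
    """Check the answer's prerequisites: conf/<props_name> must exist, and
    agent/data must exist (created here if missing). Returns a list of findings."""
    findings: List[str] = []
    props = os.path.join(securonix_home, "conf", props_name)
    if not os.path.isfile(props):
        findings.append(f"missing CEF properties file: {props}")
    data_dir = os.path.join(securonix_home, "agent", "data")
    if not os.path.isdir(data_dir):
        os.makedirs(data_dir, exist_ok=True)
        findings.append(f"created missing folder: {data_dir}")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        print(rec["deviceProduct"], "->", rec["name"], rec["extension"])
    print(products_in_feed(SAMPLE_LINES))
    print(preflight(os.environ.get("SECURONIX_HOME", "/tmp/securonix_home")))
```

Run it as-is to see the three sample lines broken down; point `SECURONIX_HOME` at a real installation to get the preflight findings for that host. The escape handling matters in practice: a firewall rule name containing a pipe, or a message containing an equals sign, arrives escaped, and a naive `split("|")` or `split("=")` would shift every later header field, including Device Product, by one.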