How do we configure and import ArcSight CEF data in 4.6?

asked 31 Oct '14, 03:02

Aditya


Here are the steps to import ArcSight data in 4.6 -

  1. Create a new data source with the device type as Arcsight (CEF). Please make sure that the Arcsight (CEF) device type is present in the dropdown (registered).
  2. Give the filename and prefix as Arcsight. For Arcsight CEF data imports, the application goes against the Device Product field in the CEF feed.
  3. Navigate to Step-2 (Select Events to Import). Expand the More Settings tab and set the 'Use CEF Parser?' option to yes. Specify the CEF properties filename (i.e. 'arcsight.properties'; make sure the file is present under the '$SECURONIX_HOME/conf/' folder).
  4. Click on Save and Next. Create the necessary correlation rules.
  5. Before firing the import, make sure that there is a folder named 'data' under '$SECURONIX_HOME/agent/'. If this folder is not present, create this folder under the agent directory.

These are the steps to configure and import Arcsight data in Profiler 4.6.

answered 31 Oct '14, 03:10

Aditya
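
Step 2 of the answer above says the application goes against the Device Product field of the CEF feed. As an added example (not part of the original answer and not Securonix code), this Python script parses the standard CEF header and counts the Device Product values a feed contains, so they can be checked before the import; the sample lines and vendor/product names are constructed.

```python
import re
from collections import Counter

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)")

def _unescape(value):
    # CEF escapes: \\ \| \= plus \n and \r for line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return a dict of header fields plus 'extension', or None if the line is not valid CEF."""
    start = line.find("CEF:")              # tolerate a syslog prefix before the CEF header
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i:i + 2])      # keep the escape pair; unescaped below
            i += 2
            continue
        if body[i] == "|":                 # an unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) == len(HEADER) - 1:     # header with no extension and no trailing pipe
        fields.append("".join(cur))
    if len(fields) != len(HEADER):
        return None                        # truncated or malformed header
    event = {k: _unescape(v) for k, v in zip(HEADER, fields)}
    event["extension"] = {m.group(1): _unescape(m.group(2)) for m in EXT_PAIR.finditer(body[i:])}
    return event

def device_products(lines):
    """Count Device Product values in a feed; unparsable lines are counted under None."""
    events = (parse_cef(line.rstrip("\n")) for line in lines)
    return Counter(e["device_product"] if e else None for e in events)

# Constructed sample feed (not taken from a real device)
SAMPLE = [
    r"Oct 31 03:02:11 collector1 CEF:0|ExampleVendor|ArcSight|1.0|100|Agent \| connector up|3|src=10.0.0.5 msg=Login failed for user\=admin suser=jdoe",
    "CEF:0|ExampleVendor|ExampleFW|1.0|200|Connection denied|5|src=192.0.2.10 dst=192.0.2.20 spt=51515",
    "not a CEF line",
]
if __name__ == "__main__":
    print(device_products(SAMPLE))
```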

Of these, the second step is optional.

answered 03 Nov '14, 00:31

Praful ♦♦

Asked: 31 Oct '14, 03:02

Seen: 1,298 times

Last updated: 03 Nov '14, 00:31