Sending Arcsight logs on top of OMS agent via CEF

omrip
Occasional Contributor

Hi

I need to send logs from Arcsight Smart connectors to the L.A.

I have added an extra destination on the Arcsight Log Forwarder towards the OMS Server and am trying to get the logs into Log Analytics, with no success.

Arcsight Smart Connector --->Arcsight Log Forwarder --->OMS Server ---> Azure L.A

* where is the parser of the OMS agent located?


I am seeing the logs on the OMS server but getting errors:

tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:02:01.604687 IP (tos 0x0, ttl 64, id 47401, offset 0, flags [DF], proto TCP (6), length 159)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe93 (incorrect -> 0x68ae), seq 1681783013:1681783120, ack 3624475695, win 342, options [nop,nop,TS val 88196652 ecr 88183285], length 107
E....)@.@..-..........b.d=... ./...V.......
.A.,.A..<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session opened for user root by (uid=0)

17:02:01.604700 IP (tos 0x0, ttl 64, id 14570, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x5aed), seq 1, ack 107, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.P.....(.....
.A.,.A.,
17:02:01.606011 IP (tos 0x0, ttl 64, id 47402, offset 0, flags [DF], proto TCP (6), length 343)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xff4b (incorrect -> 0x12f6), seq 107:398, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 291
E..W.*@.@..t..........b.d=.P. ./...V.K.....
.A.,.A.,<78>Nov 25 17:02:01 Rsyslog02 CRON[10357]: (root) CMD ([ -f /etc/krb5.keytab ] && [ \( ! -f /etc/opt/omi/creds/omi.keytab \) -o \( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)

17:02:01.606018 IP (tos 0x0, ttl 64, id 14571, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x59ca), seq 1, ack 398, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.s.....(.....
.A.,.A.,
17:02:01.607744 IP (tos 0x0, ttl 64, id 47403, offset 0, flags [DF], proto TCP (6), length 148)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe88 (incorrect -> 0xc87d), seq 398:494, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 96
E....+@.@..6..........b.d=.s. ./...V.......
.A.,.A.,<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session closed for user root

17:02:01.607751 IP (tos 0x0, ttl 64, id 14572, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x596a), seq 1, ack 494, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.......(.....
.A.,.A.,


Arcsight log example:

17:01:03.137194 IP 192.168.200.34.33376 > 192.168.200.35.514: [|syslog]
E.....@.@......"...#.`......CEF:0|Microsoft|Microsoft Windows|Windows Server 2016|Microsoft-Windows-Security-Auditing:4689|A process has exited.|Low| eventId=119 externalId=4689 msg=Success categorySignificance=/Informational categoryBehavior=/Execute/Stop categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1574694225705 cat=Security deviceSeverity=Audit_success rt=1574694209940 dhost=LAB-AXA-Test.CP-LAB.LOCAL dst=192.168.200.33 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dntdom=CP-LAB duser=LAB-AXA-TEST$ duid=0x3e7 dproc=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe oldFileHash=UTF-8| cs2=Process Termination cs3=0x1170 cs4=0x0 locality=0 cs2Label=EventlogCategory cs3Label=Process ID cs4Label=Status ahost=lab-axa-centos.local agt=192.168.200.34 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-50-56-83-69-83 av=7.6.0.8009.0 atz=Asia/Jerusalem at=syslog dvchost=LAB-AXA-Test.CP-LAB.LOCAL dvc=192.168.200.33 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceNtDomain=CP-LAB dtz=Asia/Jerusalem _cefVer=0.1 ad.EventRecordID=479902 ad.ThreadID=2536 ad.Opcode=Info ad.ProcessID=4 ad.Version=0 ad.arcSightEventPath=31KjcjW4BABCABJrrC9uzYg\=\= aid=3z78dom4BABCAApaY3nt5JA\=\=
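As an added example, not part of the post and not the agent's own parser: a small Python checker that separates the plain OS syslog the tcpdump shows on port 25226 from a genuine CEF event, and parses the ArcSight header and extension (including the \| and \= escapes). The two sample lines are constructed from the post's capture and trimmed; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed samples, trimmed from the post: the plain OS syslog tcpdump showed on port 25226, and the ArcSight CEF event.
PLAIN_SYSLOG = ("<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): "
                "session opened for user root by (uid=0)")
CEF_EVENT = ("CEF:0|Microsoft|Microsoft Windows|Windows Server 2016|"
             "Microsoft-Windows-Security-Auditing:4689|A process has exited.|Low|"
             " eventId=119 externalId=4689 msg=Success dst=192.168.200.33 cs3Label=Process ID"
             " cs3=0x1170 dproc=C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe ad.arcSightEventPath=31KjcjW4BABCABJrrC9uzYg\\=\\=")
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_PRI_RE = re.compile(r"^<\d{1,3}>")                   # syslog <PRI> prefix
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # start of an extension key
_UNESC = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

def split_cef_header(text):
    """Return the 7 header fields (\\| and \\\\ unescaped) plus the raw extension text."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        if text[i] == "\\" and i + 1 < len(text):   # escaped char inside a header field
            cur.append(text[i + 1]); i += 2
        elif text[i] == "|":                        # unescaped pipe ends the field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    return fields, text[i:]

def parse_extension(ext):
    """Split 'key=value key2=value' pairs; values may contain spaces and \\= escapes."""
    keys, out = list(_KEY_RE.finditer(ext)), {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _UNESC.get(e.group(1), e.group(0)), raw)
    return out

def classify(line):
    """Label one received line: plain syslog, a parsed CEF event, or malformed CEF."""
    body = _PRI_RE.sub("", line, count=1)
    idx = body.find("CEF:")
    if idx < 0:
        return {"kind": "syslog", "raw": body}
    fields, ext = split_cef_header(body[idx:])
    if len(fields) != 7 or fields[0] != "CEF:0":
        return {"kind": "malformed_cef", "raw": body}
    return {"kind": "cef", "header": dict(zip(HEADER_FIELDS, fields)), "extension": parse_extension(ext)}

def summarize(lines):
    """Count kinds: only 'syslog' and no 'cef' means local OS syslog, not ArcSight, reaches the port."""
    return dict(Counter(classify(line)["kind"] for line in lines))
```

Feeding the lines captured on the collector port through summarize() shows at once whether any CEF events arrive at all, which is the question the tcpdump above raises.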

2 Replies

@omrip Could you set up a CEF Server and have your Arcsight send the data there instead of OMS?

@omrip : I am not sure what an OMS Server is. We don't use this term. Did you use the instructions for setting up a CEF collector (https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format)? If so, did you run the troubleshooting script? 
