Sending Arcsight logs on top of OMS agent via CEF

Copper Contributor

Hi

i need to send logs from Arcsight Smart connectors to the L.A 

i have added an extra destination on the Arcsight Log Forwarder towards OMS Server and trying to get the logs to Log Analytics with no success.

Arcsight Smart Connector --->Arcsight Log Forwarder --->OMS Server ---> Azure L.A

* where is the parser of the OMS agent located?

 

i am seeing the logs on the OMS server but getting errors:

tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:02:01.604687 IP (tos 0x0, ttl 64, id 47401, offset 0, flags [DF], proto TCP (6), length 159)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe93 (incorrect -> 0x68ae), seq 1681783013:1681783120, ack 3624475695, win 342, options [nop,nop,TS val 88196652 ecr 88183285], length 107
E....)@.@..-..........b.d=... ./...V.......
.A.,.A..<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session opened for user root by (uid=0)

17:02:01.604700 IP (tos 0x0, ttl 64, id 14570, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x5aed), seq 1, ack 107, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.P.....(.....
.A.,.A.,
17:02:01.606011 IP (tos 0x0, ttl 64, id 47402, offset 0, flags [DF], proto TCP (6), length 343)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xff4b (incorrect -> 0x12f6), seq 107:398, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 291
E..W.*@.@..t..........b.d=.P. ./...V.K.....
.A.,.A.,<78>Nov 25 17:02:01 Rsyslog02 CRON[10357]: (root) CMD ([ -f /etc/krb5.keytab ] && [ \( ! -f /etc/opt/omi/creds/omi.keytab \) -o \( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)

17:02:01.606018 IP (tos 0x0, ttl 64, id 14571, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x59ca), seq 1, ack 398, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.s.....(.....
.A.,.A.,
17:02:01.607744 IP (tos 0x0, ttl 64, id 47403, offset 0, flags [DF], proto TCP (6), length 148)
127.0.0.1.47282 > 127.0.0.1.25226: Flags [P.], cksum 0xfe88 (incorrect -> 0xc87d), seq 398:494, ack 1, win 342, options [nop,nop,TS val 88196652 ecr 88196652], length 96
E....+@.@..6..........b.d=.s. ./...V.......
.A.,.A.,<86>Nov 25 17:02:01 Rsyslog02 CRON[10356]: pam_unix(cron:session): session closed for user root

17:02:01.607751 IP (tos 0x0, ttl 64, id 14572, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.25226 > 127.0.0.1.47282: Flags [.], cksum 0xfe28 (incorrect -> 0x596a), seq 1, ack 494, win 6638, options [nop,nop,TS val 88196652 ecr 88196652], length 0
E..48.@.@...........b.... ./d=.......(.....
.A.,.A.,

 

Arcsight log example:

17:01:03.137194 IP 192.168.200.34.33376 > 192.168.200.35.514: [|syslog]
E.....@.@......"...#.`......CEF:0|Microsoft|Microsoft Windows|Windows Server 2016|Microsoft-Windows-Security-Auditing:4689|A process has exited.|Low| eventId=119 externalId=4689 msg=Success categorySignificance=/Informational categoryBehavior=/Execute/Stop categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1574694225705 cat=Security deviceSeverity=Audit_success rt=1574694209940 dhost=LAB-AXA-Test.CP-LAB.LOCAL dst=192.168.200.33 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dntdom=CP-LAB duser=LAB-AXA-TEST$ duid=0x3e7 dproc=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe oldFileHash=UTF-8| cs2=Process Termination cs3=0x1170 cs4=0x0 locality=0 cs2Label=EventlogCategory cs3Label=Process ID cs4Label=Status ahost=lab-axa-centos.local agt=192.168.200.34 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-50-56-83-69-83 av=7.6.0.8009.0 atz=Asia/Jerusalem at=syslog dvchost=LAB-AXA-Test.CP-LAB.LOCAL dvc=192.168.200.33 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceNtDomain=CP-LAB dtz=Asia/Jerusalem _cefVer=0.1 ad.EventRecordID=479902 ad.ThreadID=2536 ad.Opcode=Info ad.ProcessID=4 ad.Version=0 ad.arcSightEventPath=31KjcjW4BABCABJrrC9uzYg\=\= aid=3z78dom4BABCAApaY3nt5JA\=\=

2 Replies

@omrip Could you setup a CEF Server and have your Arcsight send the data there instead of OMS?

@omrip : I am not sure what an OMS Server is. We don't use this term. Did you use the instructions for setting up a CEF collector (https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format)? If so, did you run the troubleshooting script?