Course: ASFC160-76

ArcSight FlexConnector Configuration

Virtual Instructor Led Training

Authorised OpenText Trainer

Course Duration: 5 Days

Participants receive a certificate of course completion signed by OpenText.

Course Description

ArcSight FlexConnector Configuration provides an overview of the ArcSight SmartConnector components and explains the ArcSight ESM schema. It teaches you how to construct and edit FlexConnector configuration and properties files and how to use the available parsing methods, including fixed delimited, regular expression, syslog, and JSON. Examples from standard connectors illustrate device-specific approaches. Advanced configuration options such as multi-line regex, parser linking and conditional mapping are also covered.

Upon successful completion of this course, you should be able to:

  • Install ArcSight Connector software, configure a functional FlexConnector, and test with an ESM Active Channel

  • Use the FlexConnector Wizard to create fixed delimited configuration files

  • Use the Regex Tester tool to build common and sub-message parsers and token-to-event mappings

  • Create a tailored Categorization file for a parent FlexConnector and test its function in an active channel

  • Navigate the connector configuration file hierarchy to locate, display and edit 

Modules

  1. Introduction to FlexConnector

  2. Using the ArcSight Schema

  3. Basic Configuration File and Categorisation

  4. Regex FlexConnectors

  5. Installing ESM Syslog Connectors with Custom Parsers

  6. JSON Folder Follower Connector

  7. Advanced Topics

    • Multi-line Regex configuration parameters

    • Parser linking

    • Define and create conditional mapping configurations

    • LogFu, a tool that reads and parses ArcSight logs and generates interactive visual presentations of them

Intended Audience

This course is intended for security administrators, content authors/architects, and IT integrators who build and install custom connectors to provide critical event data feeds to ArcSight ESM or Logger. This can include senior analysts for networks, security systems, enterprise applications and databases.

Recommended Skills

  • Successful completion of ArcSight ESM Admin and Analyst course

  • Successful completion of ArcSight ESM Advanced Administrator course

  • Working knowledge of Regular Expressions