Personal blog of Alex Muratov

Smart Connector “Filter Out” issue

Posted on July 8, 2014 | in ArcSight, SIEM | by

The Connectors logs will show something like this:

[2014-06-30 12:15:59,324][ERROR][default.com.arcsight.agent.ob.g][init] com.arcsight.common.zones.parser.d: Lexical error at line 1, column 17. Encountered: "&" (38), after : "" at com.arcsight.common.zones.parser.ZoneParserTokenManager.getNextToken(ZoneParserTokenManager.java:2

The latest version of Connector Appliance 6.4 Patch 3 (6.4.0.6661.0) is affected.

Let’s take a look what is going on under the hood. Each Smart Connector has few configuration files: agent.properties and one or more XML configuration files that contain all settings like batching parameters, aggregation parameters, etc, etc. A Smart Connector actually is a container that can have few Connectors (sub-agents) and each defined Connector has an associated XML configuration file. First of all let’s see where Smart Connector stores a filter out expression when it is created via ESM ArcSight.

./user/agent/agent.properties:

agents[0].destination[0].agentid=3W3zEHkUBABCmGqXOpqun3Q==

3W3zEHkUBABCmGqXOpqun3Q==.xml:

deviceEventClassId EQ "1001"" zonebasedfiltering.zonedefinitionOriginal="deviceVendor EQ "Unix" And deviceEventClassId EQ "1001"" zonebasedfiltering.zonedefinitionhigh="false" zonebasedfiltering.zonedefinitionhighOriginal="false" zonebasedfiltering.zonedefinitionlow="false" zonebasedfiltering.zonedefinitionlowOriginal="false" zonebasedfiltering.zonedefinitionmedium="false" zonebasedfiltering.zonedefinitionmediumOriginal="false" zonebasedfiltering.zonedefinitionunknown="false" zonebasedfiltering.zonedefinitionunknownOriginal="false" zonebasedfiltering.zonedefinitionveryhigh="false" zonebasedfiltering.zonedefinitionveryhighOriginal="false" />

What we see: there are two identical parameters – “zonebasedfiltering.zonedefinition” and “zonebasedfiltering.zonedefinitionOriginal“. Also few other parameters like zonebasedfiltering.zonedefinitionhigh are set to “false”. Also quotes in the filter string was encoded to " according to HTML rules.

Let’s see how the same configuration looks when we update it via Smart Connector configuration editor at the Connector Appliance:

deviceEventClassId EQ "1001"" zonebasedfiltering.zonedefinitionOriginal="" zonebasedfiltering.zonedefinitionhigh="" zonebasedfiltering.zonedefinitionhighOriginal="" zonebasedfiltering.zonedefinitionlow="" zonebasedfiltering.zonedefinitionlowOriginal="" zonebasedfiltering.zonedefinitionmedium="" zonebasedfiltering.zonedefinitionmediumOriginal="" zonebasedfiltering.zonedefinitionunknown="" zonebasedfiltering.zonedefinitionunknownOriginal="" zonebasedfiltering.zonedefinitionveryhigh="" zonebasedfiltering.zonedefinitionveryhighOriginal="" />

The parameter “zonebasedfiltering.zonedefinitionOriginal” is empty. Also other parameters are not set explicitly. This is a problem: a Smart Connector expects to see both parameters “zonebasedfiltering.zonedefinition” and “zonebasedfiltering.zonedefinitionOriginal” are set to identical filter string. Whenever the Filter Out string is updated via built-in editor, only the first parameter is changed. The second parameter “zonebasedfiltering.zonedefinitionOriginal” is never touched. If Smart Connector files are not accessible directly – the only way to change an XML configuration file – edit it via the “Diagnostic Wizard”.

The procedure is very simple:

1. Click on the Connector icon and locate the “Diagnostic Wizard” button:

Diagnostic Wizard1

2. Press the “Next” button:

Diagnostic Wizard2

3. Select the “Edit a user file” option and press the “Next” button:

Diagnostic Wizard3

4. Select the “agent.properties” file from the drop-down list and press the “Next” button:

Diagnostic Wizard4

5. Locate the record “agents[0].id”:

Diagnostic Wizard5

Record (or remember) the agent ID, we need to locate the XML file with the same name on the next step.

6. Press the “Previous” button and return back to the wizard screen where we can select a file and locate the XML file with the right name:

Diagnostic Wizard6

Usually there is the only one XML file, but it is very common situation when a Container has multiple XML files (one XML file for each subagent).

Press the “Next” button.

7. Locate the “zonebasedfiltering.zonedefinition” parameter:

Diagnostic Wizard8

Oh, now we see a problem: the filter string contained encoded quotes like &quote; but the editor decoded all such special characters back to their visual representation. As the result the XML file representation is broken. If the configuration file will be saved back (without any alterations!) it will be saved in corrupted form and Smart Connector won’t be able to start. The log file will contain an error like this:

[2014-07-07 18:09:13,866][FATAL][default.com.arcsight.agent.a.k][refresh] Cannot load config file : /opt/arcsight/connector_5/current/user/agent//3inSxVkEBABCETQDfE+W7iA==.xml (Could not parse AgentConfig xml:org.xml.sax.SAXParseException: The value of attribute "Description" must not contain the '<' character.)

The only way to avoid it – retrieve the XML file in the original non-altered state, paste it to the editor, make required modifications and save it. Experimentally I find out that the Diagnostic Wizard’s editor saves the file “as is” but it decodes HTML codes during reading the file. How to retrieve the XML configuration file if there is no direct access to the file system? There is a workaround: request container logs and XML file will be part of it.

Now we have a step-by-step procedure how to properly set a Filter Out expression for a Smart Connector via Connector Appliance configuration editor:

1. Select the Smart Connector (under Container) in the left tree view;

2. Click on the “Edit runtime parameters” icon to open the configuration editor;

3. Click on “Default” link (if the Smart Connector has only “Default” configuration);

4. Locate the “Filter Out” text box under the “Filters” section;

5. Put desired expression;

6. Save the configuration;

7. Select the host in the left tree view to see list of available Container inside;

8. Check mark the Container and press the “Logs” button to generate container’s logs;

9. Select menu item “Setup -> Repositories”

10. Select “Logs” from the list of repositories;

11. Download the logs archive;

12. Extract the agent.properties, find the agent ID and extract the XML configuration file with the ID name;

13. Edit the “zonebasedfiltering.zonedefinition” and “zonebasedfiltering.zonedefinitionOriginal” parameters and make them identical;

14. Click on the “Manage” top menu item;

15. Select the Container in the left tree view;

16. Click on the Diagnostic Wizard icon;

17. Select the “Edit user file” option and then select the XML file from the list of available files;

18. Completely replace file content with the modified file content (from the step #13) and save the file (press “Save” button);

19. Container restarts automatically and filter out expression is applied.

20. Retrieve the container logs again, check the agent.log and you should see the following message: “zone filtering enabled”.

 

The workaround is too complicated, hopefully this bug will be fixed in the next Connector Appliance Patch/Release.

TAGS: , , ,

Leave a Reply

BOINC

BOINC

Ads

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Calendar

July 2014
M T W T F S S
« Nov   Oct »
 123456
78910111213
14151617181920
21222324252627
28293031  
%d bloggers like this: