Recently I ran into a situation where a device stamps its events using the GMT time zone. That could easily be fixed by changing the connector settings, but there is a catch: those settings are global, so the change would fix the time stamps for this device and break them for every other device. The only solution I found was to write a small plugin that looks for a particular deviceVendor value and fixes the time accordingly. See the code below:
```java
package plugins.esm.alex;

import java.util.Iterator;
import java.util.List;
import java.util.TimeZone;

import com.arcsight.event.DeviceDescriptor;
import com.arcsight.event.ISecurityEvent;
import com.arcsight.product.manager.extension.event.api.ICustomEventHandler;

public class FireEyeTimeCorHandler implements ICustomEventHandler {

    @Override
    public void onPostPersist(List<ISecurityEvent> arg0) {
        // Nothing to do once the event has been persisted.
    }

    @Override
    public void onPrePersist(List<ISecurityEvent> events) {
        for (Iterator<ISecurityEvent> i = events.iterator(); i.hasNext();) {
            ISecurityEvent event = i.next();
            String vendor = null;
            DeviceDescriptor ds = event.getDevice();
            if (ds != null) {
                vendor = ds.getVendor();
            }
            // Only touch events from the one device that stamps in GMT;
            // comparing this way round is safe if getVendor() returns null.
            if ("Your device vendor".equals(vendor)) {
                long endTime = event.getEndTime();
                // This time is GMT: shift it into the ESM host's time zone.
                TimeZone currentTimeZone = TimeZone.getDefault();
                // Offset from GMT at the event's own instant, so DST is
                // applied for the date the event actually carries rather
                // than for the moment the plugin happens to run.
                int gmtOffset = currentTimeZone.getOffset(endTime);
                event.setEndTime(endTime + gmtOffset);
            }
        }
    }
}
```
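The correction hinges on the host zone's UTC offset, which moves with DST. This added example (my own, not the post's plugin, and independent of the ArcSight API) shows why the offset must be read at the event's own instant rather than at the moment the plugin runs; the `GmtShiftHelper` class, the `Europe/Berlin` zone and the two sample timestamps are constructed for the illustration.

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.TimeZone;

/** Hypothetical helper, not part of the original plugin or of ArcSight. */
public final class GmtShiftHelper {
    private GmtShiftHelper() {}

    /**
     * Shift an epoch-millisecond value that a device wrote as if local time
     * were GMT into the given zone. The offset is taken at the event's own
     * instant, so a January event and a July event from the same device get
     * different corrections when the zone observes DST.
     */
    public static long shiftFromGmt(long epochMillis, TimeZone zone) {
        return epochMillis + zone.getOffset(epochMillis);
    }

    /** The pitfall variant: apply whatever offset the zone has "now". */
    public static long shiftUsingOffsetNow(long epochMillis, TimeZone zone, long now) {
        return epochMillis + zone.getOffset(now);
    }

    public static void main(String[] args) {
        TimeZone zone = TimeZone.getTimeZone("Europe/Berlin"); // constructed sample zone
        // Constructed sample events: one in January (CET, +1h), one in July (CEST, +2h).
        Calendar jan = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
        jan.clear();
        jan.set(2012, Calendar.JANUARY, 15, 12, 0, 0);
        Calendar jul = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
        jul.clear();
        jul.set(2012, Calendar.JULY, 15, 12, 0, 0);
        long now = jul.getTimeInMillis(); // pretend the plugin is running in summer

        for (Calendar c : new Calendar[] { jan, jul }) {
            long raw = c.getTimeInMillis();
            long perInstant = shiftFromGmt(raw, zone);
            long perNow = shiftUsingOffsetNow(raw, zone, now);
            System.out.printf("raw=%d  shift at event instant=+%dh  shift at 'now'=+%dh%n",
                    raw, (perInstant - raw) / 3600000, (perNow - raw) / 3600000);
        }
        // The January event is corrected by +1h only when the offset is read at
        // its own instant; the host's current summer offset would add +2h and
        // leave a January event one hour in the future.
    }
}
```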
Thanks for sharing this with us Alex, a very interesting example of what can be achieved with an ESM plugin. Is there any chance you could provide some hints on how to write a plugin to populate an active list with data contained in an event? This would be extremely useful to import data into active lists without having to create a specific rule.
Gaetan
Gaetan, thank you for your question.
You are not the first person who has asked me about it 🙂
Unfortunately I don't know yet, but I do know that ArcSight Professional service implements it, and recently I got some clues on how to do it. As soon as I have a working sample, I am going to publish it.
regards,
Alex.