Scribd
Upload
33 views

AssetModelImportConn DevGuide

The document provides guidance on installing and configuring the Asset Model Import FlexConnector to import asset model data from CSV files into the ArcSight ESM network model. It describes prerequisites including having ESM installed, the connector install process, how to configure the connector including creating a parser from a template, and how to import asset data initially and monitor for updates. It also provides details on the supported CSV file attributes for assets and examples of the CSV format and a parser template.

Uploaded by

Quang Trung
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
33 views

AssetModelImportConn DevGuide

The document provides guidance on installing and configuring the Asset Model Import FlexConnector to import asset model data from CSV files into the ArcSight ESM network model. It describes prerequisites including having ESM installed, the connector install process, how to configure the connector including creating a parser from a template, and how to import asset data initially and monitor for updates. It also provides details on the supported CSV file attributes for assets and examples of the CSV format and a parser template.

Uploaded by

Quang Trung
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

Micro Focus Security

ArcSight ESM
Software Version: 7.6

Asset Model Import FlexConnector


Developer's Guide

Document Release Date: December 2021


Software Release Date: December 2021
Asset Model Import FlexConnector Developer's Guide

Legal Notices
Copyright Notice
© Copyright 2001-2021 Micro Focus or one of its affiliates
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The
information contained herein is subject to change without notice.
The only warranties for Micro Focus products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other
than the purchaser's internal use, without the express written permission of Micro Focus.
Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may
reverse engineer and modify certain open source components of the software in accordance with the license terms for
those particular components. See below for the applicable terms.
U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, “commercial computer
software” is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this
commercial computer software and/or commercial computer software documentation and other technical data subject
to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the
Federal Acquisition Regulation (“FAR”) and its successors. If acquired by or on behalf of any agency within the
Department of Defense (“DOD”), the U.S. Government acquires this commercial computer software and/or commercial
computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the
DOD FAR Supplement (“DFARS”) and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and
supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software
or technical data.

Trademark Notices
Adobe™ is a trademark of Adobe Systems Incorporated.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.

Support
Contact Information
Phone A list of phone numbers is available on the Technical Support
Page: https://softwaresupport.softwaregrp.com/support-contact-information

Support Web Site https://softwaresupport.softwaregrp.com/

ArcSight Product Documentation https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ct-p/productdocs

Micro Focus ESM (7.6) Page 2 of 15


Contents
Chapter 1: Overview 4
Assumptions 4

Chapter 2: Asset Model Import FlexConnector CSV File Attributes 5

Chapter 3: Installing and Configuring the Asset Model Import FlexConnector 6


Prerequisites 6
Installing the Asset Model Import FlexConnector 6
Configuring the Asset Model Import FlexConnector 7
Running SmartConnectors 8
Set the Model Import User 9
CSV Format and Parser Example 10
Default CSV Format 10
Parser Example and Template 11
CSV File Attributes 13
Reloading Asset Model Data 14

Send Documentation Feedback 15

Page 3 of 15
Chapter 1: Overview
The Asset Model Import FlexConnector enables you to develop a model import connector to
import the asset model data from a file, so you can create and maintain ESM Network Model
data, and keep this data in sync with the data in your Asset Management system. Based on
configuration, files are read by the connector, and converted to XML based on parser
attributes. Upon generation, the XML files are automatically transferred by the connector to
the ESM server.

Note: CSV is the only file format supported.

You configure the connector using the SmartConnector Configuration Wizard. Also, you must
create parser files from the provided template that match the format of the CSV files.
The connector supports two modes of operation:
l Initial read and import
l Ongoing detection and import of updates
During the initial read and import for attributes specified in the CSV files, the connector can
import a full set or subset of attributes for each asset based on CSV file content and
corresponding matching parser configuration.
After the information is imported into ESM, the list of attributes the connector sends to ESM
for existing assets is not updated. If you add or remove attributes to be sent to ESM from the
connector after you import the asset data, you will not get a history of the new attributes.
Updates will only be from the point of time the attributes were added. If you want a history of
the added attributes, re-import the asset data.

Assumptions
You should be familiar with writing a parser for Log File FlexConnector. Refer to the
FlexConnector Developer's Guide for more information about writing a parser.

Chapter 1: Overview Page 4 of 15


Chapter 2: Asset Model Import
FlexConnector CSV File Attributes
The following table lists the CSV file attributes for the Asset Model in ESM. In order to work
with these attributes, you should be familiar with the ESM Asset Model. See the ArcSight
Console User’s Guide, topics “Modeling the Network” and “Asset Model”.

Attribute Description

Inactive Use to disable an asset.


Asset

Inactive The reason the asset was inactivated (disabled).


Reason

Name The asset’s friendly name. This field can default to the asset’s host name or IP address. This name is
listed in the Asset tree in ESM.

IP Address The asset’s IP address, in dotted-decimal notation.

MAC Address The unique hardware ID for the network device.

Host Name The asset’s DNS name.

External ID The asset’s user-defined identifier.

Alias The asset’s display name. If an alias is not specified, the asset name is used. Typically used in a
localized environment to display the asset name in the local language.

Parent The URI of the asset’s immediate parent group in the hierarchy, based on ESM’s Asset tree. For
Group example, /All Assets/Customer A/.

Old Parent Used only to move one asset from one group to another. Is the URI of the source group for the
Group asset.

Description The asset’s text description.

Zone As described in Assets and Changing Assets. Specify the Zone URI of the Asset, as shown in the in
ESM Zones tree.

Location The asset’s specified location.

Category The URI of the category to which the asset belongs. An asset can belong to more than one category.
Assets can be categorized based on business use, criticality, applications, hardware, operating
system, or other criteria. If a category does not exist, it is automatically created for the asset. For
example, for the category Criticality, an asset can belong to the category High (with the Criticality
categories of High, Medium, and Low).

Chapter 2: Asset Model Import FlexConnector CSV File Attributes Page 5 of 15


Chapter 3: Installing and Configuring the
Asset Model Import FlexConnector
This chapter provides information about the prerequisites, installation and configuration of the
Asset Model Import FlexConnector.

Prerequisites
Before installing the Asset Model Import FlexConnector, the following prerequisites must be
met:
l Ensure that ESM and the Console are installed. For more information, see the ArcSight ESM
Installation and Configuration Guide.
l Local access to the machine where the Asset Model Import FlexConnector is to be installed
and administrator privileges to that machine.
l A minimum of 256 MB of memory and 3 GB of available hard disk space on the host
machine.
l Start the Manager. The command prompt window or terminal box displays a Ready
message when the Manager starts successfully. Monitor the server.std.log file located
in $ARCSIGHT_HOME\logs\default. Although not required, it is helpful to have the Console
running when installing the Asset Model Import FlexConnector to verify a successful
installation.
l Zones must have been created in ESM to use with the assets, using the Network Modeling
Wizard in the ArcSight Console. If the zones are not created, assets are not assigned to
zones, and the zone information for the asset is ignored.
l ArcSight ESM must be up and running to configure the Asset Model Import FlexConnector.

Installing the Asset Model Import FlexConnector


This section provides instructions on how to install the Asset Model Import FlexConnector.

Note:
l Use a non-root account to install the Asset Model Import FlexConnector.
l Do not store your parser files in the same folder as the connector installation files.

1. Using the log-in credentials supplied to you by ArcSight, download the Asset Model Import
FlexConnector installation executable file from the software support site to the machine
where the connector will run.

Chapter 3: Installing and Configuring the Asset Model Import FlexConnector Page 6 of 15
Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

2. Place the executable file in a directory.


3. Run the executable file to start the installer.
4. Follow the installation wizard through the following folder selection tasks and installation
of the core connector software:
l Introduction
l Choose Install Folder
l Choose Shortcut Folder
l Pre-Installation Summary
l Installing...

Configuring the Asset Model Import


FlexConnector
This section provides information about configuring the Asset Model Import FlexConnector.
After installation completes, the SmartConnector Configuration Wizard displays.

Note: The options for FIPS and remote management are not applicable at this time when “Set
Global Parameters” is selected for this connector.

1. Select Add a Connector. Click Next.


2. See Modifying Connector Settings in the SmartConnector User Guide for setting preferred
IP version.
3. Asset Model Import FlexConnector for File is already selected. Click Next.
4. Enter devices details, which are the folder locations and parser names. Click Add to add
folder locations for folders containing the CSV log files and the associated parsers.
Field Description

Folder Enter the complete path to the folder containing the CSV log files. Each folder must contain CSV
Location files of the same format, and associated with the same parser.

Parser File Enter the name of the parser associated with the specific CSV folder. The parser must match for
Name the format of the CSV file. You can create a different parser format for each folder configured.

Use Import and Export to copy the list of folders and parsers to or from a spreadsheet if
needed. Click Next.
5. In the destination type window, verify that ArcSight Manager (encrypted) is selected and
click Next.

Configuring the Asset Model Import FlexConnector Page 7 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

Note: When selecting destinations for the Asset Model Import FlexConnector, select
ArcSight Manager (encrypted) only. No other destinations are supported.

6. Enter destination parameters, including the host and port information, and click Next.
Parameter Description

Manager Host Enter the name of the host on which the Manager is installed.
Name

Manager Port Enter the network port from which the Manager is accepting requests. The default port is
8443.

User Name Enter a valid ArcSight user name to log in to configure the SmartConnector. This is the same
user name you created during the Manager installation.

Password Enter a valid ArcSight password to log in to configure the SmartConnector. This is the same
password you created during the Manager installation.

AUP Master Select true or false.


Destination

Filter Out All Select true or false.


Events

Enable Demo Select true or false.


CA

7. Enter connector details. Enter a name for the SmartConnector and provide other
information identifying the connector’s use in your environment. Click Next.
8. Select whether to import a certificate. Click Next.
9. Read the SmartConnector summary and click Next. If the summary is incorrect, click
Previous and make changes.
10. The Wizard now prompts you to choose whether you want to run the SmartConnector as a
process or as a service. If you choose to run the SmartConnector as a service, the Wizard
prompts you to define service parameters for the SmartConnector. Click Next. The Wizard
displays a dialog confirming the SmartConnector’s configuration.
11. Choose Exit and click Next.
12. Click Done.
A parser example that you can use as is or use as a template is created during the configuration
process is located at: $ARCSIGHT_HOME\user\agent\flexagent\mic\asset_flexfile\.

Running SmartConnectors
SmartConnectors can be installed and run in standalone mode, on Windows platforms as a
Windows service, or on UNIX platforms as a UNIX daemon, depending upon the platform

Running SmartConnectors Page 8 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

supported.

Note :

Create the service


Log in as Root user on Linux:
$ARCSIGHT_HOME/current/bin/arcsight agentsvc -i -u user

Note: "user" indicates the non-root user that you installed the MIC with. This is usually the
"arcsight" user.
Start the service
cd /etc/init.d

./arc_model_asset_flexfile start

On Windows platforms, SmartConnectors also can be run using shortcuts and optional Start
menu entries.
If installed standalone, the SmartConnector must be started manually, and is not automatically
active when a host is re-started. For Windows, you will have to start the Service manually using
Windows "Services". If installed as a service or daemon, the SmartConnector runs
automatically when the host is re-started. For information about connectors running as
services or daemons, see the ArcSight SmartConnector User's Guide.
For connectors installed standalone, to run all installed SmartConnectors on a particular host,
open a command window, go to $ARCSIGHT_HOME\current\bin and run: arcsight agents
To view the SmartConnector log, read the file:
$ARCSIGHT_HOME\current\logs\agent.log

To stop all SmartConnectors, enter Ctrl+C in the command window.

Set the Model Import User


After installing, configuring, and starting the connector, from the ArcSight Console set the
Model Import User for the connector (this must be a user with Console administrative
privileges). Setting the user links the user to the assets, and that user is then treated as the
“creator” of the assets. The connector is then run on that user’s behalf.
1. From the ArcSight Console, go to the Navigator panel and choose the Resources tab.
2. Under Resources, choose the Connectors resource.
3. Under All Connectors, navigate to your Asset Model Import FlexConnector.
4. Right click on the connector and select Configure.

Set the Model Import User Page 9 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

5. On the Inspect/Edit panel and choose the Connector tab.


6. Under the Connector tab, go to Model Import User and select a user from the
Administrators group.
7. Click OK.

CSV Format and Parser Example


The following is an example of the CSV format. Each line of the CSV file represents one asset.

Note: If you want categories to be created automatically on the ESM server side, the property
archive.import.asset.category.auto.create must be set to true in the server.properties
property file. See the ArcSight Console User’s Guide, “Asset Model”, for details on working with
assets. See the ESM Administrator’s Guide, “Editing Properties Files”, for details on how to edit a
properties file.

Default CSV Format


By default, the parser supports the following CSV format:
Action,InactiveAsset*,InactiveReason,AssetName,Ip,Mac,HostName,ExternalId,Alia
s,ParentGroupUri,OldParentGroupUri,AssetDescription,ZoneUri,LocationUri,AssetC
ategory

*the asset can be inactive or active based on the value passed (true or false) to enable or
disable the asset
An example of a CSV file:
addAsset,,,asset_1,199.199.0.1,00:11:22:33:44:51,myhostname_1,myexternalid_
1,myalias_1,myparentgroupuri_
1,,myassetdesc,myzoneuri,mylocationuri,myassetcategory

Where AssetCategory can be multiple categories separated by ";" and Action can be one of the
following:
l addAsset: Creates an asset
l updateAsset: Update an existing asset on the server. The server will update asset
attributes and merge categories.
l removeAsset: Removes the asset
l addCategory: Assigns one or more categories, separated by a semi-colon (;)
l removeCategory: Removes one or more categories, separated by a semi-colon (;)

CSV Format and Parser Example Page 10 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

l addZone: Assigns a zone. An asset can belong to one zone only. If an asset belongs to a
zone, the newly-added zone will replace the existing zone. Do not add assets from more
than one zone in a CSV file. Generate separate CSV files to contain assets from different
zones.
l removeZone: Removes the asset from a zone.
l moveAsset: Removes the asset from the existing parent group and associates it with the
new parent group.

Note: The connector does not validate the data in the CSV file or in the XML archive. The
archive can fail processing based on existing edit checks in ESM.

Parser Example and Template


You create parser files to match the format of your CSV files. This example is provided to help
you create your own parser files.
comments.start.with=#

delimiter=,

token.count=15

token[0].name=Action

token[0].type=String

token[1].name=Inactive

token[1].type=String

token[2].name=InactiveReason

token[2].type=String

token[3].name=AssetName

token[3].type=String

token[4].name=Ip

token[4].type=String

token[5].name=Mac

token[5].type=String

Parser Example and Template Page 11 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

token[6].name=HostName

token[6].type=String

token[7].name=ExternalId

token[7].type=String

token[8].name=Alias

token[8].type=String

token[9].name=ParentGroupUri

token[9].type=String

token[10].name=OldParentGroupUri

token[10].type=String

token[11].name=AssetDescription

token[11].type=String

token[12].name=ZoneUri

token[12].type=String

token[13].name=LocationUri

token[13].type=String

token[14].name=AssetCategory

token[14].type=String

###keep these 7 fields unchanged###

additionaldata.enabled=true

additionaldata.duplicate.keys.allowed=false

event.deviceEventCategory=__stringConstant(Asset)

event.deviceCustomString1Label=__stringConstant(model.sender)

Parser Example and Template Page 12 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

event.deviceCustomString1=__stringConstant(flexcsv)

event.deviceCustomString2Label=__stringConstant(model.template)

event.deviceCustomString2=__stringConstant(mic/asset_flexcsv/asset.vm)

###field mappings###

event.deviceVendor=__getVendor(CSV File)

event.deviceProduct=__stringConstant(Assets)

event.deviceAction=Action

additionaldata.Action=Action

event.externalId=ExternalId

event.flexString1=AssetName

#following mappings maybe removed in future but required for now

additionaldata.UniqueUserId=AssetName

event.destinationUserId=AssetName

CSV File Attributes


Attribute Description

Action Defines the action you can take. See "Default CSV Format" on page 10 for details on
possible actions.

InactiveAsset Use to disable an asset.

InactiveReason The reason the asset was inactivated (disabled).

AssetName The asset’s friendly name. This field can default to the asset’s host name or IP address. This
name is listed in the Asset tree in ESM.

IP The asset’s IP address, in dotted-decimal notation.

CSV File Attributes Page 13 of 15


Asset Model Import FlexConnector Developer's Guide
Chapter 3: Installing and Configuring the Asset Model Import FlexConnector

Attribute Description

MAC The unique hardware ID for the network device.

HostName The asset’s DNS name.

ExternalID The asset’s user-defined identifier.

Alias The asset’s display name. If an alias is not specified, the asset name is used. Typically used
in a localized environment to display the asset name in the local language.

ParentGroupUri The URI of the asset’s immediate parent group in the hierarchy, based on the Console’s
Asset tree. For example, “/All Assets/Customer A/”.

OldParentGroupUri Used only to move one asset from one group to another. Is the URI of the source group for
the asset.

AssetDescription The asset’s text description.

ZoneUri As described in Assets and Changing Assets. Specify the Zone URI of the Asset, as shown in
the in ESM Zones tree.

LocationUri The asset’s specified location.

AssetCategory The URI of the category to which the asset belongs. An asset can belong to more than one
category. Assets can be categorized based on business use, criticality, applications,
hardware, operating system, or other criteria. If a category does not exist, it is automatically
created for the asset. For example, for the category Criticality, an asset can belong to the
category High (with the Criticality categories of High, Medium, and Low).

Reloading Asset Model Data


A redeployment, reconfiguration, or mistaken deletion of attributes of your ESM structure may
require reloading all asset data. Use the following procedure to reload asset data:
1. Stop the connector if running.
2. From the ArcSight Console, go to the Navigator panel and choose the Resources tab.
3. Under Resources, choose the Asset tab.
4. Under All Assets, go to the top level directory. Identify the folders you need to delete in
order to be able to reload asset model data for the connector.

Note: Be sure not to delete all asset folders. Some asset folders are default folders supplied
by ESM. Delete only the asset data managed by this connector.

Highlight the asset folder you need to delete, then right-click and choose Delete Group
from the menu.
5. On the connector side, reconstitute the asset data by recopying it from its original source,
or renaming the backup files to their original file names.

Reloading Asset Model Data Page 14 of 15


Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by
email. If an email client is configured on this computer, click the link above and an email
window opens with the following information in the subject line:
Feedback on Asset Model Import FlexConnector Developer's Guide (ESM 7.6)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail
client, and send your feedback to [email protected].
We appreciate your feedback!

Send Documentation Feedback Page 15 of 15

You might also like