Total Event in Logger and ESM are not matching

  • KM03794786
  • 07-Apr-2021
  • 07-Apr-2021

Archived Content: This information is no longer maintained and is provided "as is" for your convenience.

Summary

Total Event in Logger and ESM are not matching

Error

Some events are not visible in an Active Channel of the ESM Console, although they are physically stored in the database and can be found with an event search in Command Center. The same events are also visible in Logger. This can happen when events are received from a FlexConnector.

Cause

The field "sessionId" is the root cause of the issue. The Active Channel does not tolerate this field being populated by a connector, most likely because the Active Channel uses the sessionId field internally to work out which events it should be showing for the time period it has buckets for.

Fix

The "sessionId" field is NOT an ArcSight CEF field according to the guide "Micro Focus Security ArcSight Common Event Format v 2.5":
https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557

The solution is to remove the field "sessionId" from the outgoing events of the FlexConnector, i.e. from the field mappings in its parser properties file.
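The following script is an added example, not part of this article or of any ArcSight product: it checks a FlexConnector parser properties file for mappings that populate the sessionId field and writes out a copy with those mappings removed, so the check can be run before a parser is deployed. The embedded parser text is a constructed sample in the regex FlexConnector properties syntax (`regex=`, `token[n].name`, `event.<field>=<token>`); the assumption is that a parser sets the field through an `event.sessionId=` mapping, which is the naming this script looks for.

```python
import re
import sys

# Constructed sample of a FlexConnector regex parser properties file
# (not taken from the article). Line 15 maps a token onto sessionId,
# which is the mapping the article says must be removed.
SAMPLE_PARSER = r"""do.unparsed.events=true
regex=(\\S+) (\\S+) session=(\\S+) user=(\\S+)
token.count=4
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=yyyy-MM-dd'T'HH:mm:ss
token[1].name=Action
token[1].type=String
token[2].name=Session
token[2].type=String
token[3].name=User
token[3].type=String
event.deviceReceiptTime=Timestamp
event.deviceAction=Action
event.sessionId=Session
event.sourceUserName=User
"""

# Matches a mapping line that populates the sessionId event field
# (assumed naming: "event.sessionId=<token or expression>").
# Leading whitespace and spaces around "=" are tolerated.
SESSION_ID_MAPPING = re.compile(r"^\s*event\.sessionId\s*=")


def find_session_id_mappings(text: str) -> list[int]:
    """Return the 1-based line numbers of every mapping that sets sessionId."""
    return [
        number
        for number, line in enumerate(text.splitlines(), start=1)
        if SESSION_ID_MAPPING.match(line)
    ]


def strip_session_id_mappings(text: str) -> str:
    """Return the parser text with every sessionId mapping line removed.

    All other lines (tokens, regex, other event.* mappings) are kept
    unchanged so the parser still produces the same events minus the
    offending field.
    """
    kept = [line for line in text.splitlines() if not SESSION_ID_MAPPING.match(line)]
    return "\n".join(kept) + "\n"


def check_parser(text: str) -> tuple[bool, str]:
    """Report whether the parser is clean and return the cleaned text."""
    hits = find_session_id_mappings(text)
    return (not hits, strip_session_id_mappings(text))


if __name__ == "__main__":
    # Usage: python check_parser.py [parser.sdkrfilereader.properties]
    # Without an argument the constructed sample above is checked.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PARSER
    clean, cleaned = check_parser(source)
    if clean:
        print("OK: no sessionId mapping found")
    else:
        lines = find_session_id_mappings(source)
        print(f"sessionId mapping found on line(s): {lines}; cleaned parser follows")
        print(cleaned, end="")
```

The cleaned output is the same parser with the `event.sessionId=Session` line dropped; the token that carried the value is still defined, so the parser's regex and token count do not need to change.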