ArcSight SmartConnector Custom Zones Mapping
Once you have installed and configured your SYSLOG ArcSight SmartConnector to communicate with your free L750MB Logger, you can customize the “zones mapping” for all devices that will communicate with the SmartConnector. In the CEF (Common Event Format) standard, the device zone is classified under “deviceZoneURI” and the SmartConnector zone is classified under “agentZoneURI”.
A zone represents a part of your network with contiguous IP addresses, for example LAN, DMZ, VPN or WIFI. If you customize your devices' “zones mapping”, you will be able to create, with your Logger, alerts, queries and reports for groups of devices that are in the same zone. This will save you time.
An ArcSight SmartConnector zone is represented by:
- A starting IP address (for example: 192.168.0.15)
- An ending IP address (for example: 192.168.0.20)
- A zone name (for example: /All Zones/Office Zones/Printers)
The zone will be represented by this uncommented line:
192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers
In order to customize your devices' “zones mapping”, you only have to edit the “defaultzones.csv” file located in the “$ARCSIGHT_HOME/current/user/agent/acp/” directory.
Delete the following line from the file:
#ignore.this.file <- delete this line
Then add your zones mapping, save the file and restart the SmartConnector.
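Before restarting the SmartConnector, the edited file can be checked for mistakes that would leave events without the intended zone. The following is an added example, not part of the original post or of ArcSight's tooling: it assumes the three-column format shown above, and treating overlapping ranges as an error is this example's own assumption. The sample content is constructed.

```python
import ipaddress

# Constructed sample content for defaultzones.csv (not from a real deployment).
SAMPLE = """\
#ignore.this.file
192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers
192.168.0.18,192.168.0.30,/All Zones/Office Zones/Scanners
10.0.0.50,10.0.0.10,/All Zones/Office Zones/DMZ
172.16.0.1,/All Zones/Office Zones/VPN
"""

def check_zones(text):
    """Return a list of (line_number, message) problems found in the file text."""
    problems, zones = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The post says this marker line must be deleted from the file.
            if line.startswith("#ignore.this.file"):
                problems.append((n, "marker '#ignore.this.file' still present"))
            continue
        # Split on the first two commas only: start, end, zone name.
        parts = line.split(",", 2)
        if len(parts) != 3 or not parts[2].strip():
            problems.append((n, "expected start,end,zone name"))
            continue
        try:
            start = ipaddress.IPv4Address(parts[0].strip())
            end = ipaddress.IPv4Address(parts[1].strip())
        except ipaddress.AddressValueError as exc:
            problems.append((n, f"bad IP address: {exc}"))
            continue
        if start > end:
            problems.append((n, "starting address is above ending address"))
            continue
        # Assumption of this example: two zones should not share addresses.
        for other_n, o_start, o_end in zones:
            if start <= o_end and o_start <= end:
                problems.append((n, f"range overlaps line {other_n}"))
        zones.append((n, start, end))
    return problems

if __name__ == "__main__":
    for n, msg in check_zones(SAMPLE):
        print(f"line {n}: {msg}")
```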