ArcSight SmartConnector Custom Zones Mapping

Once you have installed and configured your SYSLOG ArcSight SmartConnector to communicate with your free L750MB Logger, you can customize the “zones mapping” for all devices that will communicate with the SmartConnector. In the CEF (Common Event Format) standard, the device zone is carried in the “deviceZoneURI” field and the SmartConnector zone in the “agentZoneURI” field.

A zone represents a part of your network with contiguous IP addresses, for example LAN, DMZ, VPN or WIFI. If you customize your devices' “zones mapping”, you will be able to create, with your Logger, alerts, queries and reports for groups of devices that are in the same zone. This will save you time 🙂

An ArcSight SmartConnector zone is defined by:

  • A starting IP address (for example: 192.168.0.15)
  • An ending IP address (for example: 192.168.0.20)
  • A zone name (for example: /All Zones/Office Zones/Printers)

The zone will be represented by this uncommented line:

192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers

To customize your devices' “zones mapping”, you only have to edit the “defaultzones.csv” file located in the “$ARCSIGHT_HOME/current/user/agent/acp/” directory.

Delete the following line from the file:

#ignore.this.file <- delete this line

Then add your zones mapping, save the file and restart the SmartConnector.
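
A check you can run on the file before restarting the SmartConnector, as an added example that is not part of the original post or of ArcSight's tooling. It assumes that lines starting with # are comments and that zone ranges should not overlap; `check_zones` and `zone_for` are hypothetical helper names, and every sample row except the Printers line is constructed.

```python
import ipaddress

IGNORE_MARKER = "#ignore.this.file"  # the line the post says must be deleted

def check_zones(text):
    """Parse defaultzones.csv content; return (zones, problems)."""
    zones, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(IGNORE_MARKER):
            problems.append(f"line {n}: '{IGNORE_MARKER}' is still present")
            continue
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3 or not parts[2]:
            problems.append(f"line {n}: expected start,end,zone name")
            continue
        try:
            start = ipaddress.IPv4Address(parts[0])
            end = ipaddress.IPv4Address(parts[1])
        except ValueError:
            problems.append(f"line {n}: invalid IPv4 address")
            continue
        if start > end:
            problems.append(f"line {n}: starting address is above ending address")
            continue
        zones.append((start, end, parts[2], n))
    # Assumption: overlapping ranges are a mistake, since an address would
    # then match more than one zone. Track the range that reaches furthest.
    prev = None
    for z in sorted(zones):
        if prev and z[0] <= prev[1]:
            problems.append(f"line {z[3]}: range overlaps line {prev[3]} ({prev[2]})")
        if prev is None or z[1] > prev[1]:
            prev = z
    return zones, problems

def zone_for(zones, ip):
    """Return the first zone (in file order) whose range contains ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    return next((name for s, e, name, _ in zones if s <= addr <= e), None)

# Constructed sample: marker left in, one overlap, one reversed range.
SAMPLE = """#ignore.this.file
192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers
192.168.0.18,192.168.0.30,/All Zones/Office Zones/Wifi
10.0.0.50,10.0.0.10,/All Zones/Office Zones/DMZ
"""
```

Calling `check_zones(open(path).read())` on your own file returns the same pair; an empty problems list means every row parsed and no ranges collide.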