When the ArcSight SmartConnector has been installed and configured to collect Centrify logs, the logs must be parsed and categorized using a customized Centrify FlexConnector. This FlexConnector contains two files for each Windows and Linux platform: a Parser and a Categorizer. You must place these files at specific locations depending on the operating system (OS) that you are using. Refer to the section below that applies to your OS.
Windows Application Logs
The two files needed for parsing and categorizing Windows application logs are in the folder:
Centrify_windows_flexconnector:
-
The Categorizer file is:
centrify_suite.csv -
The Parser file is
: application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties
To configure the Application logs for Windows:
-
Paste the Categorizer file,
centrify_suite.csv, into the target location:$ARCSIGHT_HOME\current\user\agent\acp\categorizer\current\centrify\ -
Paste the Parser file:
application.centrify_audittrail_v2.sdkkeyvaluefilereader.propertiesinto the target location for your OS, as indicated by the following table:
|
Microsoft OS Version |
Parser File Location |
|---|---|
|
$ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2008 |
|
$ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2012 |
|
$ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2016 |
-
Restart the SmartConnector service from the Windows Services.
Linux Syslogs
The two files needed for parsing and categorizing the Linux syslog are in the folder:
Centrify_linux_flexconnector
The two files are:
-
Categorizer file:
centrify_suite.csv -
Parser file
:centrify.subagent.sdkrfilereader.properties
To configure syslogs for Linux:
-
Paste the Categorizer file,
centrify_suite.csv, into the target location:$ARCSIGHT_HOME/current/user/agent/acp/categorizer/current/Centrify/
-
Paste the Parser file,
centrify.subagent.sdkrfilereader.properties, into the target location,$ARCSIGHT_HOME/user/agent/flexagent/syslog/, regardless of the Linux version. -
Restart the SmartConnector service from
/etc/init.d
Doc Feedback