Configuring FlexConnector for Data Normalization and Categorization

When the ArcSight SmartConnector has been installed and configured to collect
Centrify logs, the logs must be parsed and categorized using a customized
Centrify FlexConnector. This FlexConnector contains two files for each
platform, Windows and Linux: a Parser and a Categorizer. You must place these
files at specific locations depending on the operating system (OS) that you
are using. Refer to the section below that applies to your OS.

Windows Application Logs

The two files needed for parsing and categorizing Windows application logs are
in the folder:

Centrify_windows_flexconnector

  • The Categorizer file is: centrify_suite.csv

  • The Parser file is: application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties

To configure the Application logs for Windows:

  1. Paste the Categorizer file, centrify_suite.csv, into the target location: $ARCSIGHT_HOME\current\user\agent\acp\categorizer\current\centrify\

  2. Paste the Parser file: application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties into the target location for your OS, as indicated by the following table:

    Microsoft OS Version                                     Parser File Location
    -------------------------------------------------------  ----------------------------------------------------
    Windows Server 2008 R2, Windows 7 SP1                    $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2008
    Windows Server 2012, Windows Server 2012 R2, Windows 8   $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2012
    Windows Server 2016, Windows 10                          $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2016

  3. Restart the SmartConnector service from the Windows Services console.
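The three Windows steps above as one script. This is an added example, not Centrify's or ArcSight's own code: it picks the parser folder from the OS version using the table in this section, verifies each copy by hash before restarting anything, and assumes ARCSIGHT_HOME is set in the environment, PowerShell 3.0 or later, an elevated session, and that you fill in the SmartConnector service name placeholder.

```powershell
# Added example (not Centrify or ArcSight code). Assumptions: $env:ARCSIGHT_HOME
# is set, the session is elevated, PowerShell 3.0+, $ServiceName is a placeholder.
param(
    [string]$SourceDir    = ".\Centrify_windows_flexconnector",
    [string]$ArcSightHome = $env:ARCSIGHT_HOME,
    [string]$ServiceName  = "<SmartConnector service name>"   # placeholder
)

if (-not $ArcSightHome) { throw "ARCSIGHT_HOME is not set" }

$categorizer = "centrify_suite.csv"
$parser      = "application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties"

# Parser folder keyed by OS version, as in the table above:
# 6.1 = Server 2008 R2 / 7 SP1; 6.2 and 6.3 = Server 2012, 2012 R2 / 8;
# 10.0 = Server 2016 / 10.
$ver = [version](Get-CimInstance Win32_OperatingSystem).Version
$parserSubdir = switch ("$($ver.Major).$($ver.Minor)") {
    "6.1"   { "windows_2008" }
    "6.2"   { "windows_2012" }
    "6.3"   { "windows_2012" }
    "10.0"  { "windows_2016" }
    default { throw "Unrecognised OS version $ver; place the parser by hand." }
}

# Step 1 and step 2 target folders, as given in this section.
$targets = @{}
$targets[$categorizer] = Join-Path $ArcSightHome "current\user\agent\acp\categorizer\current\centrify"
$targets[$parser]      = Join-Path $ArcSightHome "user\agent\fcp\windowsfg\$parserSubdir"

foreach ($file in $targets.Keys) {
    $src = Join-Path $SourceDir $file
    if (-not (Test-Path $src)) { throw "Missing source file $src" }
    $dir = $targets[$file]
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Copy-Item -Path $src -Destination $dir -Force
    # Confirm the file landed intact before the connector is restarted.
    $dst = Join-Path $dir $file
    if ((Get-FileHash $src).Hash -ne (Get-FileHash $dst).Hash) {
        throw "Copy of $file to $dir failed hash verification"
    }
    Write-Host "Placed $file in $dir"
}

# Step 3: restart the SmartConnector service so it loads the new files.
Restart-Service -Name $ServiceName -ErrorAction Stop
Write-Host "Restarted $ServiceName"
```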

Linux Syslogs

The two files needed for parsing and categorizing the Linux syslog are in the
folder:

Centrify_linux_flexconnector

The two files are:

  • Categorizer file: centrify_suite.csv

  • Parser file: centrify.subagent.sdkrfilereader.properties

To configure syslogs for Linux:

  1. Paste the Categorizer file, centrify_suite.csv, into the target location: $ARCSIGHT_HOME/current/user/agent/acp/categorizer/current/Centrify/

  2. Paste the Parser file, centrify.subagent.sdkrfilereader.properties, into the target location, $ARCSIGHT_HOME/user/agent/flexagent/syslog/, regardless of the Linux version.

  3. Restart the SmartConnector service from /etc/init.d.