Smart Connector "Filter Out" issue - workaround (fixed at 6.4.0.6881.3)

Document created by AlexMuratov on Jul 8, 2014Last modified by AlexMuratov on Sep 24, 2014

Important: fixed in ConnApp 6.4 SP3 (6.4.0.6881.3)

 

ArcSight Smart Connectors have a very useful feature: it is possible to set up a filter that drops unwanted events so they are not sent to a destination (ArcSight ESM, Logger, etc.). It works very well with ArcSight ESM: you just open the connector's properties, select the "Filter" tab and create a filter that matches the unwanted events. See the example below. A Smart Connector re-reads its configuration on a regular basis and will apply a new filter within the next 5 minutes.

Connector filter ESM

Things are completely different when you have a Connector Appliance or when Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for filter expressions. For example:

 

deviceVendor EQ "Unix" and deviceEventId EQ "1001"

 

But there is a problem: it does not work. The Smart Connector updates its configuration and ... nothing happens. Events keep flowing to the destination as if no filter were defined. What is going on? It appears that ArcSight ESM updates the connector's configuration properly, but the Connector Appliance does the same thing incorrectly.

 

The connector's logs will show something like this:


[2014-06-30 12:15:59,324][ERROR][default.com.arcsight.agent.ob.g][init] com.arcsight.common.zones.parser.d: Lexical error at line 1, column 17. Encountered: "&" (38), after : "" at com.arcsight.common.zones.parser.ZoneParserTokenManager.getNextToken(ZoneParserTokenManager.java:2


Connector Appliance 6.4 (6.4.0.6661.0) or earlier is affected.

Let's take a look at what is going on under the hood. Each Smart Connector has a few configuration files: agent.properties and one or more XML configuration files that contain all the settings (batching parameters, aggregation parameters, and so on). A Smart Connector is actually a container that can hold several Connectors (sub-agents), and each defined Connector has an associated XML configuration file. First, let's see where a Smart Connector stores the filter-out expression when it is created via ArcSight ESM.

 

./user/agent/agent.properties:

agents[0].destination[0].agentid=3W3zEHkUBABCmGqXOpqun3Q==


3W3zEHkUBABCmGqXOpqun3Q==.xml:

zonebasedfiltering.zonedefinition="deviceVendor EQ &quote;Unix&quote; And deviceEventClassId EQ &quote;1001&quote;"

zonebasedfiltering.zonedefinitionOriginal="deviceVendor EQ &quote;Unix&quote; And deviceEventClassId EQ &quote;1001&quote;" zonebasedfiltering.zonedefinitionhigh="false" zonebasedfiltering.zonedefinitionhighOriginal="false" zonebasedfiltering.zonedefinitionlow="false" zonebasedfiltering.zonedefinitionlowOriginal="false" zonebasedfiltering.zonedefinitionmedium="false" zonebasedfiltering.zonedefinitionmediumOriginal="false" zonebasedfiltering.zonedefinitionunknown="false" zonebasedfiltering.zonedefinitionunknownOriginal="false" zonebasedfiltering.zonedefinitionveryhigh="false" zonebasedfiltering.zonedefinitionveryhighOriginal="false" />


What we see: there are two identical parameters, "zonebasedfiltering.zonedefinition" and "zonebasedfiltering.zonedefinitionOriginal". A few other parameters, such as zonebasedfiltering.zonedefinitionhigh, are explicitly set to "false". Also, the quotes in the filter string are encoded as &quote; entities, HTML-style.

Let's see how the same configuration looks when we update it via the Smart Connector configuration editor on the Connector Appliance:

 

zonebasedfiltering.zonedefinition="deviceVendor EQ &quote;Unix&quote; And deviceEventClassId EQ &quote;1001&quote;"

zonebasedfiltering.zonedefinitionOriginal="" zonebasedfiltering.zonedefinitionhigh="" zonebasedfiltering.zonedefinitionhighOriginal="" zonebasedfiltering.zonedefinitionlow="" zonebasedfiltering.zonedefinitionlowOriginal="" zonebasedfiltering.zonedefinitionmedium="" zonebasedfiltering.zonedefinitionmediumOriginal="" zonebasedfiltering.zonedefinitionunknown="" zonebasedfiltering.zonedefinitionunknownOriginal="" zonebasedfiltering.zonedefinitionveryhigh="" zonebasedfiltering.zonedefinitionveryhighOriginal="" />


The parameter "zonebasedfiltering.zonedefinitionOriginal" is empty, and the other parameters are not set explicitly. This is the problem: a Smart Connector expects both "zonebasedfiltering.zonedefinition" and "zonebasedfiltering.zonedefinitionOriginal" to be set to the identical filter string. Whenever the Filter Out string is updated via the built-in editor, only the first parameter is changed; the second parameter, "zonebasedfiltering.zonedefinitionOriginal", is never touched. If the Smart Connector files are not accessible directly, the only way to change an XML configuration file is to edit it via the "Diagnostic Wizard".

The procedure is very simple:

1. Click on the Connector icon and locate the "Diagnostic Wizard" button:

Diagnostic Wizard1

2. Press the "Next" button:

Diagnostic Wizard2

3. Select the "Edit a user file" option and press the "Next" button:

Diagnostic Wizard3

4. Select the "agent.properties" file from the drop-down list and press the "Next" button:

Diagnostic Wizard4

5. Locate the record "agents[0].id":

Diagnostic Wizard5

Record (or remember) the agent ID; we need it to locate the XML file with the same name in the next step.

6. Press the "Previous" button to return to the wizard screen where a file can be selected, and locate the XML file with the matching name:

Diagnostic Wizard6

Usually there is only one XML file, but it is quite common for a Container to have multiple XML files (one XML file for each sub-agent).

Press the "Next" button.

7. Locate the "zonebasedfiltering.zonedefinition" parameter:

Diagnostic Wizard8

Oh, now we see a problem: the filter string contained encoded quotes like &quote;, but the editor decoded all such special characters back to their visual representation. As a result, the XML representation is broken. If the configuration file is saved back (even without any alterations!), it is saved in this corrupted form and the Smart Connector will not be able to start. The log file will contain an error like this:

 

[2014-07-07 18:09:13,866][FATAL][default.com.arcsight.agent.a.k][refresh] Cannot load config file : /opt/arcsight/connector_5/current/user/agent//3inSxVkEBABCETQDfE+W7iA==.xml (Could not parse AgentConfig xml:org.xml.sax.SAXParseException: The value of attribute "Description" must not contain the '<' character.)


The only way to avoid it is to retrieve the XML file in its original, unaltered state, paste it into the editor, make the required modifications and save it. Experimentally I found out that the Diagnostic Wizard's editor saves the file "as is" but decodes HTML entities while reading the file. How do you retrieve the XML configuration file if there is no direct access to the file system? There is a workaround: request the container logs, and the XML file will be part of them.

Now we have a step-by-step procedure for properly setting a Filter Out expression for a Smart Connector via the Connector Appliance configuration editor:

  1. Select the Smart Connector (under Container) in the left tree view;
  2. Click on the "Edit runtime parameters" icon to open the configuration editor;
  3. Click on the "Default" link (if the Smart Connector has only the "Default" configuration);
  4. Locate the "Filter Out" text box under the "Filters" section;
  5. Enter the desired expression;
  6. Save the configuration;
  7. Select the host in the left tree view to see the list of Containers on it;
  8. Check the Container and press the "Logs" button to generate the container's logs;
  9. Select the menu item "Setup -> Repositories";
  10. Select "Logs" from the list of repositories;
  11. Download the logs archive;
  12. Extract agent.properties, find the agent ID and extract the XML configuration file whose name is that ID;
  13. Edit the "zonebasedfiltering.zonedefinition" and "zonebasedfiltering.zonedefinitionOriginal" parameters and make them identical;
  14. Click on the "Manage" top menu item;
  15. Select the Container in the left tree view;
  16. Click on the Diagnostic Wizard icon;
  17. Select the "Edit user file" option and then select the XML file from the list of available files;
  18. Completely replace the file content with the modified content (from step #13) and save the file (press the "Save" button);
  19. The Container restarts automatically and the filter-out expression is applied.
  20. Retrieve the container logs again, check agent.log and you should see the following message: "zone filtering enabled".
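As an added example (not part of the original article and not ArcSight's own tooling), the Python script below automates the check and edit behind steps 12 and 13, and the corruption problem described for the Diagnostic Wizard. It copies the raw zonebasedfiltering.zonedefinition value into zonebasedfiltering.zonedefinitionOriginal without decoding entities, and it reports whether a file is still well-formed XML before it is pasted back, so the SAXParseException shown in the log above is caught offline instead of at connector start-up. The element name AgentConfig, the reduced attribute set and the sample strings are constructed for this example. The sample spells the quote entity as &quot; (the standard XML entity, which a strict parser accepts); the listings above print it as &quote;, and because the sync function copies the attribute text verbatim it works with either spelling.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Both regexes work on the raw attribute text rather than a parsed DOM. This is
# deliberate: the values must be copied byte-for-byte, entities included, because
# the wizard's defect is precisely that it decodes them on read and saves them raw.
_DEF_RE = re.compile(r'zonebasedfiltering\.zonedefinition="([^"]*)"')
_ORIG_RE = re.compile(r'zonebasedfiltering\.zonedefinitionOriginal="[^"]*"')

# Constructed sample filter, entity-encoded exactly as it sits in the XML file.
FILTER_RAW = "deviceVendor EQ &quot;Unix&quot; And deviceEventClassId EQ &quot;1001&quot;"

# Constructed sample in the shape the Connector Appliance editor writes:
# zonedefinition set, zonedefinitionOriginal left empty. The element name
# AgentConfig and the attribute subset are assumptions for this example.
CONNAPP_WRITTEN = (
    f'<AgentConfig zonebasedfiltering.zonedefinition="{FILTER_RAW}" '
    'zonebasedfiltering.zonedefinitionOriginal="" '
    'zonebasedfiltering.zonedefinitionhigh="" />'
)

# Constructed sample of what the Diagnostic Wizard displays after decoding the
# entities: saving this text back produces a file the connector cannot parse.
WIZARD_DECODED = CONNAPP_WRITTEN.replace("&quot;", '"')


def sync_zone_definition(xml_text: str) -> str:
    """Return xml_text with zonedefinitionOriginal set to the raw (still encoded)
    value of zonedefinition, i.e. step 13 of the procedure. Refuses to touch a
    file where either attribute is missing or appears more than once."""
    definitions = _DEF_RE.findall(xml_text)
    if len(definitions) != 1:
        raise ValueError(f"expected one zonedefinition attribute, found {len(definitions)}")
    raw_filter = definitions[0]
    # A callable replacement avoids any backslash/group interpretation of the value.
    fixed, count = _ORIG_RE.subn(
        lambda _m: f'zonebasedfiltering.zonedefinitionOriginal="{raw_filter}"', xml_text
    )
    if count != 1:
        raise ValueError(f"expected one zonedefinitionOriginal attribute, found {count}")
    return fixed


def zone_filter_values(xml_text: str) -> Optional[Tuple[str, str]]:
    """Decoded values of both filter attributes as an XML parser sees them, or
    None when the text is not well-formed XML (the connector logs that as a
    SAXParseException and fails to start)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return (
        root.get("zonebasedfiltering.zonedefinition", ""),
        root.get("zonebasedfiltering.zonedefinitionOriginal", ""),
    )


def check_filter_config(xml_text: str) -> str:
    """Classify a configuration as 'ok' (safe to paste into the wizard),
    'mismatch' (step 13 still required) or 'malformed' (entities were decoded,
    retrieve a fresh copy from the container logs instead)."""
    values = zone_filter_values(xml_text)
    if values is None:
        return "malformed"
    definition, original = values
    return "ok" if definition and definition == original else "mismatch"


def fix_file(path: str) -> str:
    """Apply sync_zone_definition to an extracted XML file in place, preserving
    line endings, and return the resulting check_filter_config status."""
    with open(path, "r", encoding="utf-8", newline="") as fh:
        text = fh.read()
    fixed = sync_zone_definition(text)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(fixed)
    return check_filter_config(fixed)


if __name__ == "__main__":
    print("as written by ConnApp :", check_filter_config(CONNAPP_WRITTEN))   # mismatch
    print("as shown by the wizard:", check_filter_config(WIZARD_DECODED))    # malformed
    print("after sync            :", check_filter_config(sync_zone_definition(CONNAPP_WRITTEN)))  # ok
```

Run `fix_file` against the XML file extracted from the logs archive in step 12, then paste the resulting file into the wizard in step 17; if `check_filter_config` reports "malformed" on the copy you are about to paste, it was already entity-decoded and will reproduce the "Cannot load config file" error shown above.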

 

The latest version, 6.4 SP3 (6.41), of the ConnApp fixes this issue. Consider upgrading ASAP if you have not done so yet.

 

Original article: http://www.infosec.pro/2014/07/08/smart-connector-filter-out-issue/
