We recently discovered that the native parser for RSA ClearTrust has a typo in it for the timestamp definition... it uses lowercase "m" for both the month and minute in the timestamp, so the month is always wrong in deviceReceiptTime, endTime, etc. As a workaround until ArcSight resolves this issue in a future connector release I have created a parser override (attached).
To use this override:
- Go to the ../current/user/agent/ folder and create a subfolder called "cleartrust_file"
- Place this file (the parser override) into the newly created "cleartrust_file" folder
- Restart the connector
That's all there is to it.