
Adding Country Names to Logger

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 2 min read

Summary:

The document outlines a method to enhance ArcSight Logger by adding source and destination "Country Name" fields during a proof of concept (POC) phase. The author, together with Aaron Kramer, explores the limitations of SmartConnectors in tagging country codes and suggests using open source IP-to-country mappings to populate custom fields in the Logger schema, so that country names can be tagged without relying solely on SmartConnectors.

Details:

The document discusses how to add source and destination "Country Name" fields to ArcSight Logger, with step-by-step instructions for doing so during a proof of concept (POC) phase. The author shares his findings with attachments, including a PDF, charts, and maps that demonstrate the process.

The document also includes a discussion thread. Aaron Kramer explains that SmartConnectors do not tag country codes; they provide latitude and longitude data. Nicholas Hsiao questions this and asks whether these connectors automatically add country names to CEF (Common Event Format) events that are then sent to Logger for mapping purposes. Aaron clarifies that the connectors do not tag country codes directly but provide the geographical coordinates from which the logs originate or where they are received.

Nicholas Hsiao had noticed that in ArcSight Logger, events forwarded from the SmartConnector did not have country names tagged, even though he had seen demo scripts that tag country codes (country names). He thought SmartConnectors should tag these country names automatically, but found that without specific mapping files they do not tag geographical information. Aaron Kramer suggested using open source IP-to-country mappings to populate custom fields in the Logger schema for country name tagging, which is more efficient than relying on the SmartConnector alone. They discussed this further and concluded that some events might have been tagged by ESM before being forwarded to Logger.
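The approach the thread lands on (look each event's source and destination IP up in an open source IP-to-country mapping and write the country name into custom fields before the event reaches Logger) is shown below as an added example. It is not code from the document, from ArcSight, or from the participants. The mapping table is constructed from RFC 5737 documentation prefixes and stands in for a real open source GeoIP database; the CEF custom string fields cs1/cs2 and their labels are an assumption, since the document does not name the Logger schema fields it used. The example goes slightly beyond the text: it does longest-prefix matching, refuses to tag RFC 1918, loopback and link-local addresses (the "no mapping, no tag" behaviour the thread describes), and does not clobber a custom field the connector has already populated.

```python
import ipaddress
import re

# Constructed, illustrative IP-to-country table standing in for an open source
# GeoIP database. The prefixes are RFC 5737 documentation ranges, NOT real
# country allocations; a real deployment loads the database file instead.
COUNTRY_TABLE = [
    ("203.0.113.0/24", "AU", "Australia"),
    ("198.51.100.0/24", "CA", "Canada"),
    ("192.0.2.0/24", "US", "United States"),
    ("192.0.2.128/25", "GB", "United Kingdom"),  # more specific prefix wins
]
# Longest prefix first so the most specific entry is matched.
_NETWORKS = sorted(
    ((ipaddress.ip_network(c), code, name) for c, code, name in COUNTRY_TABLE),
    key=lambda entry: entry[0].prefixlen, reverse=True,
)
# Addresses that carry no country: RFC 1918, loopback, link-local.
_UNMAPPABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumed Logger-side custom fields; the document does not name the ones it used.
SRC_FIELD = ("cs1", "cs1Label", "Source Country")
DST_FIELD = ("cs2", "cs2Label", "Destination Country")

# CEF header fields are separated by unescaped pipes; extension key=value pairs
# are whitespace separated and a value runs until the next " key=".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def lookup_country(ip_str):
    """Return (code, name) for ip_str, or None if malformed, private or unmapped."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if any(ip in net for net in _UNMAPPABLE):
        return None
    for net, code, name in _NETWORKS:
        if ip in net:
            return code, name
    return None


def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    return parts[:7], dict(_EXT_RE.findall(parts[7]))


def format_cef(header, extension):
    """Reassemble a CEF line; dict order keeps the original field order."""
    ext = " ".join("%s=%s" % (k, v) for k, v in extension.items())
    return "|".join(header) + "|" + ext


def enrich(line):
    """Add country-name custom fields for src and dst. An already occupied
    custom field is left alone, and unmappable addresses get no tag at all
    rather than a bogus country."""
    header, ext = parse_cef(line)
    for ip_key, (field, label_field, label) in (("src", SRC_FIELD), ("dst", DST_FIELD)):
        if field in ext or label_field in ext:
            continue
        hit = lookup_country(ext.get(ip_key, ""))
        if hit is None:
            continue
        ext[field] = hit[1]
        ext[label_field] = label
    return format_cef(header, ext)


def enrich_events(lines):
    """Enrich a batch of lines; non-CEF lines pass through unchanged."""
    out = []
    for line in lines:
        try:
            out.append(enrich(line))
        except ValueError:
            out.append(line)
    return out


# Constructed sample events (not taken from the document).
SAMPLE_EVENTS = [
    "CEF:0|Vendor|Firewall|1.0|100|Connection allowed|3|src=203.0.113.9 dst=192.0.2.44 dpt=443",
    "CEF:0|Vendor|Firewall|1.0|100|Connection allowed|3|src=10.0.0.5 dst=198.51.100.7 dpt=22",
    "CEF:0|Vendor|Firewall|1.0|200|Policy hit|5|src=192.0.2.1 dst=192.0.2.200 cs1=already-used cs1Label=Rule",
    "not a cef line",
]

if __name__ == "__main__":
    for event in enrich_events(SAMPLE_EVENTS):
        print(event)
```

In practice this enrichment would run at the point where the connector's CEF output is forwarded to Logger, with the table replaced by a loaded IP-to-country database; the second sample event shows the behaviour the thread observed, an event with no country tag because its source address has no mapping.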

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.