ArcSight Remedy Client Integration
- Pavan Raja

- Apr 8, 2025
Summary:
This document provides a general guide for implementing the ArcSight Remedy Client in a production environment, focusing on configuration and leveraging ArcSight ESM and Flex Connectors. Key aspects include configuring the "arcremedyclient.properties" file for field mapping between ArcSight and Remedy, setting up the ArcSight Flex Connector (Regex File), creating active lists, and implementing rules. It emphasizes that all field mappings must match the Remedy Definition file for proper functionality and advises collaboration with a Remedy administrator if available.
The document also covers adjusting client settings such as deleting generated .xml files or changing update intervals.
When working with Remedy during integration, it's advisable to collaborate with a Remedy administrator if one is available. This software is highly customizable and installations can vary significantly. When a new ticket is created, Remedy assigns it a unique "RequestID", which starts at 0000000000000001 and increments by 1 with each new request. Some customers might prefer to use an "IncidentID," such as INC000000752148, generated automatically by Remedy once the ticket is created.
To retrieve the "status" field from Remedy for updating case status in an ArcSight system based on exported tickets, set "remedy.downlink.field=Status" and "arcsight.downlink.attribute=stage". Ensure that mappings between the "Status" field's values and the "stage" field in ArcSight are consistent (e.g., 1. Queued to "Queued", 2. Initial to "Initial").
If a customer needs another field, like the IncidentID, set "remedy.downlink.field=incident_fieldname" and "arcsight.downlink.attribute=name". To pull back the IncidentID, configure "remedy.downlink.field=incidentID_fieldname" and ensure that it appears in the log file of the Remedy Client.
The ArcSight Flex Connector for Remedy Client logs (arcremedy.log) is designed to read and parse this log file, extracting relevant information such as RequestID and IncidentID. The connector requires setting the "remedy.downlink.field" property to "incidentID_fieldname," and the Flex Connector's .properties file should be configured to map RequestID to deviceCustomString1 and IncidentID to deviceCustomString2.
To implement this connector as a single-line regex file reader, follow the Smart Connector installation guide for detailed steps. Additionally, create a list in ArcSight to document each ticket created, which can include any additional fields mapped by the customer based on their requirements. Finally, implement a rule to correlate the IncidentID with the RequestID as per the connector's functionality, ensuring that only items not listed as inactive are considered, using the condition "!= NOT InActiveList".
Details:
This document outlines a general guide for implementing the ArcSight Remedy Client in a production environment, focusing on configuration and leveraging ArcSight ESM and Flex Connectors. It clarifies that this is not a step-by-step installation guide but provides an overview of key aspects including rule implementation and active list tracking. Key points include configuring the "arcremedyclient.properties" file for field mapping between ArcSight and Remedy, setting up the ArcSight Flex Connector (Regex File), creating active lists, and implementing rules. It also explains how to adjust settings like deleting generated .xml files or changing update intervals in the client configuration. The document emphasizes that all field mappings must match the Remedy Definition file for proper functionality.
When working with Remedy during integration, it's advisable to collaborate with a Remedy administrator if one is available. This software is highly customizable and installations can vary significantly.
When a new ticket is created, Remedy assigns it a unique "RequestID", which starts at 0000000000000001 and increments by 1 with each new request. However, some customers might prefer to use an "IncidentID," such as INC000000752148, which is generated automatically by Remedy once the ticket is created.
In general, you would use the "remedy.downlink.field" setting to retrieve the "status" field from Remedy. This helps in updating the case status in an ArcSight system based on the exported tickets. If the Remedy field for ticket status is named "Status," set it accordingly along with "arcsight.downlink.attribute=stage". Ensure that mappings between the "Status" field's values and the "stage" field in ArcSight are consistent (e.g., 1. Queued to "Queued", 2. Initial to "Initial").
If a customer needs another field, like the IncidentID, you must change the configuration by setting "remedy.downlink.field=incident_fieldname". To pull back the IncidentID, set "arcsight.downlink.attribute=name", which updates the case name to the IncidentID in Remedy. Keep in mind that this setup does not allow fetching ticket status from Remedy due to a limitation of the Remedy client.
If you configure "remedy.downlink.field" to the field containing the IncidentID, it will appear in the log file of the Remedy Client. This ensures proper identification and tracking for your customers.
The ArcSight Flex Connector for Remedy Client logs (arcremedy.log) is designed to read and parse this log file, extracting relevant information such as RequestID and IncidentID. The purpose of this connector is to facilitate the correlation between these IDs and their corresponding cases in ArcSight. By default, the connector uses the RequestID field for queries and updates related to Remedy tickets. However, if an IncidentID is used instead (generated once a ticket is created), the Flex Connector reads the log file and extracts both the IncidentID and the RequestID for better correlation.
The connector requires setting the "remedy.downlink.field" property to "incidentID_fieldname", which is necessary for Remedy Client to retrieve and log the IncidentID. The Flex Connector's .properties file should be configured to map RequestID to deviceCustomString1 and IncidentID to deviceCustomString2, allowing customers to customize event field mapping if needed.
To implement this connector as a single-line regex file reader, follow the Smart Connector installation guide for detailed steps. Additionally, you can create a list in ArcSight to document each ticket created, which can include any additional fields mapped by the customer based on their requirements. Finally, a rule must be implemented to correlate the IncidentID with the RequestID as per the connector's functionality.
The rule aims to avoid creating duplicate line entries in a ticket by ensuring that only items not listed as inactive are considered. It uses the condition "!= NOT InActiveList" to exclude any entries marked as inactive from being included in the new ticket, based on the mapped Flex Connector fields.
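The log parsing and list-based de-duplication described above can be prototyped before the regex goes into the Flex Connector. This is an added example, not code from the original post or from ArcSight. Assumptions: the arcremedy.log line layout and the sample lines are constructed (the post does not show the real format), and the rule is read as "add a ticket only if it is not already on the list"; only the ID examples and the deviceCustomString1/deviceCustomString2 mapping come from the text.

```python
import re

# Constructed sample lines: the real arcremedy.log layout is not shown in the
# post, so this "RequestID=... IncidentID=..." format is an assumption.
SAMPLE_LOG = """\
2025-04-08 10:15:02 INFO Ticket created RequestID=0000000000000001 IncidentID=INC000000752148
2025-04-08 10:15:40 DEBUG Polling Remedy for updates
2025-04-08 10:20:02 INFO Ticket updated RequestID=0000000000000001 IncidentID=INC000000752148
2025-04-08 10:21:17 INFO Ticket created RequestID=0000000000000002 IncidentID=INC000000752149
2025-04-08 10:22:00 INFO Ticket created RequestID=0000000000000003 IncidentID=
"""

# Single-line pattern of the kind a regex file reader would use; the syntax
# used here behaves the same in Java and Python regex engines.
LINE_RE = re.compile(r"RequestID=(\d+)\s+IncidentID=(INC\d+)\b")


def parse_line(line):
    """Return the event fields for one log line, or None if it has no ID pair."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Field mapping stated in the post.
    return {"deviceCustomString1": m.group(1), "deviceCustomString2": m.group(2)}


def correlate(log_text):
    """Mimic the rule: add a ticket to the list only if it is not already there."""
    active_list = {}   # RequestID -> IncidentID, stands in for the ArcSight list
    skipped = []       # lines that carry no usable ID pair
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            skipped.append(line)
            continue
        req = event["deviceCustomString1"]
        if req not in active_list:   # assumed reading of the rule's list condition
            active_list[req] = event["deviceCustomString2"]
    return active_list, skipped


if __name__ == "__main__":
    tickets, skipped = correlate(SAMPLE_LOG)
    for req, inc in tickets.items():
        print(req, "->", inc)
    print(len(skipped), "lines without an ID pair")
```

The line with an empty IncidentID is skipped rather than listed, which is the case to watch for when "remedy.downlink.field" is not pointed at the IncidentID field.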