
SCX MultiDB FlexConnector

  • Writer: Pavan Raja
  • Apr 9
  • 5 min read

Summary:

This document outlines the setup and configuration of a Multi-Database Flex Connector in an ArcSight system, built to query a MySQL database hosted at 192.168.1.35 through the JDBC URL jdbc:mysql://192.168.1.35:3306/securonix_arc. The connector is configured with the following details:

  • **Database Driver**: com.mysql.jdbc.Driver

  • **JAR File**: mysql-connector-java-5.1.26.jar, located at C:\ArcSight\Connectors\FlexDB\current\user\agent\lib

  • **Connection URL**: jdbc:mysql://192.168.1.35:3306/securonix_arc

  • **Database Credentials**: the DB user is set as root/$ecurity.4u

  • **Properties Files**: .sdkidatabase.properties files are copied to the identity and risk management directories, C:\ArcSight\Connectors\multidb\current\user\agent\flexagent\identity\ and C:\ArcSight\Connectors\multidb\current\user\agent\flexagent\risk\

  • **Field Limitation**: active lists are limited to 20 fields, and certain fields might not be available because of categorization limitations.

  • **Database Queries**:
    - Retrieves user information (id, firstname, lastname, department, division, location, manageremployeeid, workemail, workphone, title and employeetype) from the users table in the securonix_arc database.
    - Fetches peer group details (name, type and member information) by querying specific tables linked through foreign keys.

  • **Files and Resources**: various files such as ARB (Asset Review Browser), Flex Connector setup files, sample events and replay scripts are mentioned.

  • **Rule Configuration**: the rule updates lists on a successful login by a terminated user; because it only updates lists rather than generating new events, it is set as a lightweight rule.

Additionally, the document addresses issues related to managing event streams in ArcSight 6.x:

  1. Event suppression: add the rule's generator ID to the Blocked ArcSight Internal Events filter to stop the rule's events from firing.
  2. Documentation and enhancements are suggested for both the Multi-DB connector settings and the identity query/sdkidatabase.properties.
  3. SQL queries and data handling had to be adjusted because fields were given incorrect data types, which was resolved with a method like __safeToLong(field).
  4. The error log records fatal exceptions during query execution, caused by a parameter index out of range or by tokens being treated as Long values when they should be numbers.

Details:

This document outlines the configuration and setup of a "Flex Connector" in an ArcSight system. The key points are:

1. **Connector Type**: a "Multi-Database Flex Connector" configured with the database settings below.

2. **Version and Path**: the agent framework version is 6.0.7.6901.0, and the connector setup lives at `C:\ArcSight\Connectors\FlexDB\current\user\agent\flexagent\scx`.

3. **Database Configuration**:

  • **Driver**: The database driver used is `com.mysql.jdbc.Driver`.

  • **JAR File**: A specific MySQL connector JAR file (`mysql-connector-java-5.1.26.jar`) located at `C:\ArcSight\Connectors\FlexDB\current\user\agent\lib` is used.

  • **Connection URL**: The connection to the database is established via `jdbc:mysql://192.168.1.35:3306/securonix_arc`.

  • **Database Credentials**: The DB user is set as `root/$ecurity.4u`.

4. **Properties Files**: `.sdkidatabase.properties` files need to be copied to the identity and risk management directories, `C:\ArcSight\Connectors\multidb\current\user\agent\flexagent\identity\` and `C:\ArcSight\Connectors\multidb\current\user\agent\flexagent\risk\`.

5. **Field Limitation**: Active lists are limited to 20 fields, and certain fields (marked blue and yellow in the source document) might not be available in some content because of categorization limitations.

6. **Database Queries**:

  • **Active Directory Query**: Retrieves user information from the database using complex joins to fetch `accountname` and `accessvaluel1`.

  • **Peer Group Query**: Fetches peer group details including name, type, and member information by querying specific tables linked through foreign keys.

7. **Files and Resources**:

  • Various files such as ARB (Asset Review Browser), Flex Connector setup files, sample events, and replay scripts are mentioned.

  • Specific rules and objects like "Login by Terminated Account" using the Securonix Database Flex Connector and related user information events are discussed.

8. **Rule Configuration**: The rule is configured to update lists on a successful login by a terminated user; because it only updates lists rather than generating new events, it is set as a lightweight rule. This setup is designed for managing complex data queries and updates within an ArcSight environment using the specified Flex Connector, tailored for Securonix database interactions.

The document then covers a series of tasks for managing and updating the ArcSight event stream in version 6.x, together with specific development errors encountered during implementation:

1. **Event Suppression**: In ArcSight 6.x, rules that update active lists can be set as "lightweight". To suppress the events such a rule generates, add the rule's generator ID to the Blocked ArcSight Internal Events filter: locate the rule, obtain its resource ID, and add that ID to the filter.

2. **Documentation and Enhancements**: Update the documentation for both the Multi-DB connector and the identity query/sdkidatabase.properties settings. Additionally, enhance the AD (Active Directory) active lists by creating user, group and computer lists, configuring rules for these lists, and ensuring proper querying mechanisms are in place.

3. **Event Value Data Type Issues**: Event values were not parsed correctly because fields such as score and deviceCustomFloatingPoint1 were given incorrect data types. Resolving this required specific SQL queries and adjustments, such as granting MySQL privileges to a remote IP address, which should resolve the floating-point casting issue.

4. **Query Processing Errors**: Fatal exceptions occurred during query execution, caused by a parameter index out of range or by tokens being treated as Long values when they were expected to be numbers. These errors required adjustments to the SQL queries and data handling within ArcSight.

This covers the tasks involved in managing an event stream with ArcSight 6.x, including troubleshooting steps for specific implementation issues.

The log summary describes a query against the MySQL database hosted at 192.168.1.35 over the JDBC URL jdbc:mysql://192.168.1.35:3306/securonix_arc. The query retrieves user information (id, firstname, lastname, department, division, location, manageremployeeid, workemail, workphone, title and employeetype) from the users table in that database. The operation starts at a specific record ID (initially set at 30) and is designed to retrieve rows where the id field value exceeds 30. The query itself is:

`SELECT id, employeeid, firstname, lastname, department, division, location, manageremployeeid, workemail, workphone, title, employeetype from securonix_arc.users WHERE id > 0`

During execution, however, the query failed with a type mismatch: the field "employeeid" was expected to be a Long (a numeric value) but was received as a String. This caused a fatal exception, and the error message states that the field should be explicitly defined in the database as either a number or a date, so that no implicit conversion alters its actual data type. The suggested fix is the __safeToLong(field) method, presumably converting "employeeid" from String to Long where necessary. The error message also advises caution when assigning fields that may undergo implicit conversion, since such changes can lead to unexpected behaviour or data type mismatches during processing.
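As an added example that is not part of the original post, here is what an ID-based database parser file for the users query above could look like, with employeeid declared as the String the database actually returns and converted with __safeToLong at mapping time. The property key names follow ArcSight FlexConnector SDK conventions and the event field mappings are my assumptions, so verify both against your SDK version.

```properties
# Added example, not code from the original post: ID-based Database
# FlexConnector parser (sdkidatabase.properties style) for the users query.
# Key names follow FlexConnector SDK conventions; check them against your SDK version.

# "?" is bound by the connector to the last id it processed, so each poll only
# returns new rows. Omitting the placeholder is one cause of "parameter index out of range".
query=SELECT id, employeeid, firstname, lastname, department, division, location, manageremployeeid, workemail, workphone, title, employeetype FROM securonix_arc.users WHERE id > ? ORDER BY id
lastid.query=SELECT MAX(id) FROM securonix_arc.users
uniqueid.fields=id
version.order=0

# One token per selected column, typed as the database actually returns it.
# employeeid is a varchar that merely looks numeric: declaring it Long here is
# what produced the "expected Long, received String" exception in the post.
token.count=12
token[0].name=id
token[0].type=Long
token[1].name=employeeid
token[1].type=String
token[2].name=firstname
token[2].type=String
token[3].name=lastname
token[3].type=String
token[4].name=department
token[4].type=String
token[5].name=division
token[5].type=String
token[6].name=location
token[6].type=String
token[7].name=manageremployeeid
token[7].type=String
token[8].name=workemail
token[8].type=String
token[9].name=workphone
token[9].type=String
token[10].name=title
token[10].type=String
token[11].name=employeetype
token[11].type=String

# Map tokens to event fields (assumed mappings). Numeric conversion happens here
# with __safeToLong, the tolerant conversion the post recommends for employeeid.
event.deviceVendor=__stringConstant(Securonix)
event.deviceProduct=__stringConstant(Database Flex Connector)
event.name=__stringConstant(User Information)
event.deviceCustomNumber1=__safeToLong(employeeid)
event.deviceCustomNumber1Label=__stringConstant(employeeid)
event.deviceCustomNumber2=__safeToLong(manageremployeeid)
event.sourceUserName=workemail
event.deviceCustomString1=department
```

The database credentials are kept in the connector's agent.properties rather than in this parser file; a dedicated read-only account restricted to the connector host is preferable to the root account the post uses.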

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.