Sentrigo Certified CEF Connector Configuration Guide for Hedgehog Version 2.2.0
- Pavan Raja

- Apr 9, 2025
- 3 min read
Summary:
The "Common Event Format Configuration Guide" for Hedgehog Enterprise / vPatch by Sentrigo explains how to set up the Hedgehog Connector so that ArcSight collects Hedgehog events either over syslog in CEF format or from a CEF-formatted log file. The setup is intended for real-time database security monitoring and breach prevention, and it supports Hedgehog versions 2.2.0 and above. It is written for ArcSight customers who need a real-time view of their database security without affecting database performance.
### Configuration Options:
1. **Syslog CEF Format**:
   - Navigate to the System/Interfaces screen, select "use syslog", configure the syslog host and port, then choose CEF format.
   - The default CEF format definitions are provided in a properties file on the Hedgehog server; changes require restarting the server.
   - Define rules with the syslog rule action; alerts raised by those rules are sent to ArcSight in the same syslog CEF format.
2. **Log to File (CEF Format)**:
   - Enable 'Log to File' in the System tab of the Hedgehog server, set the rolling period (for example, daily logs), and set the log format to CEF. Changes are made in a properties file on the server and require a restart to take effect.
   - Configure rules with the Log to File rule action; alerts raised by those rules are written to the file in CEF format and collected from there by ArcSight.
### Default Mappings:
- The default configuration maps rule names to signature IDs; this can be reconfigured by the user.
- Events are mapped from vendor-specific event definitions to ArcSight data fields through the SmartConnector.
This guide is designed for users who want to enhance their real-time monitoring and breach prevention capabilities using Hedgehog Enterprise / vPatch in conjunction with ArcSight, ensuring that all events relevant to database security are captured and either forwarded or logged according to the user's configuration. The Hedgehog Connector Field Mappings documentation outlines the default configuration for mapping vendor-specific event definitions to ArcSight Event Data Fields; the defaults can be overridden by editing the configuration file in {install folder}\conf\sentrigo-custom.
Details:
The "Common Event Format Configuration Guide" for Hedgehog Enterprise / vPatch by Sentrigo outlines how to configure the Hedgehog Connector so that events are collected either over syslog in CEF format or from a CEF-formatted log file, for real-time database monitoring and breach prevention. It supports Hedgehog versions 2.2.0 and above and focuses on ArcSight customers who want a real-time view of their database security without impacting database performance.
### Configuration Options:
1. **Syslog CEF Format**:
Navigate to the System/Interfaces screen, select "use syslog", configure the syslog host and port, then choose CEF format. Note that the events carry database user names, source hosts and statement text (see the field mapping below), so the syslog destination should be a collector on a trusted network segment.
The default CEF format definitions are provided in a properties file on the Hedgehog server; changes to that file require restarting the server.
Define the relevant rules with the syslog rule action. Alerts raised by those rules are then sent to ArcSight over syslog in the same CEF format.
2. **Log to File (CEF Format)**:
Enable 'Log to File' in the System tab of the Hedgehog server, set the rolling period (for example, daily logs), and set the log format to CEF.
These settings are made in a properties file on the server and require a restart for changes to take effect.
Configure the relevant rules with the Log to File rule action. Alerts raised by those rules are written to the file in CEF format and collected from there by the ArcSight SmartConnector.
### Default Mappings:
The default configuration maps rule names to signature IDs, but can be reconfigured as needed by the user.
Events are mapped from vendor-specific event definitions to ArcSight data fields through the SmartConnector.
This guide is designed for users who want to enhance their real-time monitoring and breach prevention capabilities using Hedgehog Enterprise / vPatch in conjunction with ArcSight, ensuring that all events relevant to database security are captured and potentially transferred or logged appropriately based on user configuration.
The Hedgehog Connector Field Mappings documentation outlines the default configuration for mapping vendor-specific event definitions to ArcSight Event Data Fields. This default configuration can be found in the {install folder}\webapps\ROOT\WEB-INF\config\application\sentrigo file, specifically within the "log.format.body.cef" section. The table below summarizes the default field mappings. CEF extension keys are case-sensitive and must be emitted exactly as shown (for example `suser`, not `Suser`); `cs1` to `cs3` are CEF custom string fields whose meaning is fixed only by this mapping:

| Hedgehog field | CEF extension key |
|---|---|
| Id | externalId |
| executionTime | rt |
| database.name | cs1 |
| agent.ip | dvc |
| execUser | duser |
| osUser | suser |
| sourceHost | shost |
| execProgram | dproc |
| cmdType | act |
| Operation | cs2 |
| AccessedObjects | cs3 |
The default mapping can be modified for customization by editing the configuration file in {install folder}\conf\sentrigo-custom, as all mappings are configurable.
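The two delivery paths described above (syslog in CEF format and a CEF log file) and the default field mapping determine exactly what the SmartConnector receives. The following Python script is an added example, not Sentrigo, Hedgehog or ArcSight code: it renders a Hedgehog-style event as a CEF line using the mapping table above, with the rule name used as the Signature ID, and parses such a line back (tolerating a syslog prefix) with CEF's standard escaping rules, so that an analyst can check what a rule actually emits before pointing it at ArcSight. The vendor/product strings, the sample rule name, all sample event values, the use of the rule name also as the CEF Name field, and the epoch-millisecond form of `rt` are constructed assumptions.

```python
"""CEF round trip for a Hedgehog -> ArcSight pipeline (added example, not vendor code).

Assumes the Hedgehog-to-CEF mapping table on this page, Signature ID = rule name,
and CEF's standard escaping ('|' and '\\' in the header, '=' and '\\' in extension
values). Vendor/product strings and all sample values are constructed.
"""
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Hedgehog field -> CEF extension key, as in the default mapping on this page.
HEDGEHOG_TO_CEF = {
    "Id": "externalId", "executionTime": "rt", "database.name": "cs1",
    "agent.ip": "dvc", "execUser": "duser", "osUser": "suser",
    "sourceHost": "shost", "execProgram": "dproc", "cmdType": "act",
    "Operation": "cs2", "AccessedObjects": "cs3",
}
CEF_TO_HEDGEHOG = {v: k for k, v in HEDGEHOG_TO_CEF.items()}

# Constructed sample event; not real Hedgehog output. Values deliberately contain
# '|', '=' and '\' so the escaping paths are exercised.
SAMPLE_EVENT = {
    "Id": "100245", "executionTime": "1712654400000",   # rt as epoch ms (assumption)
    "database.name": "ORCL|PROD", "agent.ip": "10.0.0.5",
    "execUser": "APP_USER", "osUser": "jdoe", "sourceHost": "ws-42.corp.example",
    "execProgram": "C:\\Tools\\sqlplus.exe", "cmdType": "SELECT",
    "Operation": "select * from hr.employees where salary=1",
    "AccessedObjects": "HR.EMPLOYEES",
}


def _esc_header(v):
    # Header fields: backslash and pipe are escaped with a backslash.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    # Extension values: backslash and '=' are escaped; line breaks become \r / \n.
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(event, rule_name, severity, vendor="Sentrigo",
              product="Hedgehog", version="2.2.0"):
    """Render one Hedgehog event as a CEF:0 line; Signature ID and Name = rule name."""
    header = "|".join(_esc_header(str(x)) for x in
                      (vendor, product, version, rule_name, rule_name, severity))
    ext = " ".join(f"{HEDGEHOG_TO_CEF[k]}={_esc_ext(str(v))}"
                   for k, v in event.items() if k in HEDGEHOG_TO_CEF)
    return f"CEF:0|{header}|{ext}"


_HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")   # one field up to an unescaped '|'
_UNESC_MAP = {"n": "\n", "r": "\r"}


def _unesc(v):
    # Drop the backslash from any escape; \n and \r become real line breaks.
    return re.sub(r"\\(.)", lambda m: _UNESC_MAP.get(m.group(1), m.group(1)), v)


def parse_extension(ext):
    """Split 'k=v k2=v2 ...' at each unescaped '='; the key is the token before it."""
    pairs, key, val_start, i = [], None, 0, 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                      # escaped character, never a separator
            continue
        if ext[i] == "=":
            j = i
            while j > 0 and (ext[j - 1].isalnum() or ext[j - 1] in "_."):
                j -= 1                  # walk back over the key name
            if key is not None:
                pairs.append((key, ext[val_start:j].rstrip()))
            key, val_start = ext[j:i], i + 1
        i += 1
    if key is not None:
        pairs.append((key, ext[val_start:]))
    return {k: _unesc(v) for k, v in pairs}


def parse_cef(line):
    """Parse a CEF line into header fields plus an 'extension' dict; a syslog prefix is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body, fields, pos = line[start + 4:], [], 0
    for _ in HEADER_FIELDS:
        m = _HEADER_FIELD.match(body, pos)
        if not m:
            raise ValueError("truncated CEF header")
        fields.append(_unesc(m.group(1)))
        pos = m.end()
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = parse_extension(body[pos:])
    return event


def to_hedgehog(parsed):
    """Reverse the default mapping so the analyst sees Hedgehog's own field names."""
    return {CEF_TO_HEDGEHOG.get(k, k): v for k, v in parsed["extension"].items()}


def unmapped_keys(parsed):
    """Extension keys absent from the default mapping (what a customized config adds)."""
    return sorted(k for k in parsed["extension"] if k not in CEF_TO_HEDGEHOG)


if __name__ == "__main__":
    line = build_cef(SAMPLE_EVENT, "Privileged select | HR", 7)
    print(line)
    print(to_hedgehog(parse_cef("<134>Apr  9 12:00:00 hedgehog " + line)))
```

Running the script prints the escaped CEF line and the event recovered from it; if the two dictionaries differ for any field, the escaping on one side is wrong and ArcSight would misparse the same events. `unmapped_keys` is useful after editing the mapping in sentrigo-custom, since any key you add that the SmartConnector does not know will surface there.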