Sensor property names for common sensor types


Article ID: 179872


Products

Security Information Manager

Issue/Introduction

 

Resolution

Sensor property names for common sensor types

Property name values are case sensitive. You must enter the values in the CSV file for import exactly as they appear in the exported XML file.

For example, "LogfileName" is not the same as "LogFileName" and will not successfully import.

See Configuring many sensors for collectors.

Table: Sensor property names by sensor type

Sensor type

Sensor property names

Syslog sensor

Valid property names are as follows:

  • protocol

  • hosts

  • port

  • TimeOffset (Not present in every collector with this sensor)

Sample CSV formats for a syslog sensor are as follows:

hosts,*,port,514,enabled,true

hosts,centralunixhost,port,515,enabled,true

Logfile sensor

Valid property names are as follows:

  • LogFilePath

  • LogFileName

  • ReadingMode

  • InitialReadPolicy

  • TimeOffset (Not present in every collector with this sensor)

A sample CSV format for a LogFile sensor is as follows:

LogFilePath,C:\Program Files\Symantec\ITA\logs,InitialReadPolicy,BEGINNING,LogFileName,iquery.out,enabled,true

Database sensor

Valid property names are as follows:

  • JdbcDriverDir

  • DatabaseURL

  • DatabaseUserName

  • InitialReadPolicy

  • DatabasePassword

  • executionTime (Not present in every collector with this sensor)

A sample CSV format for a database sensor is as follows:

enabled,true,JdbcDriverDir,/opt/Symantec/simserver/collectors/drivers/mssqljdbc_2005/enu/,DatabaseURL,jdbc:sqlserver://192.168.1.234:1433;DatabaseName=RealSecureDB,DatabaseUserName,readonlyuser,DatabasePassword,mypassword,InitialReadPolicy,BEGINNING

Syslog File sensor

Valid property names are as follows:

  • LogPath

  • LogToMonitor

  • NameIsDynamic

  • FileEncoding

  • EndOfFileMarker

  • InitialReadPolicy

  • EndofRecordMarker

  • MonitorInRealTime

  • TimeOffset (Not present in every collector with this sensor)

A sample CSV format for a log or syslog file sensor is as follows:

enabled,false,name,messages,LogPath,/var/log,LogToMonitor,messages,NameIsDynamic,true,FileEncoding,UTF-8,EndOfFileMarker,EOF,InitialReadPolicy,Last Position,EndOfRecordMarker,ENDOFLINE,MonitorInRealTime,true,TimeOffset,+00:00

Windows Event Log sensor

Valid property names are as follows:

  • hostName

  • accountName

  • password

  • historyDays

  • eventLogs

Important notes on Windows Event Log sensor fields are as follows:

  • When you export the existing collector configuration in XML format, the "accountName" and "password" values are hashed (encrypted). However, when you create the CSV file, you must enter these values in cleartext form.

    You must take necessary precautions to secure these files in transmission and storage to protect the cleartext authentication credentials.

  • For a computer that is located in a Windows domain, the "accountName" value must be in the following format:

    DomainName\AccountName

  • For a computer that is not in a Windows domain, the "accountName" value must be in the following format:

    HostName\AccountName

  • When you export the existing collector configuration in XML format, the "eventLogs" property consists of comma-separated values. However, you must not list the values in this format when you create the CSV file. If you do so, only the first entry is accepted.

    If more than one Event Log is to be audited, you can add the additional Event Log values for a single collector configuration in the Information Manager console in System > Product Configurations. Then, use Global Update to include the additional Event Logs for the multiple sensors.

    See Globally updating sensor properties.

A sample CSV format for a Windows Event Log sensor is as follows:

hostName,centralwinprod,accountName,MSDomain\administrator,password,fakepassword,historyDays,1,eventLogs,Security

hostName,branchwintest,accountName,branchwintest\logreader,password,testpassword,historyDays,7,eventLogs,System

Note:
If the hostName value is 127.0.0.1 or localhost, the accountName and password values are not required.
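
A pre-import check for the Windows Event Log rules above and the case-sensitivity rule at the top of this article, given as an added example and not as Symantec code. The function names, the constructed sample rows, and the acceptance of "enabled" and "name" for any sensor are assumptions.

```python
import csv
import io

# Property names listed on this page for the Windows Event Log sensor.
WINEVT_PROPS = {"hostName", "accountName", "password", "historyDays", "eventLogs"}
# Assumption: "enabled" and "name" appear in the page's sample rows for other
# sensors but not in its name lists; this linter accepts them for any sensor.
COMMON_PROPS = {"enabled", "name"}
LOCAL_HOSTS = {"127.0.0.1", "localhost"}

def name_problems(names, valid):
    """Case-sensitive name check that points out near misses such as LogfileName."""
    by_lower = {v.lower(): v for v in valid}
    out = []
    for n in names:
        if n not in valid:
            hint = by_lower.get(n.lower())
            out.append(f"{n!r}: wrong case, expected {hint!r}" if hint
                       else f"{n!r}: unknown property")
    return out

def lint_winevt_row(fields):
    """Return the problems found in one row of name,value pairs."""
    problems = []
    if len(fields) % 2:
        problems.append("odd field count: a value is missing or eventLogs lists several logs")
    pairs = dict(zip(fields[0::2], fields[1::2]))
    problems += name_problems(pairs, WINEVT_PROPS | COMMON_PROPS)
    if pairs.get("hostName") not in LOCAL_HOSTS:
        domain, sep, account = pairs.get("accountName", "").partition("\\")
        if not (domain and sep and account):
            problems.append("accountName must be DomainName\\AccountName or HostName\\AccountName")
        if not pairs.get("password"):
            problems.append("password is required unless hostName is 127.0.0.1 or localhost")
    return problems

def lint_csv(text):
    """Map each 1-based row number that has problems to the list of problems."""
    rows = enumerate(csv.reader(io.StringIO(text)), 1)
    return {n: p for n, row in rows if row and (p := lint_winevt_row(row))}

# Constructed sample: row 1 is valid, row 2 has a miscased name and a bare account, row 3 lists two logs.
SAMPLE = ("hostName,centralwinprod,accountName,MSDomain\\administrator,password,fakepassword,historyDays,1,eventLogs,Security\n"
          "hostname,branchwintest,accountName,logreader,password,testpassword,historyDays,7,eventLogs,System\n"
          "hostName,localhost,historyDays,1,eventLogs,Security,System\n")

if __name__ == "__main__":
    for row_number, found in lint_csv(SAMPLE).items():
        print(row_number, found)
```

Because a misaligned row can put a credential in a name position, treat the linter's output with the same care as the CSV file itself.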

OPSEC LEA sensor

Valid property names are as follows:

  • opsec application name

  • opsec application password

  • InitialReadPolicy

  • MonitorInRealTime

  • lea_server ip

  • lea_server auth_port

  • lea_server auth_type

  • lea_server port

  • lea_server opsec_entity_sic_name

  • opsec_sic_name

  • read_audit_log

A sample CSV format for an OPSEC LEA sensor is as follows:

enabled,false,opsec application name,MyOPSECApp,opsec application password,Mypassword,InitialReadPolicy,BEGINNING,MonitorInRealTime,true,lea_server ip,192.168.1.207,lea_server auth_port,18184,lea_server auth_type,sslca,lea_server port,0,lea_server opsec_entity_sic_name,CN=cp_mgmt,O=MyOrg..vifxrc,opsec_sic_name,CN=MyOPSECApp,O=MyOrg..vifxrc,read_audit_log,true