How to configure forwarding FIXEdge lifecycle events to ArcSight

Overview

Since version 6.7 FIXEdge provides the functionality of event notifications that can be processed as ArcSight events. The fixicc-agent logs don't have this feature.

The list of application lifecycle events is described there: Logging for lifecycle FIXEdge events.

The described functionality was tested with version 6.6.1 of ArcSight

Connection with ArcSight is supported over TCP.

Interaction model

Forwarding messages from FIXEdge to ArcSight is maintained via Log4Cplus and SocketTCPAppender.

Configuring

1. Upgrade FIXEdge to version 6.7

2. Set the format for lifecycle FIXEdge events log entries

To forward traceable events to ArcSight you need to set a log category (e.g. "CEF") for all events in FIXEdge.properties file.
Configure events patterns in CEF format for output (also see Format of event entries for transfer to ArcSight).

FIXEdge.properties

#--------------configure Application Lifecycle events-------------------------------
#for output to the log system use CEF category
Log.Events.LogCategory = CEF
#set patterns for lifecycle events
Log.Events.Event.AppStarting = %X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP01|application starting|INFO|cs1=APP-STARTING externalID=0
Log.Events.Event.AppStarted = %X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP02|application started|INFO|cs1=APP-STARTED externalID=1
Log.Events.Event.AppReady = %X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP03|application ready|INFO|cs1=APP-READY externalID=2
Log.Events.Event.AppFailed = %X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP08|application failed|FATAL|msg="%X\{msg}" cs1=APP-FAILED externalID=6
Log.Events.Event.AppComplete = %X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP05|application completed|INFO|cs1=APP-COMPLETE externalID=4

In this example, only 5 lifecycle events (AppStarting, AppStarted, AppReady, AppFailed, AppComplete) will be forwarded to ArcSight. Patterns for other events are configured the same way.

3. Set configuration parameters for integration with ArcSight

Then in FIXEdge.properties file add Log4Cplus device for Log.Device property and configure log4cplus parameters as follows:

FIXEdge.properties

#---------------Configure Log System-----------------------------------------
# add Log4Cplus device for forwarding logs to the log4cplus
Log.Device = File Log4Cplus

#category "CEF" is redirected to the appender "ArcSight".
log4cplus.logger.CEF = INFO,ArcSight
log4cplus.additivity.CEF = false
#Appender for output to the ArcSight
log4cplus.appender.ArcSight=log4cplus::SocketTCPAppender
log4cplus.appender.ArcSight.port = 514
log4cplus.appender.ArcSight.host = localhost
log4cplus.appender.ArcSight.layout = log4cplus::PatternLayout
log4cplus.appender.ArcSight.layout.ConversionPattern = %m%n
log4cplus.appender.ArcSight.label = ArcSight

#Other log messages will discarded
log4cplus.rootLogger = TRACE,Null
log4cplus.appender.Null = log4cplus::NullAppender

Troubleshooting

The event is not forwarded to the log system

AppStarting event cannot be found in ArcSight after FIXEdge startup.

Error:

FIXEdge.log

[INFO] 20180815-09:11:21.058 [744632] [LogEvents] - LogEvents Loaded event AppStarting(CEF,INFO)=%X{DateTimeMSUTC}|CEF:0|EPAM|FixEdge|%E\{.AppVersion}|AP01|application starting|INFO|cs1=APP-STARTING externalID=0

Solution: Make sure that event was loaded correctly at FIXEdge startup.

FixEdge.log file must contain "Loaded event <Name of Event>( <LogCategory>,<LogLevel>)=<Event pattern>" note, e.g.:

ArcSight is unavailable

Error:

Standard output (console)

log4cplus:ERROR log4cplus::SocketTCPAppender(127.0.0.1:8999) : connect() to (127.0.0.1:8999) failed. Connection refused. (Error code = 111). Next events will be skipped.
The signal waiter has been started.

Solution:To resolve problems with the access to the ArcSight system.