
Data Enrichment - how do I know if it's working?

Hi all,

I could use some clarification on data enrichment.  Our ESM is configured with a rule to enrich the lookup field "Source User" with the enrichment field "Contact_Name" on our receiver.  I've tested the LDAP query and it is working.

We have an appliance that employees log into using their user IDs (sAMAccountName).  The appliance sends a syslog to the ESM which obviously only has that identifier in Source User.  My assumption is that the data enrichment rule should be adding the displayName attribute to the Contact_Name field in the event created by the syslog.

Since I'm not seeing the Contact_Name field in any of these events, can someone please confirm that my understanding of this function is correct?  And is there somewhere that would show me if data enrichment was not working properly?

Any help is greatly appreciated.

Thanks in advance,

- Steve

 

 

 

1 Solution

Accepted Solutions
mherr
Message 2 of 6

Re: Data Enrichment - how do I know if it's working?

On the destination tab, you have the data source you want to enrich added?

Did you write out the data enrichment settings?

Also, I believe data enrichment may be case sensitive.  So if your enrichment source is all lowercase and the user logs in all CAPS, it may not enrich it.   

Re: Data Enrichment - how do I know if it's working?

Hi mherr,

Thanks for the response! 

I'm confused about your first question, and this may be where my knowledge gap is.  On the Destination tab, I have "Local ESM" and "Local Receiver-ELM" (it's a combo box).  Is that not right?  For instance, if I am trying to enrich the events from our proxy server, should I have the proxy server listed?

I did write out the changes.  And thank you for the information about the case sensitivity. 

Best,

- Steve

 

mherr
Message 4 of 6

Re: Data Enrichment - how do I know if it's working?

The Destination Tab of the Data Enrichment Wizard contains the data source(s) you want to enrich.  If you want to enrich your Proxy Server events with AD Display Name, you will select the Proxy Server for Device and then the lookup field is the Source User and the Enrichment Field would be Contact Name or something like that.  I recommend being as precise as possible for the Device vs. the entire ESM or ERC.

Re: Data Enrichment - how do I know if it's working?

Thanks again.  I will configure it that way.  I'm not sure there's a way around the problem involving case-sensitivity. 

 

Re: Data Enrichment - how do I know if it's working?

Hi again,

Also, it does appear that case-sensitivity is part of my problem.  Our UNIDs are entered into Active Directory with capital letters.  Naturally, most of our users log in with Caps Lock off (because otherwise you're going to mess up your password, right?)

In the rare cases where the case of the logon exactly matches the SAM Account Name (mostly service account logins) I'm seeing enriched data.

Anyone have a good idea of how to work around this?

Thanks,

- Steve
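
An offline check for the case mismatch discussed in this thread, added here as an example (it is not from any poster and is not part of the ESM product): it compares exported sAMAccountName/displayName pairs against Source User values seen in events and reports which would match exactly, only when case is ignored, or not at all. The sample rows, the function names and the assumption that the lookup is an exact string comparison are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: (sAMAccountName, displayName) as exported from AD,
# and Source User values as they appear in received events.
SAMPLE_ROWS = [("JSMITH", "John Smith"), ("ADOE", "Alice Doe"),
               ("svc_backup", "Backup Service")]
SAMPLE_EVENTS = ["jsmith", "svc_backup", "adoe", "ADOE", "guest"]


def build_index(enrichment_rows):
    """Index the enrichment source by exact key and by case-folded key."""
    exact = dict(enrichment_rows)
    folded = {}
    for key, value in enrichment_rows:
        folded.setdefault(key.casefold(), []).append((key, value))
    return exact, folded


def classify(source_user, exact, folded):
    """Return (status, displayName) for one Source User value.

    exact     - a case-sensitive lookup would enrich this event
    case_only - the account exists, but only a case-insensitive match finds it
    ambiguous - several keys differ only by case, so no safe match exists
    missing   - no such account in the enrichment source at all
    """
    if source_user in exact:
        return "exact", exact[source_user]
    candidates = folded.get(source_user.casefold(), [])
    if len(candidates) == 1:
        return "case_only", candidates[0][1]
    if len(candidates) > 1:
        return "ambiguous", None
    return "missing", None


def audit(enrichment_rows, observed_users):
    """Classify every observed Source User and count each outcome."""
    exact, folded = build_index(enrichment_rows)
    counts, detail = Counter(), {}
    for user in observed_users:
        status, name = classify(user, exact, folded)
        counts[status] += 1
        detail[user] = (status, name)
    return counts, detail


if __name__ == "__main__":
    counts, detail = audit(SAMPLE_ROWS, SAMPLE_EVENTS)
    for user, (status, name) in detail.items():
        print(f"{user:12} {status:10} {name or '-'}")
    print(dict(counts))
```

A high `case_only` count relative to `exact` means the rule is configured correctly and the misses come from case differences rather than from the destination or LDAP settings.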