<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>ArcSight Server As Destination?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">Folks,</FONT>
<BR> <FONT SIZE=2 FACE="Arial">Does anyone have any experience with using syslog-ng to forward messages along to an ArcSight server? I set it up for a support group here, but apparently they are having issues. Per ArcSight support:</FONT></P>
<P><FONT SIZE=2 FACE="Arial"><quote></FONT>
<UL>
<P><FONT SIZE=2 FACE="Arial">"I looked over the information you had uploaded already, and it is actually a common issue. When syslog events are forwarded from one syslog server to another syslog server, or pipe, or file, the forwarding syslog server prepends timestamp and other information, which makes the message unusable. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">We require syslog messages to adhere to the standard RFC syslog format for the connector to read them, and when forwarding syslog messages that is not the case and we are unable to support that configuration."</FONT></P>
</UL>
<P><FONT SIZE=2 FACE="Arial"></quote></FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Does anyone have any insight they can share with me for this issue? The group is now asking that I install their agent on my server, which I am VERY loath to do since the box is about at its limit as it is. Thanks all!</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Chris Ivey</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Affiliated Computer Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison</FONT>
<BR><FONT SIZE=2 FACE="Arial">"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
<BR><FONT SIZE=2 FACE="Arial">"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
</P>
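<P><FONT SIZE=2 FACE="Arial">The failure ArcSight support describes above, as an added example that is not part of the original message: a Python check that tests a received line against the RFC 3164 (BSD syslog) header layout and flags a missing PRI or a second header left in place by a relay. It assumes that "standard RFC syslog format" means RFC 3164; the function name and the sample lines are constructed for illustration.</FONT></P>
<PRE>
```python
import re

# RFC 3164 header: PRI in angle brackets, "Mmm dd hh:mm:ss" timestamp, hostname.
# Assumption: this is the "standard RFC syslog format" the connector expects.
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
TS = r"(?:%s) [ \d]\d \d\d:\d\d:\d\d" % MONTHS
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(r"^(%s) (\S+) (.*)$" % TS, re.S)

# Constructed sample lines (not taken from the thread).
SAMPLES = [
    "<38>Oct 11 22:14:15 fw01 sshd[411]: Failed password for root",
    "<13>Oct 11 22:14:20 relay01 Oct 11 22:14:15 fw01 sshd[411]: Failed password",
    "<13>Oct 11 22:14:20 relay01 <38>Oct 11 22:14:15 fw01 sshd[411]: Failed password",
    "Oct 11 22:14:15 fw01 sshd[411]: Failed password for root",
]


def classify(line):
    """Return (verdict, detail) for one received syslog line."""
    line = line.rstrip("\r\n")
    m = PRI_RE.match(line)
    if not m:
        # File or pipe output usually drops PRI; a header may still be there.
        if HEADER_RE.match(line):
            return ("no-pri", "timestamp and host present but PRI missing")
        return ("no-header", "neither PRI nor timestamp found")
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23 times 8, plus severity 0-7
        return ("bad-pri", "PRI %d out of range" % pri)
    h = HEADER_RE.match(line[m.end():])
    if not h:
        return ("no-timestamp", "PRI present, header missing or not BSD format")
    _ts, host, msg = h.groups()
    # A relay that prepends its own header leaves the original header,
    # sometimes with its PRI, at the start of the message part.
    inner = PRI_RE.sub("", msg, count=1)
    if HEADER_RE.match(inner):
        return ("double-header", "header from %s wraps an inner header" % host)
    return ("ok", "facility=%d severity=%d host=%s" % (pri // 8, pri % 8, host))


if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-14s %s" % (classify(sample)[0], sample))
```
</PRE>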
</BODY>
</HTML>