<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] ArcSight Server As Destination?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>As I was discussing this issue with a colleague this AM, the question arose as to whether or not the restamping of messages from syslog-ng can be turned on and off for selected destinations, or if that was a global option. Anyone know?</FONT></P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison</FONT>
<BR><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
<BR><FONT SIZE=2>"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Tom Le</FONT>
<BR><FONT SIZE=2>Sent: Friday, May 18, 2007 12:09 PM</FONT>
<BR><FONT SIZE=2>To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>Subject: Re: [syslog-ng] ArcSight Server As Destination?</FONT>
</P>
<P><FONT SIZE=2>Arcsight requires a specific format, but that is not say it is</FONT>
<BR><FONT SIZE=2>incompatible with syslog forwarding. They just need to give you the</FONT>
<BR><FONT SIZE=2>config options that they support for a forwarded syslog message.</FONT>
</P>
<P><FONT SIZE=2>On 5/18/07, Ivey, Chris <Chris.ivey@acs-inc.com> wrote:</FONT>
<BR><FONT SIZE=2>> Many thanks to those of you who responded to this question already. I have</FONT>
<BR><FONT SIZE=2>> decided to "raise the B.S. flag" with ArcSight on this one. The more I talk</FONT>
<BR><FONT SIZE=2>> to the person here who is acting as the middle-man between myself and</FONT>
<BR><FONT SIZE=2>> ArcSight, the more I think that ArcSight has an issue on their side. I will</FONT>
<BR><FONT SIZE=2>> more than likely be re-posting after talking directly to ArcSight next week.</FONT>
<BR><FONT SIZE=2>> Thanks all!</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> Chris Ivey</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>> Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>> Infrastructure Management Senior Analyst</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> chris.ivey@acs-inc.com</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> "I have not failed, I have simply found 10,000 ways which do not work!" --</FONT>
<BR><FONT SIZE=2>> Thomas Edison</FONT>
<BR><FONT SIZE=2>> "When you find yourself in a hole, the best thing to do is stop digging!" --</FONT>
<BR><FONT SIZE=2>> Nick Stokes</FONT>
<BR><FONT SIZE=2>> "I reject your reality, and substitute my own!" -- Adam Savage</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: syslog-ng-bounces@lists.balabit.hu</FONT>
<BR><FONT SIZE=2>> [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Balazs Scheidler</FONT>
<BR><FONT SIZE=2>> Sent: Thursday, May 17, 2007 3:45 PM</FONT>
<BR><FONT SIZE=2>> To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>> Subject: Re: [syslog-ng] ArcSight Server As Destination?</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> On Thu, 2007-05-17 at 08:38 -0700, Evan Rempel wrote:</FONT>
<BR><FONT SIZE=2>> > Balazs Scheidler wrote:</FONT>
<BR><FONT SIZE=2>> > > Syslog-ng forwards messages in the same</FONT>
<BR><FONT SIZE=2>> > > format as it receives it, it does not prepend headers, only replaces</FONT>
<BR><FONT SIZE=2>> > > values if it is configured to do so.</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > Really? My experience is one where syslong-ng receives a syslog message</FONT>
<BR><FONT SIZE=2>> that does NOT</FONT>
<BR><FONT SIZE=2>> > contain a timestamp, and syslog-ng forwards it with a timestamp because</FONT>
<BR><FONT SIZE=2>> the receiver</FONT>
<BR><FONT SIZE=2>> > portion of syslog-ng has added a timestamp.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> I meant that syslog messages are forwarded as syslog messages. If your</FONT>
<BR><FONT SIZE=2>> incoming messages lack a header, then those are not syslog messages.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> You can remove outgoing headers by using a custom template and not</FONT>
<BR><FONT SIZE=2>> adding the $DATE and $HOST portions.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> You can also prevent syslog-ng to try to parse a message as syslog</FONT>
<BR><FONT SIZE=2>> message by using the flags(no-parse) option for the source.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> --</FONT>
<BR><FONT SIZE=2>> Bazsi</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> _______________________________________________</FONT>
<BR><FONT SIZE=2>> syslog-ng maillist - syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2>> <A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>> Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>syslog-ng maillist - syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2><A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P>
</BODY>
</HTML>