<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>ArcSight (Again)</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">OK folks, this has come up (again). Seems that the ArcSight parser is not intelligent enough to handle messages coming from syslog-ng after being forwarded along. So I need some advice on how to handle this issue. First, some background...</FONT></P>
<P><FONT SIZE=2 FACE="Arial">I added our ArcSight server as a syslog-ng target some time ago. The folks who use the ArcSight stuff emailed me and said that the parser for ArcSight could not handle parsing the messages coming from syslog-ng, because of the prepending of the server time to the syslog-ng message. Here is an excerpt from one of the emails from their support folks:</FONT></P>
<UL>
<P><FONT SIZE=2 FACE="Arial">In looking through all the information, I see that there are lot of parsing issues, all due to what look like malformed syslog messages.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">For example:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full duplex). </FONT></P>
<P><FONT SIZE=2 FACE="Arial">This is a raw event from the export. Notice that the second timestamp forward is the actual message, which is CDP, so from a cisco switch or some layer 2 device. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">The actual event from the cisco device should look like as follows, which is what our parser is designed to work with:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full duplex).</FONT></P>
</UL>
<P><FONT SIZE=2 FACE="Arial">Another excerpt...</FONT>
</P>
<UL>
<P><FONT SIZE=2 FACE="Arial">I looked over the information you had uploaded already, and is actually a common issue. When syslog events are forwarded from one syslog server to another syslog server, or pipe, or file, the forwarding syslog server prepends timestamp and other information, which makes the message unusable. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">We require syslog message to adhere to the standard RFC syslog format for the connector to read them, and when forwarding syslog messages that is not the case and we are unable to support that configuration.</FONT></P>
</UL>
<P><FONT SIZE=2 FACE="Arial">So, the question is what to do about it. I apparently need to send this information on to the ArcSight server without the prepended data (the "Apr 25 22:54:24 x.x.x.x router/router 99228:" portion of the message from the first email excerpt), but I need to keep it in place for EVERY other target I am sending to. Can anyone tell me what are my options here, please? Thanks a LOT in advance!!!</FONT></P>
<P><FONT SIZE=2 FACE="Arial">(Bazsi, please feel free to chime in on this one! LOL)</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Chris Ivey</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Affiliated Computer Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2 FACE="Arial">Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison</FONT>
<BR><FONT SIZE=2 FACE="Arial">"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
<BR><FONT SIZE=2 FACE="Arial">"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
</P>
</BODY>
</HTML>