<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2658.34">
<TITLE>RE: [syslog-ng] ArcSight (Again)</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Concatenate, you are a life saver. I appreciate your insight into this issue, and I will forward your thoughts on the ArcSight/RFC/Cisco Messages over to the ArcSight support folks here and ask that they get with ArcSight and see what they think. I went online and looked at docs, figured out the template deal on my local linux box, then changed their destination to come in with template("$MSG\n"). I think that will give them what they need. Thanks again for your insight on this issue!</FONT></P>
<P><FONT SIZE=2>Chris Ivey</FONT>
</P>
<P><FONT SIZE=2>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>Infrastructure Management Senior Analyst</FONT>
</P>
<P><FONT SIZE=2>chris.ivey@acs-inc.com</FONT>
</P>
<P><FONT SIZE=2>"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison</FONT>
<BR><FONT SIZE=2>"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes</FONT>
<BR><FONT SIZE=2>"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: syslog-ng-bounces@lists.balabit.hu [<A HREF="mailto:syslog-ng-bounces@lists.balabit.hu">mailto:syslog-ng-bounces@lists.balabit.hu</A>] On Behalf Of Concatenate</FONT>
<BR><FONT SIZE=2>Sent: Friday, September 14, 2007 10:58 PM</FONT>
<BR><FONT SIZE=2>To: Syslog-ng users' and developers' mailing list</FONT>
<BR><FONT SIZE=2>Subject: Re: [syslog-ng] ArcSight (Again)</FONT>
</P>
<P><FONT SIZE=2>OBTW, use a template for that destination. IIRC the $MSG macro sent over to </FONT>
<BR><FONT SIZE=2>them will be exactly what you need. Just change the destination to a file </FONT>
<BR><FONT SIZE=2>for testing and see what your template does, easy to test that way. When </FONT>
<BR><FONT SIZE=2>it's all good change it back.</FONT>
</P>
<P><FONT SIZE=2>...... Original Message .......</FONT>
<BR><FONT SIZE=2>On Fri, 14 Sep 2007 15:49:02 -0500 "Ivey, Chris" <Chris.ivey@acs-inc.com> </FONT>
<BR><FONT SIZE=2>wrote:</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>OK folks, this has come up (again). Seems that the ArcSight parser is not </FONT>
<BR><FONT SIZE=2>intelligent enough to handle messages coming from syslog-ng after being </FONT>
<BR><FONT SIZE=2>forwarded along. So I need some advice on how to handle this issue. </FONT>
<BR><FONT SIZE=2>First, some background...</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>I added our ArcSight server as a syslog-ng target some time ago. The </FONT>
<BR><FONT SIZE=2>folks who use the ArcSight stuff emailed me and said that the parser for </FONT>
<BR><FONT SIZE=2>ArcSight could not handle parsing the messages coming from syslog-ng, </FONT>
<BR><FONT SIZE=2>because of the prepending of the server time to the syslog-ng message. </FONT>
<BR><FONT SIZE=2>Here is an excerpt from one of the emails from their support folks:</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>In looking through all the information, I see that there are lot of </FONT>
<BR><FONT SIZE=2>parsing issues, all due to what look like malformed syslog messages.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>For example:</FONT>
<BR><FONT SIZE=2>>Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474 UTC: </FONT>
<BR><FONT SIZE=2>%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 </FONT>
<BR><FONT SIZE=2>(not full duplex), with switch FastEthernet0/1 (full duplex). </FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>This is a raw event from the export. Notice that the second timestamp </FONT>
<BR><FONT SIZE=2>forward is the actual message, which is CDP, so from a cisco switch or some </FONT>
<BR><FONT SIZE=2>layer 2 device. </FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>The actual event from the cisco device should look like as follows, which </FONT>
<BR><FONT SIZE=2>is what our parser is designed to work with:</FONT>
<BR><FONT SIZE=2>>Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch </FONT>
<BR><FONT SIZE=2>discovered on GigabitEthernet1/0/1 (not full duplex), with switch </FONT>
<BR><FONT SIZE=2>FastEthernet0/1 (full duplex).</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>Another excerpt...</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>I looked over the information you had uploaded already, and is actually a </FONT>
<BR><FONT SIZE=2>common issue. When syslog events are forwarded from one syslog server to </FONT>
<BR><FONT SIZE=2>another syslog server, or pipe, or file, the forwarding syslog server </FONT>
<BR><FONT SIZE=2>prepends timestamp and other information, which makes the message unusable. </FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>We require syslog message to adhere to the standard RFC syslog format for </FONT>
<BR><FONT SIZE=2>the connector to read them, and when forwarding syslog messages that is not </FONT>
<BR><FONT SIZE=2>the case and we are unable to support that configuration.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>So, the question is what to do about it. I apparently need to send this </FONT>
<BR><FONT SIZE=2>information on to the ArcSight server without the prepended data (the "Apr </FONT>
<BR><FONT SIZE=2>25 22:54:24 x.x.x.x router/router 99228:" portion of the message from the </FONT>
<BR><FONT SIZE=2>first email excerpt), but I need to keep it in place for EVERY other target </FONT>
<BR><FONT SIZE=2>I am sending to. Can anyone tell me what are my options here, please? </FONT>
<BR><FONT SIZE=2>Thanks a LOT in advance!!!</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>(Bazsi, please feel free to chime in on this one! LOL)</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>Chris Ivey</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>Affiliated Computer Services</FONT>
<BR><FONT SIZE=2>>Enterprise Management Integration Services</FONT>
<BR><FONT SIZE=2>>Infrastructure Management Senior Analyst</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>chris.ivey@acs-inc.com</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>"I have not failed, I have simply found 10,000 ways which do not work!" -- </FONT>
<BR><FONT SIZE=2>Thomas Edison</FONT>
<BR><FONT SIZE=2>>"When you find yourself in a hole, the best thing to do is stop digging!" </FONT>
<BR><FONT SIZE=2>-- Nick Stokes</FONT>
<BR><FONT SIZE=2>>"I reject your reality, and substitute my own!" -- Adam Savage</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>_______________________________________________</FONT>
<BR><FONT SIZE=2>>syslog-ng maillist - syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2>><A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>>Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>></FONT>
</P>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>syslog-ng maillist - syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=2><A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng" TARGET="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT SIZE=2>Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html" TARGET="_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P>
</BODY>
</HTML>