OK folks, this has come up (again). Seems that the ArcSight parser is not intelligent enough to handle messages coming from syslog-ng after being forwarded along. So I need some advice on how to handle this issue. First, some background...
I added our ArcSight server as a syslog-ng target some time ago. The folks who use the ArcSight stuff emailed me and said that the parser for ArcSight could not handle parsing the messages coming from syslog-ng, because of the prepending of the server time to the syslog-ng message. Here is an excerpt from one of the emails from their support folks:
In looking through all the information, I see that there are lot of parsing issues, all due to what look like malformed syslog messages.
For example:
Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full duplex).
This is a raw event from the export. Notice that the second timestamp forward is the actual message, which is CDP, so from a cisco switch or some layer 2 device.
The actual event from the cisco device should look like as follows, which is what our parser is designed to work with:
Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full duplex).
Another excerpt...
I looked over the information you had uploaded already, and is actually a common issue. When syslog events are forwarded from one syslog server to another syslog server, or pipe, or file, the forwarding syslog server prepends timestamp and other information, which makes the message unusable.
We require syslog message to adhere to the standard RFC syslog format for the connector to read them, and when forwarding syslog messages that is not the case and we are unable to support that configuration.
So, the question is what to do about it. I apparently need to send this information on to the ArcSight server without the prepended data (the "Apr 25 22:54:24 x.x.x.x router/router 99228:" portion of the message from the first email excerpt), but I need to keep it in place for EVERY other target I am sending to. Can anyone tell me what are my options here, please? Thanks a LOT in advance!!!
(Bazsi, please feel free to chime in on this one! LOL)
Chris Ivey
Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst
chris.ivey@acs-inc.com
"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison
"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes
"I reject your reality, and substitute my own!" -- Adam Savage