ArcSight Server As Destination?
Folks,

Does anyone have any experience with using syslog-ng to forward messages along to an ArcSight server? I set it up for a support group here, but apparently they are having issues. Per ArcSight support:

<quote>
"I looked over the information you had uploaded already, and it is actually a common issue. When syslog events are forwarded from one syslog server to another syslog server, or pipe, or file, the forwarding syslog server prepends a timestamp and other information, which makes the message unusable. We require syslog messages to adhere to the standard RFC syslog format for the connector to read them, and when forwarding syslog messages that is not the case, and we are unable to support that configuration."
</quote>

Does anyone have any insight they can share with me for this issue? The group is now asking that I install their agent on my server, which I am VERY loath to do since the box is about at its limit as it is.

Thanks all!

Chris Ivey
Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management
Senior Analyst
chris.ivey@acs-inc.com

"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison
"When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes
"I reject your reality, and substitute my own!" -- Adam Savage
On Wed, 2007-05-16 at 07:10 -0500, Ivey, Chris wrote:
Folks, Does anyone have any experience with using syslog-ng to forward messages along to an ArcSight server? I set it up for a support group here, but apparently they are having issues. Per ArcSight support:
<quote>
"I looked over the information you had uploaded already, and it is actually a common issue. When syslog events are forwarded from one syslog server to another syslog server, or pipe, or file, the forwarding syslog server prepends a timestamp and other information, which makes the message unusable.
We require syslog messages to adhere to the standard RFC syslog format for the connector to read them, and when forwarding syslog messages that is not the case, and we are unable to support that configuration."
</quote>
Does anyone have any insight they can share with me for this issue? The group is now asking that I install their agent on my server, which I am VERY loath to do since the box is about at its limit as it is. Thanks all!
I don't really see what ArcSight does; maybe we could help you a bit more if you gave more details. Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so. Are you talking about syslog messages?

-- Bazsi
Balazs Scheidler wrote:
Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so.

Really? My experience is one where syslog-ng receives a syslog message that does NOT contain a timestamp, and syslog-ng forwards it with a timestamp because the receiver portion of syslog-ng has added a timestamp. Am I remembering this incorrectly, or confusing this with some custom template?

-- Evan Rempel
erempel@uvic.ca
Senior Programmer Analyst
250.721.7691
Computing Services, University of Victoria
On 5/17/07, Evan Rempel <erempel@uvic.ca> wrote:
Balazs Scheidler wrote:
Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so.

Really? My experience is one where syslog-ng receives a syslog message that does NOT contain a timestamp, and syslog-ng forwards it with a timestamp because the receiver portion of syslog-ng has added a timestamp.
Am I remembering this incorrectly, or confusing this with some custom template?

I think that behavior is defined in the syslog-ng options:

options { use_time_recvd (yes); };
On Thu, 2007-05-17 at 08:38 -0700, Evan Rempel wrote:
Balazs Scheidler wrote:
Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so.

Really? My experience is one where syslog-ng receives a syslog message that does NOT contain a timestamp, and syslog-ng forwards it with a timestamp because the receiver portion of syslog-ng has added a timestamp.

I meant that syslog messages are forwarded as syslog messages. If your incoming messages lack a header, then those are not syslog messages. You can remove outgoing headers by using a custom template and not adding the $DATE and $HOST portions. You can also prevent syslog-ng from trying to parse a message as a syslog message by using the flags(no-parse) option for the source.

-- Bazsi
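To make the two suggestions in this thread concrete (the use_time_recvd option mentioned above and Bazsi's custom template / flags(no-parse) advice), here is an added example configuration written for this thread; it is not from any of the posters and not from the syslog-ng project's documentation. It uses syslog-ng 2.x-era syntax; the source and destination names, the collector hostname siem-collector.example.internal, and the ports are placeholders. The $MSGHDR macro (the program-name part of the header) is assumed to be available in the syslog-ng version in use.

```conf
# Added example (not from the thread): two ways to relay to a SIEM
# collector with syslog-ng 2.x-era syntax. Hostnames, ports and the
# source/destination names are placeholders.
options {
    # Keep the timestamp and hostname carried in the original message
    # instead of substituting the relay's reception time and the
    # sender's address. use_time_recvd(no) is the default; yes would
    # stamp every relayed message with the relay's clock.
    use_time_recvd(no);
    keep_hostname(yes);
    # Do not build "relay/origin" hostname chains in the output.
    chain_hostnames(no);
};

# (a) Raw pass-through: treat every incoming line as opaque text.
# With flags(no-parse) syslog-ng puts the whole line into $MSG, so a
# template of just "$MSG\n" reproduces the original line unchanged,
# header and all. Nothing is added, so nothing can be doubled.
source s_raw {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};
destination d_siem_raw {
    tcp("siem-collector.example.internal" port(1514) template("$MSG\n"));
};
log { source(s_raw); destination(d_siem_raw); };

# (b) Normal relay: parse the incoming message and re-emit exactly one
# BSD-syslog header (<PRI>TIMESTAMP HOST TAG: MSG). The template names
# $DATE and $HOST once; with keep_hostname(yes) above, $HOST is the
# originating host, not the relay. Dropping $DATE and $HOST from this
# template is what removes the header entirely.
source s_syslog {
    udp(ip(0.0.0.0) port(5514));
};
destination d_siem_std {
    tcp("siem-collector.example.internal" port(1514)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};
log { source(s_syslog); destination(d_siem_std); };
```

Variant (a) is the one to use when the devices already send well-formed messages and the SIEM complains about extra fields: the relay becomes byte-transparent, and whatever the collector then rejects was already malformed at the origin. Variant (b) is the one to use when the sources are inconsistent and you want the relay to normalize them, at the cost of the relay rewriting the header. Either way, capture a few relayed lines on the collector side and compare them with what the device sent before blaming the connector.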
participants (4): Balazs Scheidler; Evan Rempel; Ivey, Chris; Jason Qualkenbush