RE: [syslog-ng] ArcSight Server As Destination?
Many thanks to those of you who responded to this question already. I have decided to "raise the B.S. flag" with ArcSight on this one. The more I talk to the person here who is acting as the middle-man between myself and ArcSight, the more I think that ArcSight has an issue on their side. I will more than likely be re-posting after talking directly to ArcSight next week. Thanks all!
Chris Ivey
Affiliated Computer Services Enterprise Management Integration Services Infrastructure Management Senior Analyst
chris.ivey@acs-inc.com
"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison "When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes "I reject your reality, and substitute my own!" -- Adam Savage
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, May 17, 2007 3:45 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] ArcSight Server As Destination?
On Thu, 2007-05-17 at 08:38 -0700, Evan Rempel wrote:
Balazs Scheidler wrote:
Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so.
Really? My experience is one where syslog-ng receives a syslog message that does NOT contain a timestamp, and syslog-ng forwards it with a timestamp because the receiver portion of syslog-ng has added a timestamp.
I meant that syslog messages are forwarded as syslog messages. If your incoming messages lack a header, then those are not syslog messages.
You can remove outgoing headers by using a custom template and not adding the $DATE and $HOST portions.
You can also prevent syslog-ng from trying to parse a message as a syslog message by using the flags(no-parse) option for the source.
-- Bazsi
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
ArcSight requires a specific format, but that is not to say it is incompatible with syslog forwarding. They just need to give you the config options that they support for a forwarded syslog message.
On 5/18/07, Ivey, Chris <Chris.ivey@acs-inc.com> wrote:
Many thanks to those of you who responded to this question already. I have decided to "raise the B.S. flag" with ArcSight on this one. The more I talk to the person here who is acting as the middle-man between myself and ArcSight, the more I think that ArcSight has an issue on their side. I will more than likely be re-posting after talking directly to ArcSight next week. Thanks all!
Chris Ivey
Affiliated Computer Services Enterprise Management Integration Services Infrastructure Management Senior Analyst
chris.ivey@acs-inc.com
"I have not failed, I have simply found 10,000 ways which do not work!" -- Thomas Edison "When you find yourself in a hole, the best thing to do is stop digging!" -- Nick Stokes "I reject your reality, and substitute my own!" -- Adam Savage
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, May 17, 2007 3:45 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] ArcSight Server As Destination?
On Thu, 2007-05-17 at 08:38 -0700, Evan Rempel wrote:
Balazs Scheidler wrote:
Syslog-ng forwards messages in the same format as it receives them; it does not prepend headers, it only replaces values if it is configured to do so.
Really? My experience is one where syslog-ng receives a syslog message that does NOT contain a timestamp, and syslog-ng forwards it with a timestamp because the receiver portion of syslog-ng has added a timestamp.
I meant that syslog messages are forwarded as syslog messages. If your incoming messages lack a header, then those are not syslog messages.
You can remove outgoing headers by using a custom template and not adding the $DATE and $HOST portions.
You can also prevent syslog-ng from trying to parse a message as a syslog message by using the flags(no-parse) option for the source.
-- Bazsi
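The two options Bazsi describes (a destination template without $DATE and $HOST, and flags(no-parse) on the source), written out as a syslog-ng configuration. This is an added example, not a config from the thread or from the syslog-ng project; the ArcSight host name, listening ports and the exact default template text are assumptions.

```conf
# Added example: forward to ArcSight without syslog-ng adding its own header.
# "arcsight.example.com" and the port numbers are placeholders (assumptions).

# Option 1: let syslog-ng parse the message, but send only the message part.
# The default output template is roughly "$DATE $HOST <message>\n"; leaving
# $DATE and $HOST out of a custom template forwards the payload as received.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_arcsight {
    tcp("arcsight.example.com" port(514)
        # Newer syslog-ng versions split the "program[pid]: " prefix into
        # $MSGHDR; use template("$MSGHDR$MSG\n") there to keep it.
        template("$MSG\n")
        # Do not escape quotes/backslashes; ArcSight wants the raw text.
        template_escape(no));
};

log { source(s_net); destination(d_arcsight); };

# Option 2: tell syslog-ng not to parse incoming lines as syslog at all.
# The whole line is kept in $MSG, so the same template forwards it verbatim.
# Note that $DATE/$HOST are then syslog-ng's own receive time and peer, so any
# correlation on those fields must use the sender's timestamp inside the line.
source s_raw {
    udp(ip(0.0.0.0) port(1514) flags(no-parse));
};

log { source(s_raw); destination(d_arcsight); };
```

A quick check is to point a test sender at each port and capture what arrives at the ArcSight side (tcpdump or a throwaway tcp listener); with the default template you will see the date and host prepended, with the custom template you will not.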
participants (2)
- Ivey, Chris
- Tom Le