[syslog-ng] ArcSight Server As Destination?

Balazs Scheidler bazsi at balabit.hu
Thu May 17 12:09:18 CEST 2007

On Wed, 2007-05-16 at 07:10 -0500, Ivey, Chris wrote:
> Folks, 
>         Does anyone have any experience with using syslog-ng to
> forward messages along to an ArcSight server?  I set it up for a
> support group here, but apparently they are having issues.  Per
> ArcSight support:
> <quote> 
>         "I looked over the information you had uploaded already, and
>         it is actually a common issue. When syslog events are forwarded
>         from one syslog server to another syslog server, or pipe, or
>         file, the forwarding syslog server prepends timestamp and
>         other information, which makes the message unusable. 
>         We require syslog message to adhere to the standard RFC syslog
>         format for the connector to read them, and when forwarding
>         syslog messages that is not the case and we are unable to
>         support that configuration."
> </quote>
> Does anyone have any insight they can share with me for this issue?
> The group is now asking that I install their agent on my server, which
> I am VERY loath to do since the box is about at its limit as it is.
> Thanks all!

I don't really see what ArcSight does, maybe we could help you a bit
more if you gave more details. Syslog-ng forwards messages in the same
format as it receives it, it does not prepend headers, only replaces
values if it is configured to do so.

Are you talking about syslog messages?
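One way to settle the question is to capture a few lines of what the relay actually emits (a file destination on the forwarding syslog-ng is enough) and test them against the RFC 3164 header shape the connector expects. The Python below is an added example, not code from this thread or from syslog-ng; the sample lines are constructed, and the slash-chained hostname is what syslog-ng writes when chain_hostnames() is enabled.

```python
import re
from typing import List, Tuple

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
TIMESTAMP = rf"{MONTH} (?:[ 1-3]\d) \d{{2}}:\d{{2}}:\d{{2}}"

# BSD syslog (RFC 3164) line as a downstream connector expects it:
#   <PRI>TIMESTAMP HOSTNAME TAG: MSG
HEADER = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<ts>{TIMESTAMP}) (?P<host>\S+) (?P<body>.*)$"
)
# A body that itself opens with "TIMESTAMP HOSTNAME " means a relay
# prepended a second header instead of passing the message through.
BODY_STARTS_WITH_HEADER = re.compile(rf"^{TIMESTAMP} \S+ ")


def check_rfc3164(line: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok only for a clean single-header message."""
    line = line.rstrip("\r\n")
    m = HEADER.match(line)
    if not m:
        if not line.startswith("<"):
            return False, "missing <PRI> header"
        return False, "header does not match RFC 3164 TIMESTAMP HOSTNAME"
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        return False, f"PRI {pri} out of range 0..191"
    host = m.group("host")
    if "/" in host:
        # syslog-ng chain_hostnames(yes) writes a slash-joined host chain here
        return False, f"chained hostname {host!r}"
    if BODY_STARTS_WITH_HEADER.match(m.group("body")):
        return False, "second timestamp+hostname inside message body"
    return True, "ok"


# Constructed samples: clean, chained hostname, double header, no PRI.
SAMPLES: List[str] = [
    "<34>May 16 07:10:00 web01 sshd[1234]: Accepted publickey for chris",
    "<34>May 16 07:10:00 relay01/web01 sshd[1234]: Accepted publickey for chris",
    "<34>May 16 07:10:00 relay01 May 16 07:09:58 web01 sshd[1234]: Accepted publickey",
    "May 16 07:10:00 web01 sshd[1234]: Accepted publickey for chris",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, reason = check_rfc3164(s)
        print(f"{'OK  ' if ok else 'FAIL'} {reason}: {s}")
```

Run it against real captured lines instead of SAMPLES; any FAIL tells you which part of the header the connector will trip over.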


