[syslog-ng] ArcSight Server As Destination?

Tom Le dottom at gmail.com
Fri May 18 18:09:28 CEST 2007

Arcsight requires a specific format, but that is not say it is
incompatible with syslog forwarding.  They just need to give you the
config options that they support for a forwarded syslog message.

On 5/18/07, Ivey, Chris <Chris.ivey at acs-inc.com> wrote:
> Many thanks to those of you who responded to this question already.  I have
> decided to "raise the B.S. flag" with ArcSight on this one.  The more I talk
> to the person here who is acting as the middle-man between myself and
> ArcSight, the more I think that ArcSight has an issue on their side.  I will
> more than likely be re-posting after talking directly to ArcSight next week.
> Thanks all!
> Chris Ivey
> Affiliated Computer Services
> Enterprise Management Integration Services
> Infrastructure Management Senior Analyst
> chris.ivey at acs-inc.com
> "I have not failed, I have simply found 10,000 ways which do not work!" --
> Thomas Edison
> "When you find yourself in a hole, the best thing to do is stop digging!" --
> Nick Stokes
> "I reject your reality, and substitute my own!" -- Adam Savage
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
> Sent: Thursday, May 17, 2007 3:45 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] ArcSight Server As Destination?
> On Thu, 2007-05-17 at 08:38 -0700, Evan Rempel wrote:
> > Balazs Scheidler wrote:
> > > Syslog-ng forwards messages in the same
> > > format as it receives it, it does not prepend headers, only replaces
> > > values if it is configured to do so.
> >
> > Really? My experience is one where syslong-ng receives a syslog message
> that does NOT
> > contain a timestamp, and syslog-ng forwards it with a timestamp because
> the receiver
> > portion of syslog-ng has added a timestamp.
> I meant that syslog messages are forwarded as syslog messages. If your
> incoming messages lack a header, then those are not syslog messages.
> You can remove outgoing headers by using a custom template and not
> adding the $DATE and $HOST portions.
> You can also prevent syslog-ng to try to parse a message as syslog
> message by using the flags(no-parse) option for the source.
> --
> Bazsi
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list