[syslog-ng] ArcSight (Again)

Ivey, Chris Chris.ivey at acs-inc.com
Fri Sep 14 22:49:02 CEST 2007


OK folks, this has come up (again).  Seems that the ArcSight parser is not
intelligent enough to handle messages coming from syslog-ng after being
forwarded along.  So I need some advice on how to handle this issue.  First,
some background...

I added our ArcSight server as a syslog-ng target some time ago.  The folks
who use the ArcSight stuff emailed me and said that the parser for ArcSight
could not handle parsing the messages coming from syslog-ng, because of the
prepending of the server time to the syslog-ng message.  Here is an excerpt
from one of the emails from their support folks:

	In looking through all the information, I see that there are a lot of
parsing issues, all due to what look like malformed syslog messages.

	For example:
	Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474
UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on
GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full
duplex). 

	This is a raw event from the export. Notice that the second
timestamp forward is the actual message, which is CDP, so from a cisco
switch or some layer 2 device. 

	The actual event from the cisco device should look as follows,
which is what our parser is designed to work with:
	Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch
discovered on GigabitEthernet1/0/1 (not full duplex), with switch
FastEthernet0/1 (full duplex).

Another excerpt...

	I looked over the information you had uploaded already, and it is
actually a common issue. When syslog events are forwarded from one syslog
server to another syslog server, or pipe, or file, the forwarding syslog
server prepends a timestamp and other information, which makes the message
unusable.

	We require syslog messages to adhere to the standard RFC syslog
format for the connector to read them, and when forwarding syslog messages
that is not the case, and we are unable to support that configuration.

So, the question is what to do about it.  I apparently need to send this
information on to the ArcSight server without the prepended data (the "Apr
25 22:54:24 x.x.x.x router/router 99228:" portion of the message from the
first email excerpt), but I need to keep it in place for EVERY other target
I am sending to.  Can anyone tell me what my options are here, please?
Thanks a LOT in advance!!!

(Bazsi, please feel free to chime in on this one!  LOL)

Chris Ivey

Affiliated Computer Services
Enterprise Management Integration Services
Infrastructure Management Senior Analyst

chris.ivey at acs-inc.com

"I have not failed, I have simply found 10,000 ways which do not work!" --
Thomas Edison
"When you find yourself in a hole, the best thing to do is stop digging!" --
Nick Stokes
"I reject your reality, and substitute my own!" -- Adam Savage
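One option, as an added example that is not from the original post and not from the syslog-ng project: give the ArcSight destination its own template() that emits only the priority and the text after syslog-ng's own "$DATE $HOST ..." header, while every other destination keeps the default format. Host names, ports, paths and source names below are placeholders; the syntax and macro names follow syslog-ng 2.x, where $MSGONLY is the message text without the program name (syslog-ng 3.x gives $MSG that meaning).

```conf
# Added example (not the poster's or the syslog-ng project's configuration).
# syslog-ng 2.x syntax; host names, ports, paths and source names are
# placeholders.

options {
    # Do not build "relay/origin" host chains; keep the sender's own name.
    chain_hostnames(no);
    keep_hostname(yes);
};

# Everything the relay receives from the network devices (placeholder).
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Existing targets keep the default template, so syslog-ng still prepends
# its own date/host header to the forwarded text for these.
destination d_archive {
    file("/var/log/remote/$HOST/messages");
};
destination d_other_relay {
    udp("relay.example.com" port(514));
};

# ArcSight target: send only "<PRI>" plus the device's own message text,
# e.g. "<189>Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: ..." instead
# of "Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 ...".
# $MSGONLY drops the program name/pid syslog-ng parsed out (2.x macro);
# if the device's sequence number must be kept, use $MSG instead.
destination d_arcsight {
    udp("arcsight.example.com" port(514)
        template("<$PRI>$MSGONLY\n")
        template_escape(no));
};

# One log path per target; only d_arcsight gets the stripped format.
log { source(s_net); destination(d_archive); };
log { source(s_net); destination(d_other_relay); };
log { source(s_net); destination(d_arcsight); };
```

Verify the result by capturing what reaches the ArcSight connector and checking that each line starts with the priority followed immediately by the device's own timestamp, not the relay's.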
