[syslog-ng] ArcSight (Again)
Paul Robert Marino
prmarino1 at gmail.com
Fri Sep 21 14:41:51 CEST 2007
There is a reason they don't comply: it makes some of their older
monitoring tools work better (pre-SNMP). One thing I noticed is they seem
to put a sequence number in the header of the message. I doubt that
Cisco will fix the headers because it's simply not in their best interest
to do so.
On Fri, 14 Sep 2007 11:02 pm, Concatenate wrote:
> Actually, the Cisco messages don't conform to the RFC, that's why syslog-ng
> puts in a proper header section.
>
> You should ask them to read the RFC (which was an observational
> undertaking, seen as a pre-req for the next-gen syslog RFC work). They're
> quite wrong.
>
> ...... Original Message .......
> On Fri, 14 Sep 2007 15:49:02 -0500 "Ivey, Chris" <Chris.ivey at acs-inc.com> wrote:
>> OK folks, this has come up (again). Seems that the ArcSight parser is not
>> intelligent enough to handle messages coming from syslog-ng after being
>> forwarded along. So I need some advice on how to handle this issue. First,
>> some background...
>>
>> I added our ArcSight server as a syslog-ng target some time ago. The folks
>> who use the ArcSight stuff emailed me and said that the parser for ArcSight
>> could not handle parsing the messages coming from syslog-ng, because of the
>> prepending of the server time to the syslog-ng message. Here is an excerpt
>> from one of the emails from their support folks:
>>
>> In looking through all the information, I see that there are a lot of
>> parsing issues, all due to what look like malformed syslog messages.
>>
>> For example:
>> Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474
>> UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on
>> GigabitEthernet1/0/1 (not full duplex), with switch FastEthernet0/1 (full
>> duplex).
>>
>> This is a raw event from the export. Notice that the second
>> timestamp forward is the actual message, which is CDP, so from a Cisco
>> switch or some layer 2 device.
>>
>> The actual event from the Cisco device should look as follows,
>> which is what our parser is designed to work with:
>> Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch
>> discovered on GigabitEthernet1/0/1 (not full duplex), with switch
>> FastEthernet0/1 (full duplex).
>>
>> Another excerpt...
>>
>> I looked over the information you had uploaded already, and it is
>> actually a common issue. When syslog events are forwarded from one syslog
>> server to another syslog server, or pipe, or file, the forwarding syslog
>> server prepends timestamp and other information, which makes the message
>> unusable.
>>
>> We require syslog messages to adhere to the standard RFC syslog
>> format for the connector to read them, and when forwarding syslog messages
>> that is not the case and we are unable to support that configuration.
>>
>> So, the question is what to do about it. I apparently need to send this
>> information on to the ArcSight server without the prepended data (the "Apr
>> 25 22:54:24 x.x.x.x router/router 99228:" portion of the message from the
>> first email excerpt), but I need to keep it in place for EVERY other target
>> I am sending to. Can anyone tell me what my options are here, please?
>> Thanks a LOT in advance!!!
>>
>> (Bazsi, please feel free to chime in on this one! LOL)
>>
>> Chris Ivey
>>
>> Affiliated Computer Services
>> Enterprise Management Integration Services
>> Infrastructure Management Senior Analyst
>>
>> chris.ivey at acs-inc.com
>>
>
> _______________________________________________
> syslog-ng maillist - syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
___________________________________________
The average person does a lot of work in the name of laziness!
Save yourself the effort by doing it right the first time.
Do it with free speech software.
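The split Chris asks for (one target gets the bare Cisco message, every other target keeps the forwarded line) comes down to recognising where the original IOS message starts inside what syslog-ng emitted. The following Python is an added illustration, not code from the thread, from syslog-ng or from ArcSight; the sample lines are constructed in the shape quoted above, and the `DESTINATIONS` table and `render_for()` are hypothetical names standing in for a per-destination policy.

```python
import re

# Constructed sample in the shape quoted in the thread: syslog-ng's own header
# ("Apr 25 22:54:24 x.x.x.x router/router 99228:") prepended to the original
# Cisco IOS message text.
FORWARDED = (
    "Apr 25 22:54:24 x.x.x.x router/router 99228: Apr 25 22:54:23.474 UTC: "
    "%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/1 "
    "(not full duplex), with switch FastEthernet0/1 (full duplex)."
)

# What the support excerpt says the connector wants: the IOS message on its own.
EXPECTED_CISCO = (
    "Apr 25 22:54:23.474 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch "
    "discovered on GigabitEthernet1/0/1 (not full duplex), with switch "
    "FastEthernet0/1 (full duplex)."
)

# Constructed non-IOS line that must reach every destination untouched.
PLAIN_LINE = "Apr 25 22:54:24 x.x.x.x sshd[1234]: Accepted publickey for alice from 10.0.0.5"

# Shape of an IOS message body: optional sequence number, a timestamp with
# optional milliseconds and a timezone token, then %FACILITY-SEVERITY-MNEMONIC:.
IOS_BODY = re.compile(
    r"(?:\d+: )?"                                              # "99228: " sequence number
    r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d{3})? \S+: "  # "Apr 25 22:54:23.474 UTC: "
    r"%[A-Z0-9_]+-\d-[A-Z0-9_]+: .*$"                          # "%CDP-4-DUPLEX_MISMATCH: ..."
)


def strip_forwarder_header(line):
    """Return (body, stripped).

    If the line contains an IOS-style message, return that message without
    anything the forwarding server put in front of it, and without the IOS
    sequence number, since the connector's expected form has none. Lines
    that do not look like IOS messages come back unchanged, so a strict
    match never discards data it does not understand.
    """
    m = IOS_BODY.search(line.rstrip("\n"))
    if m is None:
        return line, False
    body = re.sub(r"^\d+: ", "", m.group(0))
    return body, True


# Hypothetical per-destination policy: only the ArcSight feed gets the
# stripped form; every other target keeps the full forwarded line.
DESTINATIONS = {
    "arcsight": {"strip_header": True},
    "archive": {"strip_header": False},
}


def render_for(destination, line):
    """Produce the text that one destination should receive."""
    if DESTINATIONS[destination]["strip_header"]:
        body, _ = strip_forwarder_header(line)
        return body
    return line


if __name__ == "__main__":
    for name in DESTINATIONS:
        print(f"{name:9s} {render_for(name, FORWARDED)}")
    print("plain     ", strip_forwarder_header(PLAIN_LINE))
```

In syslog-ng itself the same split is expressed by giving the ArcSight destination its own `template()` that writes out only the message macro, while the other destinations keep the default header format. What syslog-ng leaves in the message part of a non-RFC Cisco line depends on how it parsed that line (Paul's point about the sequence number is one example), so compare the resulting output against the form the connector expects before relying on it.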