ArcSight Discussions

Trouble with a Syslog Subparser for ArcMC events

Posted by CMeyer (Trusted Contributor)

Hello everybody,

We are using ArcSight Management Center Ver. 2.7.1.2065.0 and recently installed a 7.7.0 Syslog Daemon for Audit Forwarding. We created some rules in the ArcMC, e.g. to trigger an event when no EPS are coming in or going out. We are also able to see this event BUT it looks awful. All the needed information is stored in the message field.

So we thought the best solution would be to create a subparser or a regex subparser override that uses a regex on the message field content.

Long story short, at the moment neither is working: our files are ignored and the syslog connector processes the events as before.

Has any of you faced the same issue? We do not understand why there is no subparser from HP/Micro Focus for their own events. For example, the severity we are able to select for our ArcMC rules is overwritten.

 

1 REPLY
Reply by Marius (Honored Contributor)

Re: Trouble with a Syslog Subparser for ArcMC events

Events forwarded should normally be going out as CEF, so no real parsing is needed except the default syslog (which will recognize it as CEF).

Did you configure the connector as per the admin guide? It should be on page 232, also with a note:

Note: If ArcSight Management Center has been installed by a root user, the syslog connector should also be configured under the root user. If the installation was by a non-root user, the syslog connector should be configured under the non-root user.

I have seen several similar issues before if this has been ignored.
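To make the reply concrete, here is what the default syslog parser has to do with a forwarded ArcMC event once it really arrives as CEF: split the seven pipe-delimited header fields (honouring the `\|` and `\\` escapes), then split the extension into key=value pairs (honouring `\=`, `\\`, `\n` and `\r`). If that succeeds, name, severity and every extension field land in their own columns and no subparser or regex override is needed; if the line carries no `CEF:` marker at all, everything stays in the message field, which is the symptom described in the question. This is an added example, not code from the thread or from Micro Focus/ArcSight. The sample syslog line, the host name, the rule name and the extension values are constructed; the version string is the one quoted in the question. The Low/Medium/High/Very-High bucketing of the CEF 0-10 severity follows the published CEF severity ranges.

```python
"""Parse a syslog-delivered CEF event the way the default ArcSight syslog
parser does, so that no subparser is needed once ArcMC forwards real CEF.

Added example; not code from the thread or from Micro Focus/ArcSight.
"""
import re
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a run of word characters at the start of the extension
# or after whitespace, immediately followed by '='.  An escaped '\=' inside a
# value never matches, so values may contain '='.
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

# Constructed sample: an ArcMC-style rule event in a BSD syslog wrapper.
# Host, rule name, timestamps and field values are made up for illustration.
SAMPLE = (
    "<134>May 24 10:15:30 arcmc01 "
    "CEF:0|ArcSight|ArcSight Management Center|2.7.1.2065.0|rule:eps-zero|"
    "Inbound\\|Outbound EPS dropped to zero|7|"
    "rt=1527156930000 src=10.0.0.5 cs1Label=Rule cs1=EPS In \\= 0 "
    "msg=No events received for 5 minutes\\nContainer\\=c1"
)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven '|'-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])   # escaped pipe or backslash: literal
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    return fields, body[i:]          # remainder is the extension


def _unescape_value(raw: str) -> str:
    """Extension values escape '=' and '\\' with a backslash; \\n and \\r are line breaks."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  raw)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its '=' up to the whitespace before the next key."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end])
    return out


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Return header fields plus an 'extension' dict, or None if the line is not CEF."""
    pos = line.find("CEF:")
    if pos < 0:
        return None   # not CEF: the whole payload would stay in the message field
    header, ext = _split_header(line[pos:])
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["cef_version"] = header[0][len("CEF:"):]   # strip the 'CEF:' prefix
    event["extension"] = _parse_extension(ext)
    return event


def agent_severity(cef_severity: str) -> str:
    """Bucket the CEF 0-10 severity into Low / Medium / High / Very-High."""
    n = int(cef_severity)
    if not 0 <= n <= 10:
        raise ValueError("CEF severity must be in 0..10")
    if n <= 3:
        return "Low"
    if n <= 6:
        return "Medium"
    if n <= 8:
        return "High"
    return "Very-High"


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["name"], "->", agent_severity(ev["severity"]))
    for key, value in ev["extension"].items():
        print(f"  {key} = {value!r}")
```

If a forwarded ArcMC event does not parse this way, the line reaching the connector is not CEF in the first place, which is the case to check (with the connector running as the same user that installed ArcMC, per the note above) before writing any subparser.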
