ArcSight Ideas - TEMPORARILY CLOSED

Feature request - Smartconnector, send agent.log via syslog

Hi,

It would be nice if the SmartConnector were able to send its agent.log via syslog.

13 Comments
Respected Contributor.

Good idea!!!!

Honored Contributor.

The proverbial poorly shod shoemaker...

Not just the agent.log but the agent.out.wrapper.log too!

Absent Member.

And also logs from ESM, logger and ArcMC  

Acclaimed Contributor.

While we are reviewing the feature request you may want to look at available options to do this using contributed scripts and content .

Honored Contributor.

You can do this with the tool WeAnalyze to an extent. As agent.log is always being written to, you can only do agent.log.2 and the other rotated files. So you will always be a little behind, depending on the connector. You will just need a script to cycle the files so you don't keep sending the same files.


It's been built. We have it running here; I'm not allowed to share it, though. IMO it's not that useful. SmartConnectors generally already give a call when they have issues such as devices not logging or the connector being down.


Outstanding Contributor.

I am building my own flexconnector

Micro Focus Expert

If you are going down the flexconnector route, I have one I wrote a while back for a customer for agent.log. I just need to sanitize the data, as I had sample events in it. If you want this as a starting point, message me directly. I used a WUC connector as the sample, so I don't claim it to be complete, but it may prove to be a starting point.

Super Contributor.

To implement this properly, either the types of events that are logged to agent.log and agent.out.wrapper.log would need to be revised, or there should be a way to select which events are forwarded by syslog.

There is a lot of useful information in the agent.log file but it often reminds me of a debug log.

Outstanding Contributor.

Yes, I am filtering events based on type and criticality. Otherwise there are way too many events in agent.log. Right now one connector appliance is generating around 500 EPS, but I am only forwarding 10 EPS to ESM.
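Putting the two workarounds from this thread together (shipping only rotated agent.log.N files, with a state file so nothing is resent, and forwarding only the severities worth ESM's attention), as an added example that is not from this thread or from the SmartConnector code base. The line layout, the severity names, the `local0` facility, the file names and the sample lines are constructed assumptions; the live agent.log is deliberately skipped because it is still being written to.

```python
import hashlib, json, re, socket, tempfile
from pathlib import Path

FORWARD_LEVELS = {"FATAL", "ERROR", "WARN"}   # drop INFO/DEBUG noise before it hits the wire
# Constructed line layout "[timestamp][LEVEL][component] message"; the real agent.log may differ.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<comp>[^\]]+)\] ?(?P<msg>.*)$")
SEVERITY = {"FATAL": 2, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}  # RFC 5424 severity codes

def to_syslog(rec, host="connector01", app="arcsight-agent"):
    """RFC 5424 frame with facility local0 (16); '-' is NILVALUE for time, procid, msgid."""
    pri = 16 * 8 + SEVERITY.get(rec["level"], 6)
    return f"<{pri}>1 - {host} {app} - {rec['comp']} - [{rec['ts']}] {rec['msg']}"

def rotated_files(log_dir):
    """agent.log.N, oldest (largest N) first; the live agent.log is skipped."""
    files = [p for p in Path(log_dir).glob("agent.log.*") if p.suffix[1:].isdigit()]
    return sorted(files, key=lambda p: int(p.suffix[1:]), reverse=True)

def forward_new_files(log_dir, state_path, send):
    """Forward filtered lines from rotated files whose content hash is not yet in state_path."""
    state_path = Path(state_path)
    state = json.loads(state_path.read_text()) if state_path.exists() else {}
    sent = 0
    for path in rotated_files(log_dir):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest in state:          # same content already sent (even if renamed on rotation)
            continue
        for line in path.read_text().splitlines():
            m = LINE_RE.match(line)
            if m and m["level"] in FORWARD_LEVELS:
                send(to_syslog(m.groupdict()))
                sent += 1
        state[digest] = path.name
    state_path.write_text(json.dumps(state))
    return sent

def udp_sender(host, port=514):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg.encode(), (host, port))  # one frame per datagram

def demo():
    out = []  # constructed rotated logs; the second pass shows that nothing is resent
    with tempfile.TemporaryDirectory() as d:
        Path(d, "agent.log").write_text("[2024-05-01 10:00:00,000][ERROR][live] still being written\n")
        Path(d, "agent.log.1").write_text("[2024-05-01 09:00:00,000][INFO ][net] heartbeat ok\n"
                                          "[2024-05-01 09:00:01,000][WARN ][net] device silent for 300s\n")
        Path(d, "agent.log.2").write_text("[2024-05-01 08:00:00,000][ERROR][cache] queue full, dropping\n")
        first = forward_new_files(d, Path(d, "sent.json"), out.append)
        second = forward_new_files(d, Path(d, "sent.json"), out.append)
    return first, second, out
```

For a real deployment, pass `udp_sender("your-syslog-host")` as `send` and run `forward_new_files` from cron; the state file is what prevents the duplicate sends the comment above warns about.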

Acclaimed Contributor.

I gave some thought to this feature request and decided to shelve it. This is a hack and not a feature. Now don't get me wrong - ArcSight is a great tool for hacking, and this is exactly the way to implement this - using a flex connector as described above. I would hope that we can build a community that would collectively build such a connector.

On the other hand, you may have a specific gap that requires such analysis of ArcSight log files. Such specific issues might be very good ideas for a feature request.