ArcSight User Discussions

Trouble with a Syslog Subparser for ArcMC events

CMeyer Trusted Contributor.

Hello everybody,

We are using ArcSight Management Center Ver. 2.7.1.2065.0 and recently installed a 7.7.0 Syslog Daemon for Audit Forwarding. We created some rules in the ArcMC, i.e. to trigger an event when no EPS are coming in or going out. We are also able to see this event BUT it looks awful. All the needed information is stored in the message field.

So we thought the best solution would be to create a subparser or a regex subparser override which uses a regex on the message field content.

Long story short, at the moment both are not working: our files are ignored and the Syslog connector processes the events like before.

Has one of you faced the same issue? We do not understand why there is no subparser from HP/Micro Focus for their own events. I.e. the severity we are able to select for our ArcMC rules will be overwritten.


2 REPLIES
Knowledge Partner

Re: Trouble with a Syslog Subparser for ArcMC events

Events forwarded should normally be going out as CEF, so no real parsing is needed except the default syslog (which will recognize it as CEF).

Did you configure the connector as per the admin guide? It should be on page 232, also with a note:

Note: If ArcSight Management Center has been installed by a root user, the syslog connector should also be configured under the root user.
If the installation was by a non-root user, the syslog connector should be configured under the non-root user.

I have seen several similar issues before if this has been ignored.

CMeyer Trusted Contributor.

Re: Trouble with a Syslog Subparser for ArcMC events

Hi Marius,

We saw this recommendation and tried to install it with the user arcsight, but then we were not able to choose the recommended folder.

Support told us that the subparser file was read, but in the ESM the events do not contain our test string in the custom string 1 field.

Do we need to add our subparser to the agents[0].customsubagentlist= field?

The part that frustrates us the most is that we receive events from the ArcMC Syslog agent that are parsed fine by default, i.e. CPU Usage, Number of Apache Connections or Platform Memory Usage events.

Only the ArcMC rule events are a mess, since all the information is combined in the name field.

And all events are in CEF format. So HP/MF created a feature (the rules in ArcMC) and forgot to adjust the parser.
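As an added example (not code from this thread, from Micro Focus, or from the ArcSight connector itself), the Python below parses a constructed CEF-over-syslog line of the kind the reply describes and then applies a regex to the msg extension, which is the sub-parsing step a regex subparser override performs on the message field. The rule message text, the connector name, the IP and the custom-string fields are assumptions; a real override would be written against the real event text.

```python
import re

# Constructed sample, as the syslog connector would receive it. The real ArcMC rule
# event text is not shown in the thread; connector name, IP and cs1 fields are assumed.
SAMPLE = ('<134>Jan 10 12:00:00 arcmc CEF:0|ArcSight|ArcMC|2.7.1|rule:eps|'
          'Rule fired: Inbound EPS 0 on connector syslog-01 (threshold 10)|5|'
          'msg=Rule fired: Inbound EPS 0 on connector syslog-01 (threshold 10) '
          'dvc=10.0.0.5 cs1Label=Rule cs1=NoInboundEPS')

HEADER_FIELDS = ('version', 'vendor', 'product', 'device_version',
                 'signature_id', 'name', 'severity')
# key=value pairs; a value runs until the next " key=" or end of string, "\=" escapes "="
EXT_RE = re.compile(r'(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)')
# Assumed shape of the rule message (hypothetical); adapt to the real text
RULE_RE = re.compile(r'Inbound EPS (?P<eps>\d+) on connector (?P<connector>\S+) '
                     r'\(threshold (?P<threshold>\d+)\)')

def split_cef_header(cef):
    """Split the 7 pipe-delimited header fields, honouring backslash-escaped pipes.
    Returns (header dict, extension string)."""
    body = cef[len('CEF:'):]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):      # "\|" or "\\" inside a header field
            cur.append(body[i + 1]); i += 2
        elif ch == '|':
            fields.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return dict(zip(HEADER_FIELDS, fields)), body[i:]

def parse_extension(ext):
    unescape = lambda v: v.replace('\\=', '=').replace('\\n', '\n').replace('\\\\', '\\')
    return {k: unescape(v) for k, v in EXT_RE.findall(ext)}

def subparse_rule_message(msg):
    """What a regex subparser override does: pull structured fields out of free text."""
    m = RULE_RE.search(msg)
    if not m:
        return {}
    return {'eps': int(m['eps']), 'connector': m['connector'],
            'threshold': int(m['threshold'])}

def parse_event(line):
    cef = line[line.index('CEF:'):]          # drop the syslog PRI/timestamp/host prefix
    header, ext = split_cef_header(cef)
    extension = parse_extension(ext)
    text = extension.get('msg', header.get('name', ''))
    return {'header': header, 'extension': extension,
            'derived': subparse_rule_message(text)}
```

Because the CEF header already carries its own name and severity, the default CEF parsing maps those first; the derived fields from the msg regex are what a subparser would then copy into custom fields.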
