Syslog Connector question - Two part question

This is a two part question:

Part 1 -

I need to send syslog output from Splunk's syslog version, 3164 (BSD syslog), to the ArcSight syslog connector, so I need to find out which RFC syslog format the ArcSight syslog connector is using and whether there will be any compatibility issues with that.

If the ArcSight connector uses the 5424 syslog format, does it accept the 3164 BSD syslog format from another device? Is there backwards compatibility or not? Thanks.

-----------------------------------------------------------

Part 2 -

If this is a viable solution, then I would like to know what would be the correct choice in this case:

What is better for the ArcSight syslog connector in this scenario, syslog pipe or a syslog file?

Does it matter which one you use? Any help would be really appreciated. Thanks
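Whatever the connector's parser expects, the first practical step is to look at what Splunk actually puts on the wire, because an RFC 3164 header and an RFC 5424 header are distinguishable from the first few bytes: 3164 follows the `<PRI>` with a "Mmm dd hh:mm:ss" timestamp, 5424 follows it with a version digit and a space. The block below is an added example, not code from this thread, from ArcSight or from Splunk: a small Python classifier that tells the two header styles apart and pulls out facility, severity, host and message. The sample lines are constructed for the example (two are modelled on the example messages in the two RFCs), and the function names are the example's own.

```python
"""Classify syslog lines as RFC 3164 (BSD) or RFC 5424 and extract the
fields a collector keys on. Added illustration; not ArcSight or Splunk code."""
import re
from typing import Dict, List

# Constructed sample input (not captured from a real Splunk or ArcSight host).
SAMPLE_LINES: List[str] = [
    # RFC 3164 (BSD) style, as Splunk's "bsd" syslog output produces
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    # RFC 3164 with a space-padded day of month
    "<13>Oct  1 09:00:01 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5",
    # RFC 5424, no structured data ("-")
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - BOM'su root' failed",
    # RFC 5424 with one structured-data element
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application"] An application event',
    # Not syslog at all (no <PRI>), e.g. a stray line from a misconfigured sender
    "no priority here",
]

PRI = r"<(?P<pri>\d{1,3})>"

# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG; TIMESTAMP is "Mmm dd hh:mm:ss", day space-padded.
RFC3164_RE = re.compile(
    PRI + r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# STRUCTURED-DATA is "-" or one or more "[...]" elements. Escaped "]" inside a
# param value is not handled here (kept simple for the example).
RFC5424_RE = re.compile(
    PRI + r"(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.S,
)


def parse_syslog(line: str) -> Dict[str, object]:
    """Return a dict with 'format' in {'rfc5424', 'rfc3164', 'unknown'} plus the
    header fields that matched. Facility/severity are decoded from PRI."""
    # Try 5424 first: its header starts with a version digit right after <PRI>,
    # which a 3164 timestamp ("Oct ...") never does.
    m = RFC5424_RE.match(line)
    fmt = "rfc5424"
    if m is None:
        m = RFC3164_RE.match(line)
        fmt = "rfc3164"
    if m is None:
        return {"format": "unknown", "raw": line}

    pri = int(m.group("pri"))
    if pri > 191:  # PRI is facility*8+severity with facility 0..23
        return {"format": "unknown", "raw": line}

    fields: Dict[str, object] = m.groupdict()
    fields.update({"format": fmt, "facility": pri >> 3, "severity": pri & 7})
    return fields


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per detected format; useful for a quick look at a capture."""
    counts: Dict[str, int] = {}
    for line in lines:
        fmt = str(parse_syslog(line)["format"])
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog(sample))
    print(summarize(SAMPLE_LINES))
```

Run it against a few hundred lines captured from the real Splunk output (for example from a tcpdump of the syslog port) and the summary shows which header style the connector will actually receive. The detection only relies on the header shape, so it does not tell you whether a given ArcSight parser will accept the line; it tells you which format to test against.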

Parents
  • Well, now you're talking custom connectors, which is pretty situation independent. I actually am not sure what kind of events you're sending, so I couldn't just post a snippet of what we have.

    For some connectors, we do use the regex connector, but each of the feeds may have their own sdk file. Most of the time, when we are getting the feed from Splunk, it requires us to customize it.

    I realize that isn't a lot of help, but without knowing what your messages look like, I can't add much.
