Barnyard Syslog subagent parser


So we had need of a Barnyard smartconnector.  Unfortunately, the SC that comes with ArcSight is only compatible with version .2 of Barnyard and we are using 2.1.13 which apparently is different enough that nothing was getting parsed.

So after multiple attempts to change Barnyard itself, (including changing its output to CEF, which didn't work for reasons I'll get into later), I decided to write a flexconnector for the new Barnyard.  I created both a pure flexconnector and a syslog subagent.

Some caveats:

1.  Both of these need a catchall at the end.  I will probably add that in a few days, thanks to ops tempo, I need to move on for now:

# catch all




2.  Additional parsing for more details could provide better information in ArcSight.  For example, some more granularity regarding the categoryDeviceGroup equaling only /IDS.

Some of the posts where I got great help from the community are below.

(NOTE:  While Barnyard had an option to output to CEF, for some reason it had

CEF:Version|Device Vendor|Device Product|Device Version.Signature ID|Name|Severity|[Extension]

notice the '.' between Device Version and Signature ID which threw off Name, Severity and many of the extensions.)

Comment List