Idea ID 2802086
Dear technical support and partner
This is Jason.
One of our customers is experiencing some abnormal events shown on the ArcSight console, which are processed by a Syslog Daemon connector that receives events from a WAF device.
They found that the abnormal events happen when fragmented IP packets are processed by the connector.
If fragmented packets are sent to the Syslog Daemon from the WAF device, the connector tries to parse every fragmented packet that arrives at the connector server via UDP.
I opened the case SD02678593, and the answer was that the WAF device settings have to be reviewed.
I think the WAF device sends syslog messages that are too long (more than 4,000 bytes), and the network device divides the packet into smaller fragments.
But on the connector side, the fragmented packet is still a target for parsing, because a syslog header exists in the fragmented packet too.
So, how about making the SmartConnector ignore fragmented packets arriving at the connector server, for better event parsing?
Thank you in advance.
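As an added example (not ArcSight or SmartConnector code, and not part of the original post), the following Python pre-filter shows the kind of check a receiver in front of the connector could apply to each UDP syslog datagram. The host IP stack reassembles IP fragments before a datagram is handed to a UDP socket, so what an application can actually inspect is the reassembled payload: its length and whether it begins with a syslog `<PRI>` header. The size ceiling (2048 octets) is an assumption taken from RFC 5426 section 3.2, not an ArcSight setting; the sample datagrams, the `waf01` host name and the port number are all constructed for illustration.

```python
"""Pre-filter for UDP syslog datagrams before they reach a parser.

Added example, not ArcSight/SmartConnector code. Limits are assumptions
taken from RFC 5426 section 3.2, not from any connector setting.
"""
import re
import socket
from collections import Counter

MAX_DATAGRAM = 2048  # assumed ceiling; RFC 5426 says receivers SHOULD accept up to 2048 octets
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # syslog PRI header: "<" 0..191 ">"


def classify(payload: bytes, max_len: int = MAX_DATAGRAM) -> str:
    """Classify one reassembled UDP payload.

    'no_header' - does not begin with a valid <PRI>; typically a truncated
                  or mid-message chunk that a parser would mangle
    'oversized' - longer than max_len (would have been IP-fragmented on the
                  wire for any common MTU; sender should shorten or use TCP/TLS)
    'multi'     - embedded newline, i.e. several messages packed in one datagram
    'ok'        - single message with a valid header and acceptable size
    """
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        return "no_header"
    if len(payload) > max_len:
        return "oversized"
    if b"\n" in payload.rstrip(b"\n"):
        return "multi"
    return "ok"


def triage(datagrams):
    """Split a batch of payloads into accepted and dropped, with per-verdict counts."""
    accepted, dropped, counts = [], [], Counter()
    for d in datagrams:
        verdict = classify(d)
        counts[verdict] += 1
        (accepted if verdict == "ok" else dropped).append((verdict, d))
    return accepted, dropped, counts


def serve(bind: str = "0.0.0.0", port: int = 1514):
    """Listen for UDP syslog and report each datagram's verdict (hypothetical port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)  # kernel has already reassembled fragments
        print(f"{peer[0]} {classify(data)} {len(data)}B")


# Constructed sample datagrams (not captured from any real WAF).
SAMPLES = [
    b"<134>Mar  1 10:00:01 waf01 waf: id=1001 src=192.0.2.10 action=block rule=sqli",
    # a 4,400-byte body, the kind of message the post says gets fragmented
    b"<134>Mar  1 10:00:02 waf01 waf: id=1002 src=192.0.2.11 action=block body=" + b"A" * 4400,
    # tail of a request body with no syslog header at all
    b"&param=" + b"B" * 300,
    # two messages packed into one datagram
    b"<134>Mar  1 10:00:03 waf01 waf: id=1003 action=allow\n"
    b"<134>Mar  1 10:00:04 waf01 waf: id=1004 action=allow",
]

if __name__ == "__main__":
    ok, bad, summary = triage(SAMPLES)
    print(dict(summary))
    for verdict, d in bad:
        print(verdict, d[:60])
```

Dropping rather than parsing the `no_header` and `oversized` verdicts is what the post asks the connector to do; the counts from `triage` also give a quick measure of how much of a WAF's feed is affected before the sender's message length or transport is changed.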