Feature request - Smartconnector, send agent.log via syslog

Hi,

It would be nice if the SmartConnector were able to send its agent.log via syslog.

13 Comments
shotoz Respected Contributor.

Good idea!!!!

DanyK7 Honored Contributor.

The proverbial poorly shod shoemaker...

Not just the agent.log but the agent.out.wrapper.log too!

pernote Absent Member.

And also logs from ESM, Logger and ArcMC.

shezaf1 Acclaimed Contributor.

While we are reviewing the feature request, you may want to look at available options to do this using contributed scripts and content.

frankbijkersma Honored Contributor.

You can do this with the tool WeAnalyze to an extent. As Agent.log is always written to, you can only do Agent.log.2 and others. So you will always be a little behind, depending on connector. You will just need a script to cycle the files so you don't keep sending the same files.

It's been built. We have it running here; I'm not allowed to share it though. IMO it's not that useful. SmartConnectors generally already give a call when they have issues such as devices not logging or connector down.


EricLamer Outstanding Contributor.

I am building my own flexconnector

Micro Focus Expert

If you are going down the flexconnector route, I have one I wrote a while back for a customer for agent.log. I just need to sanitize the data as I had sample events in it. If you want this as a starting point, message me directly. I used a WUC connector as the sample, so I don't claim it to be complete, but it may prove to be a starting point.

Carl_E Super Contributor.

To implement this properly, either the types of events that are logged to the agent.log and agent.out.wrapper.log would need to be revised or there should be a way to select which events are forwarded by syslog.

There is a lot of useful information in the agent.log file but it often reminds me of a debug log.

EricLamer Outstanding Contributor.

Yes, I am filtering events based on type and criticality. If not, there are way too many events in the agent.log. Right now 1 connector appliance is generating around 500 eps but I am only forwarding 10 eps to ESM.

shezaf1 Acclaimed Contributor.

I gave some thought to this feature request and decided to shelve it. This is a hack and not a feature. Now don't get me wrong - ArcSight is a great tool for hacking, and this is exactly the way to implement this - using a flex connector as described above. I would hope that we can build a community that would collectively build such a connector.

On the other hand, you may have a specific gap that requires such analysis of ArcSight log files. Such specific issues might be very good ideas for a feature request.