MickyM (Super Contributor)

Assistance with new Logger implementation

Hi

I'm a newbie to Logger and am implementing it for the first time; my experience is mainly with the Ops Bridge and Network Management products. I have some basic architectural questions about Logger and its integrations into OBA and other products.

We have set up Logger and basically it is receiving and processing raw syslog events from thousands of network devices, comprised of dozens of vendors. No connectors or CEF are involved at the moment. We have found that when integrating into any other product, e.g. OBA (OpsA), OMi or NNMi, the integrations do not work, as Logger is not forwarding out events as CEF, only in RAW format. I understood that using SmartConnectors was optional, but thought it was unnecessary at that point in time.

In reading up on the documentation, I understand that we need to deploy SmartConnectors in between the device syslog and Logger, to convert RAW syslog to CEF. Fair enough. However, what is mind-boggling to me is that it seems SmartConnectors are vendor specific, so we need to deploy a SmartConnector per vendor, e.g. a Cisco IOS SmartConnector. The large network contains dozens of different vendors all sending syslog. So my questions are:

Do we need a SmartConnector per vendor to achieve this? I am assuming that means each device type will need to have its syslog re-configured?

Aside from developing customised connectors for unsupported vendors, is there a generic connector that converts to CEF? I have seen the "SmartConnector for Raw Syslog Daemon" but it doesn't mention CEF format.

In a large network with dozens of device vendors and thousands of devices, how is this achieved? Surely we don't need to go off and install/develop dozens of connectors and reconfigure thousands of devices.

Thanks for your assistance!

Mick

5 Replies

ABader (Super Contributor)

Re: Assistance with new Logger implementation

Hi Mick,

You can use one syslog connector for many different vendors.

But normally it makes sense to separate different networks or environments with different connectors.

If you install one syslog connector, the parsers for all other syslog-related vendors (that are supported by ArcSight) are integrated.

If you have exotic syslog devices you can add a Flex sub-parser to the syslog connector.

Kind regards

Andreas

MickyM (Super Contributor)

Re: Assistance with new Logger implementation

Hi Andreas

Thanks for the reply

I know it makes sense, what you're saying, but it's a big task to reconfigure thousands of devices and deploy dozens of connectors; we need something in the interim.

Can you point me to the connector documentation we should be using? Is it the "SmartConnector for Raw Syslog Daemon"?

ABader (Super Contributor)

Re: Assistance with new Logger implementation

Hi Mick,

You can use the Syslog NG Daemon.

You can use it in UDP, TCP or TLS mode if required.

Kind regards

Andreas

Marijo Mandic (Acclaimed Contributor)

Re: Assistance with new Logger implementation

Hello,

This should get you going:

1) ArcSight Connectors Documentation:
https://community.softwaregrp.com/t5/ArcSight-Connectors/tkb-p/connector-documentation

Here you can find the SmartConnector types, to get an idea of what is supported and how to configure it.

2) General documentation link:
https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ct-p/productdocs

3) I would advise reading this for Logger, to avoid a wrong implementation from the start:
https://community.softwaregrp.com/t5/Logger/Logger-6-50-Best-Practices-Guide/ta-p/1619133

4) When you install the SmartConnector, select Syslog Daemon and then later the port/protocol. Later on you send syslog events to the host where the SmartConnector is running and listening on that specific port/protocol. If the event is supported it will be parsed/normalized out of the box; if not, you will have unparsed events (not normalized), or they may go under general Unix/Unix events for the default syslog parser.

5) If it is not supported out of the box you can make your own FlexConnector:
https://community.softwaregrp.com/t5/ArcSight-Connectors/HPE-ArcSight-FlexConnector-Developer-s-Guide/ta-p/1584874?nm

Regards,

Marijo

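As an added illustration of what Andreas's reply and Marijo's step 4 describe (one syslog listener, bundled per-vendor parsers, an unparsed fallback for unsupported devices), and not code from the thread or from ArcSight: a minimal Python normalizer that turns constructed raw syslog lines into CEF with the header and extension escaping CEF requires. The sample lines, vendor/product names, event class IDs and the Cisco-to-CEF severity mapping are assumptions for illustration only.

```python
import re

# Constructed sample syslog lines (not from the thread): a Cisco IOS-style ACL
# log message and a generic Linux sshd message.
SAMPLE_LINES = [
    "<189>42: *Mar  1 12:00:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "10.0.0.5(4444) -> 10.0.0.9(22), 1 packet",
    "<38>Mar  1 12:00:02 host1 sshd[2201]: Failed password for invalid user "
    "admin from 10.0.0.7 port 5555 ssh2",
]

def cef_header(value):
    """Escape a CEF header field: backslash and pipe are the special characters."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """Escape a CEF extension value: backslash and equals are special, pipe is not."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(vendor, product, version, class_id, name, severity, ext):
    """Build one CEF:0 record from the header fields and an extension dict."""
    head = "|".join(cef_header(v) for v in (vendor, product, version, class_id, name, severity))
    tail = " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{head}|{tail}"

# Per-vendor patterns (assumed), in the spirit of the parsers a syslog connector bundles.
CISCO_ACL = re.compile(
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z]+): list (?P<acl>\S+) "
    r"(?P<act>permitted|denied) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<spt>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dpt>\d+)\)")
SSHD_FAIL = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<spt>\d+)")

def parse_line(line):
    """Normalize one raw syslog line to CEF; unknown devices fall through unparsed."""
    m = CISCO_ACL.search(line)
    if m:
        # Cisco severity runs 0 (emergency) to 7 (debug); CEF runs 0 (low) to 10 (high).
        sev = (7 - int(m["sev"])) * 10 // 7
        return to_cef("Cisco", "IOS", "", f"{m['fac']}-{m['sev']}-{m['mnem']}",
                      f"ACL {m['act']}", sev,
                      {"act": m["act"], "proto": m["proto"], "src": m["src"], "spt": m["spt"],
                       "dst": m["dst"], "dpt": m["dpt"], "cs1Label": "acl", "cs1": m["acl"]})
    m = SSHD_FAIL.search(line)
    if m:
        return to_cef("Unix", "sshd", "", "auth-fail", "Failed password", 5,
                      {"dvchost": m["host"], "suser": m["user"], "src": m["src"], "spt": m["spt"]})
    # No parser matched: keep the whole raw message so nothing is lost downstream.
    return to_cef("Unknown", "syslog", "", "unparsed", "Unparsed syslog", 0, {"msg": line})
```

Each real vendor parser in a SmartConnector is far richer than these two regexes; the point is that one listener can hold many parsers and still emit a well-formed CEF record for lines none of them recognise.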
MickyM (Super Contributor)

Re: Assistance with new Logger implementation

Marijo

Thanks for the detail.
