
CEF-Parsing depends on source devices...How to reset?


Hi there!

I have an issue sending CEF messages over syslog to a (generic) syslog daemon connector (version 6.0.6).

For one device host name (in the syslog header of the CEF message) the connector won't use the CEF message in it and just recognizes the event as a default-unreadable syslog.

But for other hosts the parsing works like a charm. Messages from new hosts get parsed as well.

Via Telnet the malfunction is reproducible.

For example this string

<28>Nov 25 14:00:34 host1 blabla[0123]: CEF:0|Vendor|Product|1.0|1234|Failed Login|5|cs1=LOW cs1Label=Severity cs3=INFO cs3Label=Classification cat=Self Monitoring msg=test

is getting parsed depending on the hostname (host1). Line 3 had the problematic host in the message. The other lines are from a well-known CEF source and a new host:

Maybe it's a desired behavior to hard-code the depending subagent to the known hosts.

But how can I reset the decision completely and/or for specific hosts?

Restarting the agent was not sufficient. Neither was any other command in the "Tech support" context.

Thanks for your help in advance!

Tobias


Accepted Solutions

Hello Tobias,

Have a look in the file syslog.properties in the current/user/agent/ directory. In there you need to search for the server that is providing the wrong combination. Either remove the entry or swap the order of the definitions of the parsers.

The file looks odd, but it is just 1 very long line.

Regards,

Richard

Could you include an example of the problematic message? Preferably, please post a txt file that you can send to the syslog collector via netcat and reproduce the issue.

One note off the top - the CEF "standard" is poor in its definition, in that it doesn't formally define a syslog transport for messages. It gives a simple example, which resembles the default syslog file format for common daemons, but does not reflect the standard syslog wire format. The standard also fails to specify handling of modern syslog header conventions like the multi-hop hostname chaining of syslog-ng.

Your example includes the syslog PRI header, as well as a tag component (blahbla[###]), which are excluded from the CEF standard documentation. They may (or may not) be problematic in practice.

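As an added illustration of the syslog envelope discussed above (this is example code, not from the thread or from the connector): a small Python parser that strips the PRI, timestamp, hostname and tag and then splits the CEF header and extension, run over constructed sample lines of the same shape as the one quoted in the question. A body that does not start with "CEF:" is returned as a plain syslog record, which is the fallback the connector applies to the problematic host.

```python
import re

# Constructed samples: the first mirrors the line quoted in the question, the second
# is plain syslog, the third is CEF without a tag and with escaped "|" and "=".
SAMPLES = [
    "<28>Nov 25 14:00:34 host1 blabla[0123]: CEF:0|Vendor|Product|1.0|1234|Failed Login|5|"
    "cs1=LOW cs1Label=Severity cs3=INFO cs3Label=Classification cat=Self Monitoring msg=test",
    "<13>Nov 25 14:00:35 host1 sshd[42]: Accepted password for user",
    "Nov 25 14:00:36 host2 CEF:0|Vendor|Product|1.0|1|a\\|b|3|msg=x\\=y",
]
# BSD-style syslog envelope: optional <PRI>, timestamp, host, optional TAG[pid]:, body.
# The lookahead keeps "CEF:" from being mistaken for a tag when no tag is present.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?!CEF:)(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?)?"
    r"(?P<body>.*)$")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def parse_extension(ext):
    """Split 'key=value key2=value with spaces' pairs; a value runs to the next key."""
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        val = ext[m.end():end].strip()
        out[m.group(1)] = val.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef_syslog(line):
    """Return the syslog envelope plus parsed CEF, or cef=None for a non-CEF body."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog line: %r" % line)
    rec = {"host": m["host"], "tag": m["tag"], "pid": m["pid"],
           "body": m["body"], "cef": None}
    if not m["body"].startswith("CEF:"):
        return rec  # generic syslog: the connector's fallback for unparsed bodies
    parts = re.split(r"(?<!\\)\|", m["body"], maxsplit=7)  # 7 unescaped pipes
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 unescaped pipes")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    header["extension"] = parse_extension(parts[7])
    rec["cef"] = header
    return rec
```

Calling parse_cef_syslog on each entry of SAMPLES shows that the hostname and tag are simply envelope fields and play no part in whether the body parses as CEF.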

Hi Mathew!

I'm using the quoted example above for testing. We get every CEF-via-syslog event like this. The component tag, the priority value and so on are irrelevant. Only the host name...

During my testing the connector reacts to any new host (in this example: "host1") like this:

But: If I'm using a hostname that is already known by the connector (because of prior non-CEF messages from this host) for a longer time, the output looks like this:

So I think after a while there is no more decision what subagent the connector has to use...it still uses syslog-forwarder.

Besides reinstalling the agent...how can this be reset?

br

Tobias


Ahh I see. I don't know if this can be reset, but could you instead use two Syslog agents on different ports? One agent to receive CEF and the other to receive the other formats? It's generally recommended to dedicate your syslog agents to one device type (sub-agent) to avoid this kind of misparsing issue.


Thanks Richard!

That's exactly what I was looking for.

For the record: On page 9 of the helpful Protect session "" it's also documented:

If incorrect Device Vendor/Product was set before, you must delete the ../current/user/agent/syslog.properties file (or at least remove the entry for that device from the file) before restarting the Connector.

Should be in the Connector configuration guide IMHO.

br and many thanks

Tobias
