
Citrix Web Application logs are not being received in ArcSight
Dear all,
We used to receive Citrix WAF logs in ArcSight through syslog, but after the upgrade of Citrix WAF from 10.1 to 11.1, no logs are being received in ArcSight. When we checked the agent logs, we found Signature Mismatch events, as shown below:
ContentInputStreamOverrides[1]=10/31/16 1:18 AM: [E:\ArcSight\ArcSightSmartConnectors\NewSyslogJune2014\current\user\agent\fcp\citrixnetscaler_syslog\citrixnetscaler_syslog.subagent.sdkrfilereader.properties] augments [citrixnetscaler_syslog\citrixnetscaler_syslog.subagent.sdkrfilereader.properties] for AUP type [fcp] -- Signature Mismatch!}
We also checked this with the WAF admin team; they said they can see the packets going out of Citrix.
Please assist us in fixing this issue.


I've seen the same error, "Signature Mismatch!", on the "DNS Trace Log" smart connector. Don't know the root cause or fix...but just adding this observation and hoping someone can answer.

It sounds like there was a parser override previously applied to this connector and you are now trying to upgrade the connector, is this the case? If yes, you have 2 options.
1. Remove the parser override and run the upgrade
or
2. Remove the following line from the parser override -> prop.sign.ver.date (after the upgrade is applied and the connector is started, the override will then be re-added and a new prop.sign.ver.date will be added).
Hope this helps
Cheers
Lar


Looks like your suggestion worked.
Although, I must add, the change that needed to be made is quite hidden in the comments of the file \current\user\agent\fcp\dns_tracelog_file\dns_tracelog_file.sdkrfilereader.properties.
To be specific, after stopping the connector, I changed the last lines of this file:
From:
# Signature from base properties file in effect when this override file was first seen:
prop.sign.ver.date=978E0305F1CA5E38BC02A8B846A871552A43101FD0A59B4473BB0971581B8048|8|2014-11-09 06:57:17 PST
# Remove the prop.sign.ver.date property if this override file is known to work correctly
# with an updated base properties file (the new signature will be added automatically)
To:
# Signature from base properties file in effect when this override file was first seen:
# Remove the prop.sign.ver.date property if this override file is known to work correctly
# with an updated base properties file (the new signature will be added automatically)
(I removed "prop.sign.ver.date=978E0305F1CA5E38BC02A8B846A871552A43101FD0A59B4473BB0971581B8048|8|2014-11-09 06:57:17 PST" that was buried in the comments.)
Then I started the connector. A new signature was automatically added to "prop.sign.ver.date". No more "Signature Mismatch!" errors in agent.log.
Thanks for your help!
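
The manual edit described in this thread can be scripted when several override files are affected. The following is an added example, not code from the thread or from ArcSight: it removes the active prop.sign.ver.date line from every .properties override under a given fcp directory, leaves comment lines untouched, and keeps a .bak copy of each changed file. It assumes the connector is stopped first; the function names and the constructed sample file are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path

KEY = b"prop.sign.ver.date"  # property named in the thread

def is_signature_line(line: bytes) -> bool:
    """True for an active (uncommented) prop.sign.ver.date assignment."""
    s = line.lstrip()
    if s[:1] in (b"#", b"!"):  # .properties comment markers
        return False
    return s.startswith(KEY) and s[len(KEY):len(KEY) + 1] in (b"=", b":", b" ", b"\t")

def strip_signature(path: Path) -> bool:
    """Drop the signature line from one override file; keep a .bak copy."""
    lines = path.read_bytes().splitlines(keepends=True)  # bytes: line endings stay as-is
    kept = [ln for ln in lines if not is_signature_line(ln)]
    if len(kept) == len(lines):
        return False  # nothing to remove, file left untouched
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(b"".join(kept))
    return True

def clean_overrides(fcp_dir) -> list:
    """Process every override under <connector>/current/user/agent/fcp."""
    return [p for p in sorted(Path(fcp_dir).rglob("*.properties")) if strip_signature(p)]

def demo():
    """Run against a constructed override file in a temporary directory."""
    sample = (
        b"# Signature from base properties file in effect when this override file was first seen:\r\n"
        b"prop.sign.ver.date=CONSTRUCTED_SIGNATURE|8|2014-11-09 06:57:17 PST\r\n"
        b"# Remove the prop.sign.ver.date property if this override file is known to work correctly\r\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / "dns_tracelog_file" / "dns_tracelog_file.sdkrfilereader.properties"
        f.parent.mkdir()
        f.write_bytes(sample)
        changed = [p.name for p in clean_overrides(tmp)]
        backup_ok = f.with_name(f.name + ".bak").read_bytes() == sample
        return changed, f.read_bytes(), backup_ok

if __name__ == "__main__":
    print(demo())
```

Diffing each file against its .bak copy before starting the connector confirms that only the signature line was removed.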