Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
Absent Member.
Absent Member.
801 views

Citrix Web application Logs are not receiving in Arcsight

Dear all,

We used to receive Citrix WAF logs in Arcsight through syslog. But after the upgrade of Citrix WAF from 10.1 to 11.1,No Logs are receiving in Arcsight . As we checked the agent logs, We found a Signature Mismatch events  as shown below

ContentInputStreamOverrides[1]=10/31/16 1:18 AM: [E:\ArcSight\ArcSightSmartConnectors\NewSyslogJune2014\current\user\agent\fcp\citrixnetscaler_syslog\citrixnetscaler_syslog.subagent.sdkrfilereader.properties] augments [citrixnetscaler_syslog\citrixnetscaler_syslog.subagent.sdkrfilereader.properties] for AUP type [fcp] -- Signature Mismatch!}

Also we checked this with WAF admin team, They said thay can see the packets going out of citrix

Please assist us to fix this issue .

Labels (4)
0 Likes
3 Replies
Commodore Commodore
Commodore

I've seen the same error, "Signature Mismatch!", on the "DNS Trace Log" smart connector. Don't know the root cause or fix...but just adding this observation and hoping someone can answer.

0 Likes
Admiral
Admiral

It sounds like there was a parser override previously applied to this connector and you are now trying to upgrade the connector, is this the case? If yes, you have 2 options.

1. Remove the parser override and run the upgrade

or

2. remove the following line from the parser override -> prop.sign.ver.date (after the upgrade is applied, and the connector is started the override will then be re-added and a new prop.sign.ver.date will be added.

Hope this helps

Cheers
Lar

0 Likes
Commodore Commodore
Commodore

Looks like your suggestion worked.

Although, I must add, the change that needed to be made is quite hidden in the comments of the file \current\user\agent\fcp\dns_tracelog_file\dns_tracelog_file.sdkrfilereader.properties.

To be specific, after stopping the connector, I changed the last lines of this file:

From:

# Signature from base properties file in effect when this override file was first seen:

prop.sign.ver.date=978E0305F1CA5E38BC02A8B846A871552A43101FD0A59B4473BB0971581B8048|8|2014-11-09 06:57:17 PST

# Remove the prop.sign.ver.date property if this override file is known to work correctly

# with an updated base properties file (the new signature will be added automatically)

To:

# Signature from base properties file in effect when this override file was first seen:

# Remove the prop.sign.ver.date property if this override file is known to work correctly

# with an updated base properties file (the new signature will be added automatically)

(I removed  "prop.sign.ver.date=978E0305F1CA5E38BC02A8B846A871552A43101FD0A59B4473BB0971581B8048|8|2014-11-09 06:57:17 PST" that was buried in the comments.)

Then I started the connector. A new signature was automatically-added to "prop.sign.ver.date". No more "Signature Mismatch!" errors in agent.log.

Thanks for your help!

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.