Fields are showing as blank and some CEF fields aren't parsed
I'm feeding the syslog output from a server of mine into Logger. Logger is able to recognize the header fields of the CEF message, but when viewed in the overview the value that it shows is blank.
I can search based on the CEF fields on the left.
The raw log looks like this:
I can't say I know where the <153> came from; this is being forwarded by syslogd on Mac OS 10.8 to a CEF UDP receiver in ArcSight Logger. That <153> doesn't appear in the local log file.
This looks like there is a CEF event that is being forwarded by a SYSLOG forwarder. The reason I say this is because there is a SYSLOG header on the event (<153> is a tag of priority and facility).
The CEF fields are no longer CEF fields but are now the contents of a SYSLOG message that has been forwarded. The CEF fields are blank.
Basically, CEF messages should be sent directly to a Logger CEF receiver, not through a Syslog forwarder.
Ok, this sort of makes sense, but is contradictory to the documentation, which states that CEF uses syslog as a transport mechanism and that CEF messages are comprised of a syslog prefix, a header and an extension. The one difference is the example doesn't have the tag for priority and facility.
This also indicates to me that Logger is unable to act as a syslog receiver.
There are an explicit set of fields required in the CEF header - it seems possibly Signature ID or Name is missing?
CEF:Version|Device Vendor|Device Product|Device Version|Signature|Name|Severity|Extension
In the logger query, only the deviceGroup is being satisfied in the search results, not the deviceEventClassId - you can see that field is empty in the row returned. This means the event was not parsed.
There are nine required CEF header fields and I think there are only seven defined in the event above. Can you modify your CEF header definition and see what you get for parsing after that?
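As an added illustration of the header check described above (example code written for this thread, not part of ArcSight Logger or the original posts), the parser below strips a syslog <PRI> tag like <153>, then requires exactly seven pipe-delimited header fields before the extension; a record with Signature ID left out fails the check the same way the thread's event did. The field names are assumed to mirror ArcSight's, and both sample records are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# CEF header fields, in order; the ArcSight-style names are assumed.
CEF_HEADER = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
              "deviceEventClassId", "name", "severity"]

# RFC 3164 priority tag such as <153>, prepended by the syslog forwarder.
PRI_RE = re.compile(r"^<(\d{1,3})>")

def strip_syslog_pri(line: str) -> Tuple[Optional[int], str]:
    """Remove a leading <PRI> tag and return (pri, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]

def decode_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity; <153> is facility 19 (local3), severity 1."""
    return divmod(pri, 8)

def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse one CEF record that may carry a syslog prefix.

    Returns None when the header does not contain exactly seven
    pipe-delimited fields before the extension, which is the condition
    that left deviceEventClassId blank in the event discussed above.
    """
    _, body = strip_syslog_pri(line)
    start = body.find("CEF:")
    if start < 0:
        return None
    # Split on unescaped pipes only; "\|" inside a header value is literal.
    # maxsplit keeps any pipes that appear inside the extension intact.
    parts = re.split(r"(?<!\\)\|", body[start + 4:], maxsplit=len(CEF_HEADER))
    if len(parts) != len(CEF_HEADER) + 1:
        return None
    event = dict(zip(CEF_HEADER, (p.replace("\\|", "|") for p in parts[:-1])))
    # Extension is key=value pairs; values may contain spaces, so a value
    # runs until the next " key=" boundary or the end of the line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[-1].strip()):
        event[m.group(1)] = m.group(2)
    return event

# Constructed sample records: a well-formed one and one missing Signature ID.
GOOD = "<153>Jan  1 00:00:00 host CEF:0|Example|Agent|1.0|100|Login failed|5|src=10.0.0.1 msg=bad password"
BAD = "<153>Jan  1 00:00:00 host CEF:0|Example|Agent|1.0|Login failed|5|src=10.0.0.1"

if __name__ == "__main__":
    print(parse_cef(GOOD))   # full header plus src/msg
    print(parse_cef(BAD))    # None: only six header fields
```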
Yes, this was the original problem, I noticed it and fixed it just as you sent your first response and it works correctly now.
(now to figure out how to mark this thread as answered, if possible)