Absent Member.

Fields are showing as blank and some CEF fields aren't parsed

I'm feeding the syslog output from a server of mine into Logger.  Logger is able to recognize the header fields of the CEF message but when viewed in the overview the value that it shows is blank.

I can search based on the CEF fields on the left.

[Screenshot: Screen Shot 2013-04-04 at 4.35.28 PM.png]

The raw log looks like this:

RAW   <>  [] [] ||||||

I can't say I know where the <153> came from, this is being forwarded by syslogd on Mac OS 10.8 to a CEF UDP receiver in ArcSight Logger.  That <153> doesn't appear in the local log file.



8 Replies

Micro Focus Expert

Try adding a CEF UDP Receiver and using that instead of a UDP Receiver.


Absent Member.

Whoops, I meant to say it's going into a CEF UDP receiver.  I also tried a regular UDP receiver and it was the same.

Micro Focus Expert

This looks like there is a CEF event that is being forwarded by a SYSLOG forwarder. The reason I say this is because there is a SYSLOG header on the event (<153> is a tag of priority and facility).

The CEF fields are no longer CEF fields but are now the contents of a SYSLOG message that has been forwarded. The CEF fields are blank.

Basically, CEF messages should be sent directly to a Logger CEF receiver, not through a Syslog forwarder.

Absent Member.

Ok, this sort of makes sense, but is contradictory to the documentation which states that CEF uses syslog as a transport mechanism and that CEF messages are comprised of a syslog prefix, a header and an extension.  The only difference is the example doesn't have the tag for priority and facility.

This also indicates to me that Logger is unable to act as a syslog receiver.

Absent Member.

There is an explicit set of fields required in the CEF header - it seems possibly Signature ID or Name is missing?

CEF:Version|Device Vendor|Device Product|Device Version|Signature|Name|Severity|Extension

||||||

HTH

Absent Member.

Rafeek,

Were you ever able to find a solution to this?

Absent Member.

Hi Rafeek,

In the logger query, only the deviceGroup is being satisfied in the search results, not the deviceEventClassId - you can see that field is empty in the row returned.  This means the event was not parsed.

There are nine required CEF header fields and I think there are only seven defined in the event above.  Can you modify your CEF header definition and see what you get for parsing after that?

Cheers
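The two replies above both come down to the same check: the CEF header must carry every pipe-separated field in the template `CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension` before Logger will populate fields such as deviceEventClassId, and a syslog forwarder prepends a `<PRI>` tag (the `<153>` in the question) in front of it. The script below is an added example, not code from the thread or from ArcSight/Micro Focus; it strips the syslog PRI, splits the header on unescaped pipes, and reports a line as unparsed when the header has fewer pipes than the template, which is the symptom described in the original post. The field names, the sample lines and the `parse_cef` / `split_unescaped` helpers are assumptions made for this example.

```python
import re

# CEF header layout as quoted in the thread: seven pipe-separated header
# fields, then the extension. Names are assumptions for this example.
CEF_HEADER_FIELDS = (
    "Version", "Device Vendor", "Device Product", "Device Version",
    "Signature ID", "Name", "Severity",
)
HEADER_PIPES = len(CEF_HEADER_FIELDS)  # 7 unescaped pipes precede the extension

SYSLOG_PRI_RE = re.compile(r"^<(\d{1,3})>")
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def strip_syslog_pri(line):
    """Peel off a leading <PRI> tag as added by a syslog forwarder. PRI is
    facility * 8 + severity, so the thread's <153> is facility 19 (local3),
    severity 1 (alert). Returns (facility, severity, remainder); the first
    two are None when no valid tag is present."""
    m = SYSLOG_PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:                    # 23 * 8 + 7 is the largest legal PRI
        return None, None, line
    return pri // 8, pri % 8, line[m.end():]


def split_unescaped(text, sep, maxsplit):
    """Split on SEP at most MAXSPLIT times, skipping backslash-escaped
    characters (CEF writes a literal pipe inside a header field as '\\|')."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_extension(ext):
    """Turn 'key=value key2=value with spaces' into a dict. A value runs up
    to the next 'key=' token, so values may contain spaces."""
    ext = ext.strip()
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_cef(line):
    """Parse one syslog-forwarded CEF line. 'parsed' is False when the header
    does not contain the expected number of pipes; 'blank_header_fields'
    lists header fields that are present but empty."""
    facility, severity, body = strip_syslog_pri(line)
    result = {
        "parsed": False,
        "syslog_facility": facility,
        "syslog_severity": SEVERITY_NAMES[severity] if severity is not None else None,
        "header": {},
        "extension": {},
        "blank_header_fields": [],
        "reason": None,
    }
    start = body.find("CEF:")        # forwarder may prepend timestamp/host first
    if start == -1:
        result["reason"] = "no 'CEF:' prefix found"
        return result
    parts = split_unescaped(body[start + len("CEF:"):], "|", HEADER_PIPES)
    if len(parts) != HEADER_PIPES + 1:
        result["reason"] = (f"expected {HEADER_PIPES} unescaped pipes before the "
                            f"extension, found {len(parts) - 1}")
        return result
    header = {name: value.replace("\\|", "|").replace("\\\\", "\\")
              for name, value in zip(CEF_HEADER_FIELDS, parts[:HEADER_PIPES])}
    result.update(
        parsed=True,
        header=header,
        extension=parse_extension(parts[HEADER_PIPES]),
        blank_header_fields=[name for name, value in header.items() if value == ""],
    )
    return result


# Constructed sample lines (not taken from the thread). The first carries all
# seven header fields; the second drops Signature ID, leaving six pipes.
SAMPLE_OK = ("<153>Apr  4 16:35:28 macbook CEF:0|Example|Demo|1.0|100|User login|3|"
             "src=10.0.0.5 suser=alice msg=Login succeeded")
SAMPLE_SHORT = ("<153>Apr  4 16:35:28 macbook CEF:0|Example|Demo|1.0|User login|3|"
                "src=10.0.0.5 suser=alice")
SAMPLE_BLANK = "<153>Apr  4 16:35:28 macbook CEF:0|Example||1.0|100|User login|3|src=10.0.0.5"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SHORT, SAMPLE_BLANK):
        r = parse_cef(sample)
        print(r["parsed"], r["reason"] or r["header"], r["blank_header_fields"])
```

Running it over a few lines from the forwarder before pointing them at Logger tells you whether a blank column is a receiver problem or a sender problem: a short header is rejected outright with the pipe count, while a header that is merely empty in one position parses but shows up in `blank_header_fields`.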

Absent Member.

Yes, this was the original problem, I noticed it and fixed it just as you sent your first response and it works correctly now.

Thank you!

(now to figure out how to mark this thread as answered, if possible)
