Fred Henrique (Respected Contributor)

Step by step - Parser syslog Logger

Hello everyone,

I made a configuration to parse the syslog logs in ArcSight Logger with my regex, but the configuration didn't show me the modification that I did.

Parser:

\<\d+\>(?<TimeStamp_1>\S+ +\d+ \d+:\d+:\d+) (?<Word_1>\S+) \S+: (?<Word_3>\S+)\|\|\S+=\|\S+=(?<IPAddress_1>\d+\.\d+\.\d+\.\d+)\|\S+=(?<IPAddress_2>\d+\.\d+\.\d+\.\d+)\|\w+=(?<HostName_1>[^|]*)\|\w+=(?<Number_2>\d+)\|\w+=(?<Number_3>\d+)\|\w+=(?<Number_4>\d+)\|\w+=(?<Number_5>\d+)\|\w+=(?<Word_13>[^|]*)\|\w+=(?<Word_16>[^|]*)\|\w+=(?<Word_19>\w+)\|\w+=(?<Url_1>[^|]*)\|\w+=[^|]*\|\w+=\|\w+=\|\w+=(?<Number_6>\d+)\|\w+=[^|]*\|\w+=[^|]*\|\w+=[^|]*\|\w+=([^|]*)\|\w+=([^|]*)\|.*

Name: MWG-Teste

Source Types:

Name=MWG ; Description=McAfee Web Gateway; Parser=MWG-Teste

Receiver:

Name=McAfee Web Gateway; IP/Host=ALL; Port=9999; Encoding=UTF-8; Source Type=MWG; Enable=is checked

RAW EVENT:

<30>Apr 23 14:22:41 LANGOLANGO01 mwg: McAfeeWG||auth_user=|src_ip=10.10.10.12|server_ip=8.8.8.8|host=login.windows.net|url_port=443|status_code=200|bytes_from_client=2248|bytes_to_client=13408|categories=Software/Hardware|rep_level=Minimal Risk|method=CONNECT|url=https://login.windows.net|media_type=|application_name=|user_agent=|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=0|

Who can help me?

Remember: my device is an ArcSight Logger Appliance; I am not using the ArcSight SmartConnector.

Thanks for your help.

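Before changing anything on the receiver, it is worth confirming offline that the expression actually matches the raw event and that each positional group name (Word_1, Number_2, ...) lands on the intended Web Gateway field. The script below is an added check, not part of the original post or of ArcSight Logger: it takes the parser exactly as posted, rewrites its `(?<name>...)` groups to the `(?P<name>...)` form Python's `re` module requires, runs it over the posted raw event plus two constructed events (a blocked request and an authenticated one), and reports the captured groups. The `FIELD_MEANING` table is read off the posted event by position; it is not an official Logger field mapping.

```python
import re
from typing import Optional

# The parser expression exactly as posted in the question above.  Python's re
# module only accepts (?P<name>...) named groups, so to_python_syntax()
# rewrites the (?<name>...) groups before compiling.
LOGGER_PARSER = (
    r"\<\d+\>(?<TimeStamp_1>\S+ +\d+ \d+:\d+:\d+) (?<Word_1>\S+) \S+: "
    r"(?<Word_3>\S+)\|\|\S+=\|\S+=(?<IPAddress_1>\d+\.\d+\.\d+\.\d+)"
    r"\|\S+=(?<IPAddress_2>\d+\.\d+\.\d+\.\d+)\|\w+=(?<HostName_1>[^|]*)"
    r"\|\w+=(?<Number_2>\d+)\|\w+=(?<Number_3>\d+)\|\w+=(?<Number_4>\d+)"
    r"\|\w+=(?<Number_5>\d+)\|\w+=(?<Word_13>[^|]*)\|\w+=(?<Word_16>[^|]*)"
    r"\|\w+=(?<Word_19>\w+)\|\w+=(?<Url_1>[^|]*)\|\w+=[^|]*\|\w+=\|\w+=\|\w+="
    r"(?<Number_6>\d+)\|\w+=[^|]*\|\w+=[^|]*\|\w+=[^|]*\|\w+=([^|]*)\|\w+=([^|]*)\|.*"
)


def to_python_syntax(pattern: str) -> str:
    """Rewrite (?<name>...) to (?P<name>...); (?<= and (?<! lookbehinds are left alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


PARSER = re.compile(to_python_syntax(LOGGER_PARSER))

# Which Web Gateway field each positional group captured, derived by lining the
# expression up against the raw event in the question (assumption, not a
# Logger-defined mapping).
FIELD_MEANING = {
    "TimeStamp_1": "syslog timestamp",
    "Word_1": "syslog hostname",
    "Word_3": "product tag",
    "IPAddress_1": "src_ip",
    "IPAddress_2": "server_ip",
    "HostName_1": "host",
    "Number_2": "url_port",
    "Number_3": "status_code",
    "Number_4": "bytes_from_client",
    "Number_5": "bytes_to_client",
    "Word_13": "categories",
    "Word_16": "rep_level",
    "Word_19": "method",
    "Url_1": "url",
    "Number_6": "block_res",
}


def parse_event(line: str) -> Optional[dict]:
    """Return the named groups for one raw event, or None if the parser does not match it."""
    m = PARSER.fullmatch(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def explain(line: str) -> Optional[dict]:
    """Like parse_event(), but keyed by the Web Gateway field each group corresponds to."""
    groups = parse_event(line)
    if groups is None:
        return None
    return {FIELD_MEANING[name]: value for name, value in groups.items()}


# The raw event exactly as posted in the question.
RAW_EVENT = (
    "<30>Apr 23 14:22:41 LANGOLANGO01 mwg: McAfeeWG||auth_user=|src_ip=10.10.10.12"
    "|server_ip=8.8.8.8|host=login.windows.net|url_port=443|status_code=200"
    "|bytes_from_client=2248|bytes_to_client=13408|categories=Software/Hardware"
    "|rep_level=Minimal Risk|method=CONNECT|url=https://login.windows.net"
    "|media_type=|application_name=|user_agent=|block_res=0|block_reason="
    "|virus_name=|hash=|filename=|filesize=0|"
)

# Constructed sample: a blocked GET, with auth_user, application_name and
# user_agent left empty just as in the posted event.
BLOCKED_EVENT = (
    "<30>Apr 23 14:25:07 LANGOLANGO01 mwg: McAfeeWG||auth_user=|src_ip=10.10.10.13"
    "|server_ip=203.0.113.5|host=example.com|url_port=80|status_code=403"
    "|bytes_from_client=512|bytes_to_client=0|categories=Malicious Sites"
    "|rep_level=High Risk|method=GET|url=http://example.com/|media_type=text/html"
    "|application_name=|user_agent=|block_res=1|block_reason=URL Block"
    "|virus_name=|hash=|filename=|filesize=0|"
)

# Constructed sample: the posted event with a populated auth_user field.
AUTH_USER_EVENT = RAW_EVENT.replace("auth_user=|", "auth_user=jdoe|")

if __name__ == "__main__":
    for label, line in (("posted", RAW_EVENT), ("blocked", BLOCKED_EVENT),
                        ("authenticated", AUTH_USER_EVENT)):
        print(label, explain(line))
```

The posted event and the constructed blocked request both parse, so the expression itself is not the reason nothing shows up in Logger. The authenticated sample returns None: the fragment `\|\|\S+=\|\S+=` only matches when `auth_user` is empty, and `\|\w+=[^|]*\|\w+=\|\w+=\|\w+=(?<Number_6>\d+)` likewise pins `application_name` and `user_agent` to empty values, so any event carrying a username or a browser user agent is silently left unparsed. Because every field is matched positionally through `\|\w+=`, a change in the Web Gateway log field order breaks all groups at once, which is the kind of silent gap a test like this catches before the parser is trusted for detection.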

Accepted Solution: COEST (Community Manager)

Re: Step by step - Parser syslog Logger

Hello!

One of the reasons this post has not been answered yet may be that your question and related issue are rather complex and will take some time to investigate.

Since we do have a SmartConnector for that product, why don't you use it? Any technical or process reason for that?

Are you expecting the Logger to parse the logs as they come in?

This is possible: you can do it at ingestion. Once you have defined a source type, you need to edit the receiver and set that source type on the receiver the logs are coming to. That may be causing your issue.

If this feedback does not help at all, please get in touch with our support team!

Fred Henrique (Respected Contributor)

Re: Step by step - Parser syslog Logger

Thanks for the information, I'll try the recommended solution. But I think that if the Logger has the option of creating a specific log parser, it could work in a simpler and more correct way. But thank you anyway.