nils.guenther@t Honored Contributor.

Syslog NG connector: How to access syslog structured data?

Hi all,

On a Syslog NG connector I am getting warnings: This Syslog NG message has structured data [...] This will be mapped to event.domainString1

How would I access that data? In the console I do not have that field and it does not seem to be additional data either.

Thanks in advance Nils

5 Replies
nils.guenther@t Honored Contributor.

Re: Syslog NG connector: How to access syslog structured data?

Sorry to push this. I still haven't found anything regarding structured data and domainfield1. As this might not be resolvable, could someone please provide me with information on how to disable the warnings in agent.log? I'm getting a warning for each single message and only this puts heavy load on my connector (not to mention that it renders the agent.log useless).

Marijo Mandic Acclaimed Contributor.

Re: Syslog NG connector: How to access syslog structured data?

Hello,

1) Path for default SmartConnector settings:
<connector_home>/current/config/agent/agent.defaults.properties

2) There you have:
# The loglevel for the default package. Anything with a level >= the one
# specified will be logged.
# 0 = Debug, 1 = Info, 2 = Warn, 3 = Error, 4 = Fatal
log.channel.file.property.package.com.arcsight=1

3) Add this to "agent.properties" with new loglevel (replace "X" with some other number) and restart SmartConnector:
<connector_home>/current/user/agent/agent.properties

#Change default loglevel
#log.channel.file.property.package.com.arcsight=1
log.channel.file.property.package.com.arcsight=X

4) I did not test this, but you can try. Keep in mind that the logs give insight into what is happening, and they are needed if at some point a Service Request becomes necessary in the future.

Regards,

Marijo

nils.guenther@t Honored Contributor.

Re: Syslog NG connector: How to access syslog structured data?

Hi Marijo,

thanks for the reply. Your suggested setting would influence the global log level. I just want to get rid of the structured data warnings. So I tried to add the specific package which I'd like to silence (neither of them worked):

log.channel.file.property.package.default.com.arcsight.agent.dp.f=3

log.channel.file.property.package.com.arcsight.agent.dp.f=3

Marijo Mandic Acclaimed Contributor.

Re: Syslog NG connector: How to access syslog structured data?

Hello,

please add the following to agent.properties (restart the SmartConnector after the change) and let me know whether you still see the messages in agent.log:
#syslogng.header.tag= APPNAME PROCID MSGID STRUCTURED_DATA MESSAGE
#syslogng.header.tag=(?s)^(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(-|(?:\\[\\S+@[^\\]]+\\])+)\\s+(.*)
syslogng.header.tag=(?s)^(\\S+)\\s+(\\S+)\\s+(\\S+)\\s+(-|(?\:\\[\\S+@?[^\\]]\\]))s+(.*)

Regards,

Marijo

nils.guenther@t Honored Contributor.

Re: Syslog NG connector: How to access syslog structured data?

Hi Marijo,

allow me some questions about this regex, specifically the part +(-|(?\:\\[\\S+@?[^\\]]\\]))s

Is the single backslash before the colon intentional?

Is the matching of a literal "s" intentional?

Could you elaborate a bit on the intention of the new regex? I can't quite get it.

Thanks in advance, Nils

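Added example, not code from the thread and not ArcSight's own parser: the commented-out syslogng.header.tag pattern in Marijo's second reply (APPNAME PROCID MSGID STRUCTURED_DATA MESSAGE) and the active line below it, applied with Python's re module to a few constructed RFC 5424 message tails, plus a small parser that turns the STRUCTURED_DATA field into a dict so you can see what the connector's warning is talking about. Assumptions: agent.properties uses Java .properties escaping, so each "\\" in the file reaches the regex engine as "\" and "\:" as ":" (which is why the patterns below are written with single backslashes); the pattern is applied to the part of the line after the timestamp and hostname; the sample lines are constructed here, modelled on the examples in RFC 5424 section 6.5. This also answers the questions in Nils's last post empirically: with the active line, the "s+" without a backslash is a literal "s", and the single-element SD group no longer matches real SD-ELEMENTs, so none of the samples match it.

```python
import re

# Header pattern from the commented-out syslogng.header.tag line in the reply above,
# written as a Python raw string, i.e. as it reads after a Java .properties loader has
# turned every "\\" into "\" (assumption about agent.properties, see lead-in).
# Groups: APPNAME PROCID MSGID STRUCTURED_DATA MESSAGE
HEADER_RE = re.compile(r"(?s)^(\S+)\s+(\S+)\s+(\S+)\s+(-|(?:\[\S+@[^\]]+\])+)\s+(.*)")

# The active (uncommented) line from the same reply, read the same way: "\:" in a
# properties file is just ":", and "s+" with no backslash is one or more literal "s".
ACTIVE_RE = re.compile(r"(?s)^(\S+)\s+(\S+)\s+(\S+)\s+(-|(?:\[\S+@?[^\]]\]))s+(.*)")

# RFC 5424 SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
# PARAM-VALUE may contain the escapes \" \] and \\ .
SD_ELEMENT_RE = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def unescape_param(value):
    """Undo the three escapes RFC 5424 allows inside PARAM-VALUE."""
    return re.sub(r'\\(["\]\\])', r"\1", value)


def parse_structured_data(field):
    """Turn the STRUCTURED_DATA field ("-" or one or more SD-ELEMENTs) into
    {sd_id: {param_name: param_value}}."""
    if field == "-":
        return {}
    sd = {}
    for element in SD_ELEMENT_RE.finditer(field):
        sd_id, params = element.group(1), element.group(2)
        sd[sd_id] = {name: unescape_param(raw) for name, raw in SD_PARAM_RE.findall(params)}
    return sd


def parse_header_tail(text, pattern=HEADER_RE):
    """Apply a syslogng.header.tag style regex to the part of a syslog line that follows
    the timestamp and hostname. Returns the fields by name, or None if it does not match."""
    m = pattern.match(text)
    if m is None:
        return None
    appname, procid, msgid, sd_field, msg = m.groups()
    return {
        "appname": appname,
        "procid": procid,
        "msgid": msgid,
        "sd": parse_structured_data(sd_field),
        "msg": msg,
    }


# Constructed sample tails (what follows "<PRI>1 TIMESTAMP HOSTNAME " in RFC 5424);
# not taken from the thread.
SAMPLES = {
    "two_elements": 'evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" '
                    'eventID="1011"][examplePriority@32473 class="high"] An application event log entry',
    "nil_sd": "su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
    "escaped_values": r'app 1234 - [meta@32473 path="C:\\temp\\x" note="say \"hi\""] done',
}


def check_patterns():
    """Which sample tails does each pattern accept? This is the check to run on a header
    regex before it goes into agent.properties and the connector is restarted."""
    return {
        name: {
            "commented_pattern": parse_header_tail(tail, HEADER_RE) is not None,
            "active_pattern": parse_header_tail(tail, ACTIVE_RE) is not None,
        }
        for name, tail in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, tail in SAMPLES.items():
        print(name, parse_header_tail(tail))
    print(check_patterns())
```

One caveat on the commented-out pattern itself: its SD group uses `[^\]]+`, so a PARAM-VALUE containing an escaped `\]` ends the element early and the rest of the line shifts into the MESSAGE group; the samples above avoid that case, and a hardened header regex would need the same escape-aware value syntax that SD_PARAM_RE uses.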