Syslogserver Message Forwarded from...
We have set up a central log server for multiple AIX servers. Events are getting forwarded to the central system, and the central system is sending the information towards the ArcSight Syslog connector. Everything looks great, except for one thing.
Due to the fact that the events are forwarded, events are giving the value "Message forwarded from Server1.domain.local: <message>". Every field is being filled up the correct way, except for the device hostname. Here the server name of our Logserver is being set instead of the hostname in the event.
I thought setting the value "forwarded" on the smartconnector would help, but when doing that, the whole parsing will fail.
Does anyone have experience with this issue?
Found the solution:
The documentation of the IBM AIX Audit syslog config stated the following:
You can manage parsing of custom AIX-specific forwarding prefixes by adding properties to the agent.properties file (located at $ARCSIGHT_HOME\current\user\agent). These properties can be found in the agent.default.properties file (located at: $ARCSIGHT_HOME\current\config\agent).
The following property controls whether custom AIX-specific forwarding prefixes and facility.priority portions of the headers are removed. This property is disabled (set to 'false') by default. To remove the "forwarding message" phrase, change the value to 'true', as shown below. Note that setting this value to 'true' may cause some performance degradation.
The following property is used to strip out the prefix that AIX adds when it forwards a syslog message to another host:
syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded from
syslog.aix.forwarded.prefixes.delimiter=,
So by adding those fields to the connector it was fixed!
I am looking at the same problem.
The raw syslog looks like this: "<38>Jan 26 15:44:02 Message forwarded from xxxxx: syslog: ssh: failed login attempt for yyy"
With the agent.properties setting
syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded from
It now gets the correct device host name, but the message is not being parsed correctly.
sshd: vasaix: Authentication <failed> for <Active Directory> user: <xxxxx> account: <firstname.lastname@example.org> service: <AIX LAM> reason: <invalid password>
The sshd should have been parsed to device Process Name.
If I change
syslog.aix.forwarded.prefixes.delimiter=,
to
syslog.aix.forwarded.prefixes.delimiter=:
the device Host Name is now set to "Message" and the device Process Name is correct and the Name is now also correct, but all my AIX machines now have the same Host Name. Not good.
Have you seen the same or is it working fine for you?
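The following is an added illustration, not code from this thread or from the ArcSight connector: a simplified model of how the two agent.properties values above could be applied to a raw AIX line. It assumes (as the documented defaults imply) that the delimiter property splits the list of prefixes, and that AIX writes "<prefix> <origin host>: <original message>" after the timestamp. The sample line is constructed, modelled on the one quoted above with hostnames anonymised. It shows why, with the prefix list active, the origin host is recovered and the process tag parses, and why changing the delimiter to ":" leaves the prefix unmatched so that "Message" lands in the host field.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the raw line quoted in the thread (hostnames anonymised).
SAMPLE = ("<38>Jan 26 15:44:02 Message forwarded from aix01: "
          "sshd: vasaix: Authentication <failed> for user: <jdoe> reason: <invalid password>")

# BSD syslog header: <PRI>Mmm dd hh:mm:ss <rest>
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
# Process tag at the start of the message body: "sshd:" or "sshd[123]:"
TAG = re.compile(r"^(?P<proc>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")


def load_prefixes(prefixes_value: str, delimiter_value: str) -> List[str]:
    """Model (assumption) of how the two properties are read: the delimiter
    value splits syslog.aix.forwarded.prefixes into a list of prefix strings."""
    return [p.strip() for p in prefixes_value.split(delimiter_value) if p.strip()]


def strip_forwarded_prefix(rest: str, prefixes: List[str]) -> Optional[Tuple[str, str]]:
    """If the text after the timestamp starts with a known AIX forwarding prefix,
    return (origin_host, original_message); otherwise None."""
    for prefix in prefixes:
        if rest.startswith(prefix + " "):
            after = rest[len(prefix) + 1:]
            host, sep, remainder = after.partition(":")
            host = host.strip()
            if sep and host and " " not in host:
                return host, remainder.lstrip()
    return None


def parse_event(line: str, prefixes: List[str]) -> Dict[str, Optional[object]]:
    """Parse one raw line into the fields the thread discusses (host, process, message)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    stripped = strip_forwarded_prefix(rest, prefixes)
    if stripped:
        host, body = stripped
    else:
        # No prefix matched: the first token after the timestamp is taken as the host,
        # which is how "Message" ends up in the host field.
        host, _, body = rest.partition(" ")
    tag = TAG.match(body)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": host,
        "process": tag.group("proc") if tag else None,
        "message": tag.group("msg") if tag else body,
    }


if __name__ == "__main__":
    configs = {
        "no prefixes": [],
        "prefixes, delimiter ','": load_prefixes("Message forwarded from,Forwarded from", ","),
        "prefixes, delimiter ':'": load_prefixes("Message forwarded from,Forwarded from", ":"),
    }
    for name, prefixes in configs.items():
        ev = parse_event(SAMPLE, prefixes)
        print(f"{name:28s} host={ev['host']!r:12s} process={ev['process']!r}")
```

Running it prints one line per configuration: only the documented pair (prefix list plus "," delimiter) yields host aix01 and process sshd; the other two leave "Message" as the host, which is the symptom described in the last post.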