
Syslogserver Message Forwarded from...

Hello,

We have set up a central log server for multiple AIX servers. Events are getting forwarded to the central system, and the central system is sending the information towards the ArcSight Syslog connector. Everything looks great, except for 1 thing.

Due to the fact that the events are forwarded, events are giving the value "Message forwarded from Server1.domain.local: <message>". Every field is being filled up the correct way, except for the device hostname. Here the server name of our Logserver is being set instead of the hostname in the event.

I thought setting the value "forwarded" on the smartconnector would help, but when doing that, the whole parsing will fail.

Does anyone have experience with this issue?

Roy    


Found the solution:
The documentation of the IBM AIX Audit syslog config stated the following:

You can manage parsing of custom AIX-specific forwarding prefixes by adding properties to the agent.properties file (located at $ARCSIGHT_HOME\current\user\agent). These properties can be found in the agent.default.properties file (located at: $ARCSIGHT_HOME\current\config\agent).

The following property controls whether custom AIX-specific forwarding prefixes and facility.priority portions of the headers are removed. This property is disabled (set to 'false') by default. To remove the "forwarding message" phrase, change the value to 'true', as shown below. Note that setting this value to 'true' may cause some performance degradation.

syslog.aix.enabled=true

The following property is used to strip out the prefix that AIX adds when it forwards a syslog message to another host:

syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded from

syslog.aix.forwarded.prefixes.delimiter=,

So by adding those fields to the connector it was fixed!


Hi Roy

I am looking at the same problem.

The raw syslog looks like this: "<38>Jan 26 15:44:02 Message forwarded from xxxxx: syslog: ssh: failed login attempt for yyy"

With the agent.properties setting

syslog.aix.enabled=true

syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded from

syslog.aix.forwarded.prefixes.delimiter=,

It now gets the correct device host name, but the message is not being parsed correctly.

sshd[12320942]: vasaix: Authentication <failed> for <Active Directory> user: <xxxxx> account: <xxxxx@res.yyy.dk> service: <AIX LAM> reason: <invalid password>

The sshd should have been parsed to device Process Name

If I change the

syslog.aix.forwarded.prefixes.delimiter=, to syslog.aix.forwarded.prefixes.delimiter=:

The device Host Name is now set to "Message" and the device process Name is correct and the Name is now also correct, but all my AIX machines now have the same Host Name. Not good.

Have you seen the same or is it working fine for you?

/Per

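To make the two replies above concrete, here is an added example (not ArcSight code and not a reproduction of the connector's real parser) that models what the `syslog.aix.forwarded.prefixes` / `...delimiter` settings have to do: split the prefix list on the delimiter, strip a matching "prefix <host>: " and take <host> as the device host, then parse "process[pid]:" from what remains. It also reproduces the symptom from the second reply: with the delimiter set to ":" the prefix list never matches, so the fallback header parser takes the literal word "Message" as the host. Host names, PIDs and user names in the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLES = [
    "<38>Jan 26 15:44:02 Message forwarded from aix01: sshd[12320942]: vasaix: "
    "Authentication <failed> for <Active Directory> user: <jdoe> account: "
    "<jdoe@example.test> service: <AIX LAM> reason: <invalid password>",
    "<38>Jan 26 15:44:02 Forwarded from aix02: syslog: ssh: failed login attempt for jdoe",
    "<38>Jan 26 15:44:02 aix03 sshd[4242]: Accepted publickey for jdoe",  # not forwarded
]

# RFC 3164 style header: <PRI>MMM dd hh:mm:ss <rest>
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
# "process[pid]: message" or "process: message"
PROC_RE = re.compile(r"^(?P<proc>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

@dataclass
class Event:
    facility: int
    severity: int
    device_host: str
    process: Optional[str]
    pid: Optional[str]
    message: str

def parse_aix_forwarded(line: str, prefixes: str, delimiter: str) -> Event:
    """Hypothetical model of the connector settings: `prefixes` and `delimiter`
    mirror syslog.aix.forwarded.prefixes and syslog.aix.forwarded.prefixes.delimiter."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri, rest = int(m.group("pri")), m.group("rest")
    host = None
    for prefix in (p.strip() for p in prefixes.split(delimiter) if p.strip()):
        if rest.startswith(prefix + " "):
            # "<prefix> <origin-host>: <original message>"
            host, sep, rest = rest[len(prefix) + 1:].partition(": ")
            if not sep:
                raise ValueError("forwarding prefix without origin host")
            break
    if host is None:
        # No forwarding prefix: the first token after the timestamp is the host.
        host, _, rest = rest.partition(" ")
    pm = PROC_RE.match(rest)
    proc, pid, msg = (pm.group("proc"), pm.group("pid"), pm.group("msg")) if pm else (None, None, rest)
    return Event(pri >> 3, pri & 7, host, proc, pid, msg)
```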