subindbabu Honored Contributor.

What is the Role of syslog.properties file in a syslog Connector?

Hi all Experts,

First of all, thank you so much for giving such a good opportunity.

I need to know how the connector selects the correct parser file for a device integrated with a syslog connector, and what is the role of the syslog.properties file in that?

--SUBIN--

SUBIN D BABU
Security Solutions
Paladion

Re: What is the Role of syslog.properties file in a syslog Connector?

Hi SUBIN,

syslog.properties is the file the connector uses as it parses each event type to keep track of what parser to use for that device from then on. If events were parsing with incorrect Device Vendor/Product prior to the override, delete the syslog.properties file before restarting the connector. It will be re-created when the connector is restarted.

Regards,

Victor Yu

subindbabu Honored Contributor.

Re: What is the Role of syslog.properties file in a syslog Connector?

Hi Victor,

Thank you for your reply.

Suppose I have one device X and two inbuilt syslog connector parsers A and B, where using A and B the logs are parsing successfully. Of those, A is parsing correctly and B is parsing incorrectly.

When X pushes the logs and they reach the connector, the connector takes parser file B, which is not parsing correctly. In the syslog.properties file I can see an entry showing that X has taken parser B.

So my question is: if I edit the syslog.properties file so that X takes parser A, does it work?

--SUBIN--

SUBIN D BABU
Security Solutions
Paladion

Re: What is the Role of syslog.properties file in a syslog Connector?

Hi SUBIN,

The syslog.properties file is generated by the SmartConnector framework. It's not a user-configurable file. If the SmartConnector picked an incorrect parser for any given device, check your 'customsubagentlist' in the agent.properties file.

Regards,

Victor Yu

pbrettle Acclaimed Contributor.

Re: What is the Role of syslog.properties file in a syslog Connector?

The way that parsing works is that the separate syslog parsers are compiled into a single decision tree. This is true for the built-in parsers as well as any custom FlexConnectors. Each connector type / log source type is a separate connector file but this is NOT in the syslog properties files. For in-built parsers, they are actually obfuscated and not available for direct access - the reason is that other competitors and vendors will just steal them if we didn't do some level of protection. So while it might look like one parser, a syslog parser has around 70+ parser files in it.

So when you start a syslog parser, it reads all of these parser files and compiles them into a single decision tree in memory. It's this decision tree that is used to process the event messages - when it gets a positive match on a parser, it will then track that log source (IP or hostname) and the parser type for later processing, so we don't need to do the decision tree each and every time. As we receive data, the decision tree is used to build up a map of which source needs which parser.

Therefore, if you have one source that is parsing correctly, it is getting processed correctly by the decision tree. If the second source ISN'T getting processed correctly then this is an issue with that parser - NOT the syslog properties file. You need to fix the parser in question rather than anything else, and there is no configuration needed to lock a source to a parser file.

If it's a FlexConnector, you need to make sure the parsing process is set correctly. If you have no FlexConnector defined, I would recommend that you go through the process of doing this. But remember the decision tree builds the mapping out - and your processing must be 100% accurate - match the format of the syslog message EXACTLY. If not, it will usually get picked up by the generic Unix parser which just processes the simple fields. This is why you end up with the fields of name usually filled with data....
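
A simplified model of the behaviour described in this thread, added here as an illustration and not ArcSight code: an ordered parser list stands in for the compiled decision tree, and `source_map` stands in for the source-to-parser tracking that syslog.properties holds. The parser names, regexes, source IP and sample event are all constructed.

```python
import re

# Constructed parser definitions; these are not real ArcSight parser files.
GENERIC = ("generic_unix", re.compile(r"^(?P<name>.*)$"))
LOOSE_B = r"^\S+: (?P<name>.*)$"  # too loose: also matches device X's events
STRICT_B = r"^fw: action=(?P<act>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
PARSER_A = r"^vpn: user=(?P<user>\S+) result=(?P<result>\w+)$"

def build_parsers(strict_b):
    b = STRICT_B if strict_b else LOOSE_B
    return [("parser_B", re.compile(b)), ("parser_A", re.compile(PARSER_A))]

class Connector:
    def __init__(self, parsers, source_map=None):
        self.parsers = parsers
        # source -> parser name, remembered after the first positive match
        self.source_map = dict(source_map or {})

    def process(self, source, message):
        by_name = dict(self.parsers + [GENERIC])
        name = self.source_map.get(source)
        if name is None:
            # First event from this source: first matching parser wins,
            # otherwise the generic parser picks it up.
            name = next((n for n, rx in self.parsers if rx.match(message)),
                        GENERIC[0])
            self.source_map[source] = name
        m = by_name[name].match(message)
        return name, (m.groupdict() if m else {})

EVENT = "vpn: user=alice result=failure"  # constructed event from device X
SRC = "10.0.0.5"                          # constructed source address

def demo():
    loose = Connector(build_parsers(strict_b=False))
    before = loose.process(SRC, EVENT)
    # Parser fixed but the old mapping kept: X is still pinned to parser_B.
    stale = Connector(build_parsers(True), loose.source_map).process(SRC, EVENT)
    # Parser fixed and mapping cleared: X is re-detected from scratch.
    fixed = Connector(build_parsers(True)).process(SRC, EVENT)
    return before, stale, fixed

if __name__ == "__main__":
    for label, result in zip(("before", "stale", "fixed"), demo()):
        print(label, result)
```

In this model the misparse originates in the parser pattern, and the stored mapping only preserves the earlier decision, which is why the replies above point at fixing the parser and letting the mapping be rebuilt.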

subindbabu Honored Contributor.

Re: What is the Role of syslog.properties file in a syslog Connector?

Thank you, Paul

SUBIN D BABU
Security Solutions
Paladion