Write a Syslog parser for devices that are not recognized by ArcSight
I need some help regarding a syslog SmartConnector for devices that are not recognized by ArcSight.
I have one syslog SmartConnector that receives events from four different devices. Two of these devices are correctly recognized and supported by ArcSight; the other two are not supported by ArcSight, and I want to write a syslog parser to parse and categorize these devices correctly.
The problem is that these devices are recognized by ArcSight not as unknown devices but as different device types. For example, one device is categorized as CISCO Router and the other device is categorized as STONEGATE, but the devices are neither of those.
I have written the flex parser, in which I have inserted the regex expression that matches the device correctly, but it seems that this regex is never matched.
I have a doubt: how does the "smart connector syslog" work if it receives events from a device that seems to be a well-known device but is instead a different device whose events only look similar? Is there an option or workaround that permits me to tell the ArcSight SmartConnector "Use my parser before you use your default parser"?
Thanks in advance for the help.
You can specify which parsers to look for in the agent.properties file.
Change these lines:
to something like this:
That will tell it to look at only the sourcefire_syslog subagent, so whatever subagent it's matching erroneously won't be matched.
Thanks a lot for your quick answer.
I have modified my agent.properties as you told me in your previous post, but I am still not able to parse the events that are coming in.
I have noticed that my custom subagent is not mentioned in the agent.log during the startup of the SmartConnector. I have placed my subagent file in this directory:
and I have called the file:
I have modified the syslog agent in this way:
Have I done all the steps correctly, so that the problem is in the subagent file (for example a bad regex for the parser), or have I made other errors?
Thanks in advance for your support.
I wouldn't delete all that subagent list, especially if the connector you installed is in use by several devices; that configuration change will affect all the parsing of all the devices that report to it.
I'd first check for regex errors in the parser, until I am sure that the parser is working accurately (I suggest you add .* at the start and the end of the regex). Secondly, check the syslog.conf file, locate the IP of the reporting devices that you have issues with and delete the string that corresponds to them.
Please report your results. I find that most of the errors with syslog flex are with the regex.
Did you solve this?
Your approach is right, if no other syslog messages are received by that connector, but you can't just put your flexconnector into that list. That won't work.
There is an entry at the end of this list named something like flexagent or so. That is the component in which your flexconnector runs.
So your customsubagentlist would look similar to
I don't remember the exact wording, but you can find it in a default agent.properties file.
The story gets more difficult if you do have Stonesoft and Cisco devices sending to the same daemon. In that case you would need to change the parser order, and that is very tricky.
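As an added illustration of the two points raised in this thread (the `.*` at the start and end of the flex regex, and the subagent order deciding which parser claims an event), here is a small Python simulation that is not part of the thread and is not ArcSight's own code: subagents are tried in list order, the first whose regex fully matches the raw syslog line wins, and the whole-message matching, the subagent names, the patterns and the sample events are all constructed assumptions for the demonstration.

```python
import re

# Constructed syslog lines: a priority/timestamp/host header, then the device's own message.
SAMPLE_EVENTS = [
    "<134>Jan 12 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/443",
    "<134>Jan 12 10:15:02 appl01 MYDEV: user=alice action=login result=success",
    "<134>Jan 12 10:15:03 appl01 MYDEV: user=bob action=login result=failure",
]

# Hypothetical subagent table (name, regex), tried in list order; the first full match wins.
# These patterns are illustrative only, not ArcSight's real parser definitions.
DEFAULT_SUBAGENTS = [
    ("cisco_router", re.compile(r".*%ASA-\d-\d+:.*")),
    # A loose vendor pattern that also happens to match the unsupported device's events,
    # so those events get categorized as that vendor before the custom parser is tried.
    ("stonegate", re.compile(r".*user=\S+.*")),
    # The custom flex parser sits last, so it never sees events claimed above it.
    ("my_flex", re.compile(r".*MYDEV: user=(\S+) action=(\S+) result=(\S+).*")),
]

# The same custom regex without the leading and trailing .* that the answer recommends.
UNANCHORED_FLEX = re.compile(r"MYDEV: user=(\S+) action=(\S+) result=(\S+)")

# Assumed: the subagent list restricted to the custom parser only, as the first answer suggests.
RESTRICTED_SUBAGENTS = [s for s in DEFAULT_SUBAGENTS if s[0] == "my_flex"]


def first_match(event, subagents):
    """Return the name of the first subagent whose regex fully matches the event, else None."""
    for name, regex in subagents:
        if regex.fullmatch(event):
            return name
    return None


def route_all(events, subagents):
    """Map each event to the subagent that claims it under the given order."""
    return [first_match(e, subagents) for e in events]


def parse_with(regex, event):
    """Apply one flex-style regex with whole-message semantics and return its captured fields."""
    m = regex.fullmatch(event)
    if m is None:
        # Without .* around the pattern, the syslog header alone makes the full match fail.
        return None
    user, action, result = m.groups()
    return {"user": user, "action": action, "result": result}
```

With the default order the MYDEV events are claimed by the loose "stonegate" pattern, with the restricted list they reach the custom parser, and the unanchored regex matches nothing at all.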