
Write a Syslog parser for devices that are not recognized by ArcSight

Hi all,

I need help regarding a syslog smart connector for devices that are not recognized by ArcSight.

I have one syslog smart connector that receives events from four different devices. Two of these devices are correctly recognized and supported by ArcSight; the other two are not supported by ArcSight, and I want to write a syslog parser to parse and categorize these devices correctly.

The problem is that these devices are recognized by ArcSight not as unknown devices but as different device types. For example, one device is categorized as CISCO Router and the other device is categorized as STONEGATE, but the devices are neither of these.

I have written the flex parser, in which I have inserted the regex expression that correctly matches the device, but it seems that this regex is never matched.

I have a doubt: how does the "smart connector syslog" work if it receives events from a device that seems to be a well-known device but is actually a different device that only has similar events? Is there an option or workaround that permits me to tell the ArcSight smart connector "Use my parser before you use your default parser"?

Thanks in advance for the help.

Hi.


You can specify which parsers to look for in the agent.properties file.

Change these lines:

agents[0].customsubagentlist=ciscopix_syslog|netscreen_syslog|cyberguard_syslog|niksun_syslog|sourcefire_syslog|intrushield_syslog|ciscovpnios_syslog|sonicwall_syslog|apache_syslog|netscreen_idp_syslog|ciscovpnnoios_syslog|attackmitigator_syslog|rsaace_syslog|ciscoaironet_syslog|ciscorouter_syslog|nortelvpn_syslog|pf_syslog|coreguard_syslog|watchguard_syslog|fortigate_syslog|peakflow_syslog|honeyd_syslog|neoteris_syslog|prosafe_syslog|trushield_syslog|alcatel_syslog|extreme_syslog|tippingpoint_syslog|nokiasecurityplatform_syslog|whatsup_syslog|airdefense_syslog|stealthwatch_syslog|nsm_syslog|nagios_syslog|netcontinuum_syslog|cef_syslog|tlattackmitigator_ng_syslog|airmagnet_enterprise_syslog|manhunt_syslog|m40e_aspic_syslog|ironmail_syslog|ciscorouter_nonios_syslog|ingrian_syslog|nitrosecurity_syslog|junipernetscreenvpn_syslog|catos_syslog|ciscoworks_syslog|ipolicy_syslog|symantecnetworksecurity_syslog|bigiron_syslog|type80_syslog|miragecounterpoint_syslog|newbury_syslog|packetalarm_syslog|cyberguard6_syslog|neowatcher_syslog|netkeeper_syslog|snare_syslog|ntsyslog_syslog|f5bigip_syslog|sms_syslog|ciscocss_syslog|barracuda_spamfw_syslog|radware_defensepro_syslog|barracuda_spamfw_ng_syslog|bluecoatsg_syslog|peakflowx_syslog|aruba_syslog|mcafeesig_syslog|stonegate_syslog|ciscosecureacs_syslog|tripwire_enterprise_syslog|datagram_iis_syslog|oracle_audit_syslog|sms7x_syslog|messagegate_syslog|cyberguard52_syslog|symantecendpointprotection_syslog|cisco_mse|junipernetscreenvpn_6x_syslog|netscreen_idp5_syslog|bsm_syslog|junipernetscreenvpn_keyvalue_syslog|citrix_syslog|linux_auditd_syslog|netappfiler_syslog|vmwareesx_syslog|junos_syslog|ironport_text_file|ironport_http_file|sidewinder_syslog|gauntlet_syslog|flexagent_syslog|sendmail_syslog|nsm2009_syslog|ciscosecureacs51_syslog|generic_syslog

agents[0].usecustomsubagentlist=false

to something like this:

agents[0].customsubagentlist=sourcefire_syslog

agents[0].usecustomsubagentlist=true

That will tell it to look at only the sourcefire_syslog subagent, so whatever subagent it's matching erroneously won't be matched.


Hi chrisb,

Thanks a lot for your quick answer.


I have modified my agent.properties as you told me in your previous post, but I'm still not able to parse the events that are coming in.

I have noticed that my custom subagent is not mentioned in the agent.log during the startup of the smart connector. I have placed my subagent file in this directory:


/opt/ArcSightSmartConnectors/syslog/current/user/agent/flexagent/syslog/


and I have called the file:

astaro.subagent.sdkrfilereader.properties

I have modified the syslog agent in this way:


agents[0].customsubagentlist=astaro_syslog
agents[0].usecustomsubagentlist=true

Have I done all the steps correctly, so that the problem is in the subagent file (for example a bad regex for the parser), or have I made other errors?

Thanks in advance for your support.
Best regards,
S.


Hi Pippo,

I wouldn't delete all of that subagent list, especially if the connector you installed is in use by several devices; that configuration change will affect the parsing of all the devices that report to it.

I'd first check for regex errors in the parser, after I am sure that the parser is working accurately (I suggest you add .* at the start and the end of the regex). Secondly, check the syslog.conf file, locate the IP of the reporting devices that you have issues with and delete the string that corresponds to them.

Please report your results. I find that most of the errors with syslog flex are with the regex.

Best regards,

Ilia


Did you solve this?

Your approach is right if no other syslog messages are received by that connector, but you can't just put your flexconnector into that list. That won't work.

There is an entry at the end of this list named something like flexagent or so. That is the component in which your flexconnector runs.

So your customsubagentlist would look similar to

agents[0].customsubagentlist=flexagent

I don't remember the exact wording, but you can find it in a default agent.properties file.

The story gets more difficult if you do have Stonesoft and Cisco devices sending to the same daemon. In that case you would need to change the parser order, and that is very tricky.

-Till

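To make Till's point about first-match parser order and Ilia's tip about wrapping the regex in .* concrete, here is an added toy model of subagent dispatch; it is not ArcSight's own code, and every subagent pattern, the hypothetical Astaro regex and the sample event are constructed for illustration. It assumes the engine matches the whole syslog message, which is why the unwrapped regex fails.

```python
import re

# Constructed stand-ins for the subagents named in agent.properties; NOT ArcSight's real patterns.
SUBAGENT_PATTERNS = {
    # deliberately loose stand-in (": word") so it can wrongly claim another vendor's lines
    "ciscorouter_syslog": r".*: [A-Za-z]+.*",
    "stonegate_syslog": r".*Stonegate.*",
    "flexagent": r".*",       # the component in which a user flex parser runs (Till's point)
    "generic_syslog": r".*",
}
DEFAULT_LIST = "ciscorouter_syslog|stonegate_syslog|flexagent|generic_syslog"

# Hypothetical flex regex for the unsupported device, without and with the leading/trailing .*
ASTARO_BARE = r'id="(\d+)" severity="(\w+)" sys="(\w+)" name="([^"]+)"'
ASTARO_WRAPPED = ".*" + ASTARO_BARE + ".*"

# Constructed sample event from the unsupported device
SAMPLE = ('<13>Apr 19 08:00:00 fw01 ulogd[1234]: id="2001" severity="info" '
          'sys="SecureNet" name="Packet dropped" srcip="10.0.0.5"')


def select_subagent(message, customsubagentlist=DEFAULT_LIST, usecustomsubagentlist=False):
    """Return the first subagent whose pattern matches the whole message (first match wins)."""
    order = customsubagentlist.split("|") if usecustomsubagentlist else DEFAULT_LIST.split("|")
    for name in order:
        if name in SUBAGENT_PATTERNS and re.fullmatch(SUBAGENT_PATTERNS[name], message):
            return name
    return None  # no subagent claimed the event


def flex_parse(message, regex):
    """Whole-message match; returns the captured fields, or None when the regex does not fit."""
    m = re.fullmatch(regex, message)
    if m is None:
        return None
    return dict(zip(("id", "severity", "sys", "name"), m.groups()))


def demo():
    return {
        "default_order": select_subagent(SAMPLE),                               # ciscorouter_syslog
        "custom_list_with_flag": select_subagent(SAMPLE, "flexagent", True),    # flexagent
        "custom_list_flag_off": select_subagent(SAMPLE, "flexagent", False),    # still ciscorouter_syslog
        "flex_name_in_list": select_subagent(SAMPLE, "astaro_syslog", True),    # None: not a subagent name
        "bare_regex": flex_parse(SAMPLE, ASTARO_BARE),                          # None
        "wrapped_regex": flex_parse(SAMPLE, ASTARO_WRAPPED)["name"],            # "Packet dropped"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third and fourth results reproduce the two mistakes in the thread: leaving usecustomsubagentlist=false, and listing the flex parser's own name instead of flexagent.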

Hi Till,

Thanks, I have resolved it. I had forgotten to modify the "usecustomsubagentlist" option 😉

P.
