I have a FortiWeb device. I need to install a connector for collecting its logs. I don't want to use a Flex connector.
My device supports CEF syslog, and I want to install a connector that gets the CEF syslog from the FortiWeb device.
If someone has done this, PLEASE help me!
It's incredibly easy. CEF events are almost always sent via syslog, so simply install the "SmartConnector for Syslog" and you should be good to go. There are a few different variants of this, but you most likely require the "Syslog Daemon" version. Go to the HP Support site (Welcome - HP Software Support), log in, use your SAID, and you can go to the "ArcSight SmartConnectors" section and download the platform version you want (Windows, Linux etc.) and install it from there.
However, I strongly recommend that you read the documentation around this and what you need to do to setup the SmartConnector and how you send the data to Logger, ESM or Express:
I installed a Syslog Daemon connector and ran it.
This connector is running in the console,
and I see traffic between the device and the connector on port 514 on our analyzer.
But I cannot see logs from this connector, and the EPS of this connector is 0 in the console!
Why can I not see logs from this connector on the console?!?!?
I'm sorry. I can't send this file because of security policies.
As you probably know, FortiWeb in newer versions provides these methods to send logs as CEF syslog. So how can I use this kind of method? How do I configure the connector or Manager to gather all events?
Do a tcpdump or Wireshark capture on your connector server to see if you are receiving any traffic from your FortiWeb machine at the connector server.
If the logs are reaching the syslog connector daemon, the connector should send that data to its destination irrespective of parsing capability.
Just to follow on from what Anwar has said - if your connector is receiving events, you will see progress messages on the console as you run it! So you should see messages such as "New device identified on x.x.x.x" and so on. You should also have messages showing memory usage and so on. If you aren't getting any messages, you should see the EPS as zero or near to zero (a connector will send some health messages, so it shouldn't be no messages at all).
I would check if anything else is intercepting the UDP traffic though. Check your firewall settings (so it's not blocked) and make sure that syslogd or rsyslogd isn't running. Strange, but the service on some platforms will intercept the traffic and still allow the other software to bind to the socket - it's just you get no traffic! So check the firewall and anything else running on the port.
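The quickest way to separate the three suspects above (the device is not sending, something else is sitting on UDP 514, or the connector is not forwarding) is to inject a known-good CEF event yourself and watch whether the EPS counter moves. The script below is an added example for this thread, not code from the original posts, ArcSight or Fortinet; the connector address, the hostname and the FortiWeb-style field values are assumptions. It builds a correctly escaped CEF:0 payload, wraps it in an RFC 3164 syslog line, parses it back to confirm the escaping round-trips, checks whether another process already holds the UDP port, and sends the event to the connector.

```python
"""Build, parse and send a CEF-over-syslog test event to a Syslog Daemon SmartConnector.

Added example for this thread; not code from the original posts, ArcSight or Fortinet.
Assumptions: the connector address (CONNECTOR_HOST/CONNECTOR_PORT) and the FortiWeb-style
field values in the __main__ block are made up for illustration.
"""
import errno
import re
import socket
import time
from typing import Dict, List, Optional, Tuple

CONNECTOR_HOST = "127.0.0.1"   # assumed: replace with your connector server
CONNECTOR_PORT = 514           # the connector's listening UDP port


def _escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, event_class_id: str,
              name: str, severity: int, extension: Dict[str, str]) -> str:
    """Return a CEF:0 line: CEF:0|Vendor|Product|Version|ClassID|Name|Severity|k=v k=v."""
    header = "|".join(_escape_header(str(f)) for f in
                      (vendor, product, version, event_class_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(str(v))}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def wrap_syslog(cef: str, hostname: str, facility: int = 16, severity: int = 6,
                timestamp: Optional[str] = None) -> str:
    """Wrap a CEF payload in an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host CEF:0|...

    PRI = facility * 8 + severity; the defaults give <134> (local0.info).
    """
    if timestamp is None:
        t = time.localtime()
        timestamp = time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {cef}"


def _split_unescaped(s: str, sep: str, maxsplit: int) -> List[str]:
    """Split on sep, skipping backslash-escaped characters and keeping the escapes."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s: str) -> str:
    # Undo CEF escapes: backslash-backslash, backslash-pipe, backslash-equals, \n and \r.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Parse a syslog line carrying CEF into (7 header fields, extension dict).

    Raises ValueError when there is no CEF payload or the header is malformed, which is
    what the connector faces when the device is set to plain syslog instead of CEF.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields = _split_unescaped(line[start:], "|", 7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = [_unescape(f) for f in fields[:7]]
    raw_ext = fields[7]
    # Extension keys are unescaped tokens at line start or after a space, followed by '='.
    keys = list(re.finditer(r"(?:^| )([A-Za-z0-9_.\[\]]+)=", raw_ext))
    ext: Dict[str, str] = {}
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(raw_ext)
        ext[m.group(1)] = _unescape(raw_ext[m.end():end])
    return header, ext


def udp_port_in_use(host: str, port: int) -> bool:
    """True if another process (the connector, or syslogd/rsyslogd) already holds host:port/udp."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # EACCES on ports below 1024: run with the connector's privileges
    return False


def send_udp(line: str, host: str = CONNECTOR_HOST, port: int = CONNECTOR_PORT) -> int:
    """Send one syslog line over UDP; returns bytes handed to the stack (UDP gives no receipt)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sample event; the values are made up, not real FortiWeb output.
    cef = build_cef("Fortinet", "FortiWeb", "6.0", "10000", "Signature match|SQLi", 7,
                    {"src": "10.0.0.5", "dst": "10.0.0.7", "request": "GET /?id=1 OR 1=1"})
    line = wrap_syslog(cef, "fortiweb01")
    print(line)
    # Run the port check on the connector server with the connector stopped: a True here
    # means some other daemon owns UDP 514 and will swallow the device's traffic.
    if udp_port_in_use("0.0.0.0", CONNECTOR_PORT):
        print("UDP", CONNECTOR_PORT, "is already held by another process")
    print("sent", send_udp(line), "bytes; the connector console EPS should move above 0")
```

Run the port check on the connector server itself with the connector stopped, and run the send from a machine on the same segment as the FortiWeb. If the connector console now reports the new device and a non-zero EPS, the device side is the problem (format or destination); if the event still never appears at the destination, the fault is between the connector and Logger/ESM, not on the syslog side.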
But I think that the Manager doesn't get the syslogs from the connector. All of my connector servers are in the same zone, therefore I don't need to check that port 8443 is open.
I installed another Syslog Daemon connector for Cisco devices, and I have the same problem with it in getting syslogs on the Manager, because:
- on the console, the connector is running
- packets are sent and received between the Cisco devices and the connector server (checked with Wireshark and our firewalls)
- the connector services are running on the connector servers
BUT I don't succeed in getting syslogs on the Manager and viewing them on the console.
Maybe I need to say that my connector servers are Windows and I run the Syslog Daemon connector on them.
Maybe the Manager can't get syslogs from connectors!?!? Just syslog!!!! (I don't have any problems with Windows, antivirus, vulnerability scanner and so on. I have a problem with the SYSLOG DAEMON CONNECTOR only.)