
Connector for syslog messages forwarded from CiscoWorks RME

Hello,

We are trying to import syslog messages forwarded from CiscoWorks RME into the ArcSight syslog daemon connector. The problem is that CiscoWorks RME attaches its own timestamp and IP, so ArcSight parses the syslog as if it came from CiscoWorks (IP 192.168.250.97 in the example output):

Sep 01 13:47:15 192.168.250.97 Sep 01 13:  46:38 10.10.200.31 Sep  1 2010 12:46:14 : %ACE-6-302023: Teardown TCP  connection 0x163b9f for vlan2:10.11.95.24/34969 (10.11.95.24/34969)  to vlan3:10.111.222.221/10050 (10.111.222.221/10050) duration 0:00:00  bytes 468 TCP FINs

Is it possible to construct a FlexConnector, or some kind of sub-agent for the current connector, which will discard the first part of the message:

Sep 01 13:47:15 192.168.250.97

and parse the original syslog message sourced from the device:

Sep 01 13:  46:38 10.10.200.31 Sep  1 2010 12:46:14 : %ACE-6-302023:  Teardown TCP  connection 0x163b9f for vlan2:10.11.95.24/34969  (10.11.95.24/34969)  to vlan3:10.111.222.221/10050  (10.111.222.221/10050) duration 0:00:00  bytes 468 TCP FINs

One more thing I noticed in this syslog is a blank space between ':' and the minutes in the second timestamp:

Sep 01 13:  46:38

Could this be a problem, or can we ignore it?

Thanks in advance!

Kind regards,

--

Marko


Re: Connector for syslog messages forwarded from CiscoWorks RME

One additional question.

If I write a FlexConnector which will have this part:

Sep  1 2010 12:46:14 : %ACE-6-302023:  Teardown TCP  connection 0x163b9f  for vlan2:10.11.95.24/34969  (10.11.95.24/34969)  to  vlan3:10.111.222.221/10050  (10.111.222.221/10050) duration 0:00:00   bytes 468 TCP FINs

as a sub-message, is it possible to use the Cisco parser already in ArcSight to parse this message?

It would be very difficult to write a new sub-message parser for all types of Cisco messages.

Thanks in advance!

--

Marko

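Added example (not code from the thread, from CiscoWorks, or from ArcSight): a stand-alone Python parser for the relayed line shape quoted in the two posts above. It peels off every outer "Mon dd HH:MM:SS host" header, tolerating the stray spaces in "13:  46:38", keeps the innermost header as the originating device address, rebuilds the line as it looked before CiscoWorks prefixed it, and splits the Cisco body on its %FACILITY-SEVERITY-MNEMONIC tag so a dispatcher could route it to a per-facility parser. The sample lines (the first is the post's own line, the second a constructed single-hop variant), the function names and the severity-name table (standard Cisco syslog levels 0..7) are assumptions of this example; nothing here is FlexConnector properties-file syntax, though the regexes could be transcribed into one.

```python
import re

# Constructed sample input: the relayed line quoted in the post, plus a
# constructed variant that carries only the device's own header.
SAMPLE_LINES = [
    "Sep 01 13:47:15 192.168.250.97 Sep 01 13:  46:38 10.10.200.31 "
    "Sep  1 2010 12:46:14 : %ACE-6-302023: Teardown TCP  connection 0x163b9f "
    "for vlan2:10.11.95.24/34969 (10.11.95.24/34969)  to "
    "vlan3:10.111.222.221/10050 (10.111.222.221/10050) duration 0:00:00  "
    "bytes 468 TCP FINs",
    "Sep 01 13:46:38 10.10.200.31 Sep  1 2010 12:46:14 : %ACE-6-302023: "
    "Teardown TCP connection 0x163b9f for vlan2:10.11.95.24/34969 "
    "(10.11.95.24/34969) to vlan3:10.111.222.221/10050 "
    "(10.111.222.221/10050) duration 0:00:00 bytes 468 TCP FINs",
]

# One syslog relay header: "Mon dd HH:MM:SS <ipv4> ".  The optional spaces
# after each ':' absorb the "13:  46:38" quirk observed in the post.
HOP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +"
    r"(?P<h>\d{1,2}): *(?P<m>\d{2}): *(?P<s>\d{2}) +"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) +"
)

# The device's own "Mon  d YYYY HH:MM:SS : " stamp that precedes the %TAG.
DEVICE_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<year>\d{4}) +"
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2}) +: +"
)

# Cisco message tag: %FACILITY-SEVERITY-MNEMONIC:  (ACE uses numeric mnemonics)
TAG_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): *"
)

# Standard Cisco syslog severity levels (assumed mapping for this example).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}


def strip_relay_hops(line):
    """Peel off every leading "Mon dd HH:MM:SS host " header.

    Returns (hops, remainder).  hops[0] is the outermost relay (CiscoWorks in
    the post), hops[-1] the header closest to the device.  The device's own
    "Sep  1 2010 12:46:14" stamp does not match HOP_RE (a year is not a clock
    time), so the loop stops there by itself.
    """
    hops = []
    while True:
        m = HOP_RE.match(line)
        if not m:
            return hops, line
        hops.append({
            "time": "%s %02d %02d:%s:%s" % (m.group("mon"), int(m.group("day")),
                                           int(m.group("h")), m.group("m"),
                                           m.group("s")),
            "host": m.group("host"),
        })
        line = line[m.end():]


def strip_outer_relays(line):
    """Return the line as it looked before the relay(s) prefixed it.

    Only the innermost header is kept, re-emitted with a normalized clock
    time ("13:46:38" instead of "13:  46:38").  Lines with a single header
    are returned unchanged.
    """
    hops, rest = strip_relay_hops(line)
    if len(hops) < 2:
        return line
    inner = hops[-1]
    return "%s %s %s" % (inner["time"], inner["host"], rest)


def parse_cisco_message(msg):
    """Split a device message into timestamp, %TAG fields and free text."""
    ts = DEVICE_TS_RE.match(msg)
    device_time = None
    if ts:
        device_time = "%s %d %s %s:%s:%s" % (
            ts.group("mon"), int(ts.group("day")), ts.group("year"),
            ts.group("h"), ts.group("m"), ts.group("s"))
        msg = msg[ts.end():]
    tag = TAG_RE.match(msg)
    if not tag:
        return None                      # not a Cisco %TAG message
    sev = int(tag.group("severity"))
    return {
        "device_time": device_time,
        "facility": tag.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": tag.group("mnemonic"),
        "message": re.sub(r" {2,}", " ", msg[tag.end():]).strip(),
    }


def parse_relayed_line(line):
    """Full pipeline: drop relay headers, attribute to the device, parse body."""
    hops, rest = strip_relay_hops(line)
    parsed = parse_cisco_message(rest)
    if parsed is None:
        return None
    parsed["relay_hosts"] = [h["host"] for h in hops[:-1]]
    parsed["origin_host"] = hops[-1]["host"] if hops else None
    parsed["origin_time"] = hops[-1]["time"] if hops else None
    return parsed


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(strip_outer_relays(ln))
        print(parse_relayed_line(ln))
```

Because `strip_relay_hops` loops until a header fails to match, the same code copes with any number of relay hops, and the device's own timestamp is never mistaken for a hop. Whatever sits after the %TAG is handed over untouched, which is the hand-off point for an existing Cisco parser.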

Re: Connector for syslog messages forwarded from CiscoWorks RME

We solved this problem by modifying the Perl script on CiscoWorks.

Regards,

--

Marko
