ABHATTACHARJEE (Respected Contributor)

Syslog: custom parser for selective CEF events

Hi All,

We have a device which is sending logs to the syslog connector in CEF format. But for a specific event a big chunk of the log is being mapped into the message field. Device address/Device product and all other information is fine, but I want to map some specific data out of the message field (not the entire field) into device custom string fields.

Additional data mapping is not working here.

I don't have any issue with any other event and so don't want to write a parser for all of them; however, I want that single event to be parsed with more granularity.

Is there any way to write a parser for only that event? Currently I have written a parser specific to the concerned event only, but it is not being picked up by the connector.

It is only working when I take cef_syslog out of the agent.properties file, which means only the event that I have made the parser for is getting parsed with my parser and the other events are not parsing.

So is there any way to make it work where my parser will parse the events it is meant to parse, but the other events will be parsed by the default cef_syslog parser only?

Any pointer on how to make it work would be helpful.

ananth.kumar (Absent Member)

Re: Syslog: custom parser for selective CEF events

HI Abhi,

What are the device Vendor and Product? And, if you don't mind, can you give us a sample (rawEvent) of an event that is not parsing?

-Ananth

ABHATTACHARJEE (Respected Contributor)

Re: Syslog: custom parser for selective CEF events

Hi Ananth,

I just want the Keystroke logging events to be parsed with my parser; a sample is shown below.

Mar 13 18:34:58 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|361|Keystroke logging|5|act=Keystroke logging duser=dummy.name fname=Root\Operating System-UNIX_PSM-10.10.10.10-root src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=UNIX cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, Command\=qconMEclco;ConnectionComponentId\=PSM-SSH;DstHost\=10.10.10.10;Protocol\=SSH;PSMID\=PSM-CYBERPSM;SessionID\=7548a243-4f5f-4631-a17f-00e4190ad76e;SrcHost\=10.22.46.233;SSHOffset\=3586539B;User\=root;VIDOffset\=35115T;, Keystroke logging


While I want to leave any other logs (Retrieve password / Backup Process Initiated) intact for the built-in ArcSight CEF_syslog parser. Samples of those events are shown below.



Apr 08 14:19:29 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|295|Retrieve password|5|act=Retrieve password duser=myuser fname=Root\PSM-CYBERPSM src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PSM cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Retrieve password

Apr 08 14:06:54 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|194|Backup Process Initiated|5|act=Backup Process Initiated duser=DR fname= src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PasswordManager1_workspace cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Backup Process Initiated


-Abhishek

ABHATTACHARJEE (Respected Contributor)

Re: Syslog: custom parser for selective CEF events

Guys,

Issue solved.

Had to use additional regex parsing. Attached is the parser for anyone interested.



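The parser attachment referred to in the last post is not reproduced on this page. As an added illustration of what the thread is asking for (my own code, not the poster's attachment and not ArcSight's cef_syslog parser), the script below does the two-stage parsing in plain Python: every line gets the default CEF header and extension parsing, and only events whose signature ID is 361 (Keystroke logging) get an additional regex pass over the msg field that splits its `Key\=Value;` sub-fields out into named fields. The sample events are the three posted above. The choice of flexString1/flexString2 as target fields (with matching labels) is my assumption; the thread does not say which custom fields the author mapped the data to.

```python
import re
from typing import Any, Callable, Dict, List

# Sample events copied from the posts above (Cyber-Ark Vault CEF over syslog).
SAMPLE_EVENTS: List[str] = [
    r'Mar 13 18:34:58 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|361|Keystroke logging|5|act=Keystroke logging duser=dummy.name fname=Root\Operating System-UNIX_PSM-10.10.10.10-root src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=UNIX cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, Command\=qconMEclco;ConnectionComponentId\=PSM-SSH;DstHost\=10.10.10.10;Protocol\=SSH;PSMID\=PSM-CYBERPSM;SessionID\=7548a243-4f5f-4631-a17f-00e4190ad76e;SrcHost\=10.22.46.233;SSHOffset\=3586539B;User\=root;VIDOffset\=35115T;, Keystroke logging',
    r'Apr 08 14:19:29 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|295|Retrieve password|5|act=Retrieve password duser=myuser fname=Root\PSM-CYBERPSM src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PSM cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Retrieve password',
    r'Apr 08 14:06:54 CYBERVAULT CEF:0|Cyber-Ark|Vault|7.10.0010|194|Backup Process Initiated|5|act=Backup Process Initiated duser=DR fname= src=10.10.10.10 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PasswordManager1_workspace cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Backup Process Initiated',
]

# The seven pipe-delimited CEF header fields that precede the extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of [A-Za-z0-9_.] followed by '=' at the start or after whitespace.
# An escaped '\=' inside a value never matches because '\' sits between the key chars and '='.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Sub-fields inside the Keystroke logging msg, after CEF unescaping: Key=Value;
_MSG_KV = re.compile(r"([A-Za-z0-9_]+)=([^;]*);")

# Assumed target fields for the msg sub-fields (the thread does not name the author's choice).
KEYSTROKE_MSG_MAP = {"Command": "flexString1", "SessionID": "flexString2"}


def _unescape(value: str) -> str:
    """Undo CEF escaping of '=', '|' and '\\'; other backslashes (e.g. Root\\Operating) stay."""
    return re.sub(r"\\([=|\\])", r"\1", value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Default CEF extension parsing: each value runs up to the next key token."""
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip()).strip('"')
    return fields


def parse_keystroke_msg(event: Dict[str, Any]) -> Dict[str, Any]:
    """Extra pass for signature ID 361 only: split msg into its Key=Value; sub-fields."""
    sub = dict(_MSG_KV.findall(event.get("msg", "")))
    extra: Dict[str, Any] = {"msg_fields": sub}
    for src_key, target in KEYSTROKE_MSG_MAP.items():
        if src_key in sub:
            extra[target] = sub[src_key]
            extra[target + "Label"] = src_key
    return extra


# Event-specific parsers keyed by CEF signature ID; everything else gets the default only.
EVENT_PARSERS: Dict[str, Callable[[Dict[str, Any]], Dict[str, Any]]] = {
    "361": parse_keystroke_msg,
}


def parse_event(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF message, then apply any per-event extra parser."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    event: Dict[str, Any] = {"syslog_prefix": line[:idx].strip()}
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)  # split on unescaped '|'
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    for name, raw in zip(HEADER_FIELDS, parts[:7]):
        event[name] = _unescape(raw)
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event.update(parse_extension(parts[7]))
    extra = EVENT_PARSERS.get(event["signature_id"])
    if extra is not None:
        event.update(extra(event))
    return event


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_EVENTS):
        print(ev["signature_id"], ev["name"], ev.get("msg_fields", "(default parsing only)"))
```

The routing decision is made on the CEF signature ID rather than on the event name string, so a renamed event or a locale change in the name field does not silently switch the extra parsing off. Note that the extra pass runs only after the default parsing, so the msg field itself stays populated for the Keystroke logging event as well.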
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.