
Question about syslog connectors


Is it possible to put two syslog Smartconnectors on one server?

I need a place to send my Cisco Secure ACS syslogs. I wanted to use the specific ACS smartconnector for it (not sure if necessary to get all fields).

My setup:

I have a regular syslog daemon connector running on a server and wanted to install a CiscoSecureACSsyslog connector on it as well. I was under the impression that you can only install one syslog connector on a host. However, this sentence in the CiscoSecureACSsyslogConfig.pdf has me confused.

Can anyone shed some light on what this means?

Looking at the "customsubagentlist=" field in the agent.properties file of my syslog connector I see many types of syslogs including the ACS_syslog. Does this mean my syslog connector can parse all these types of logs?


Accepted Solutions

Hi Aaron!

1) Yes, it is possible to have several installed Syslog SmartConnectors on one machine as long as they are listening on different ports.

2) However, a single Syslog SmartConnector is capable of parsing all the types of logs you see in the customsubagentlist property at the same time. This property shows the actual order of parsers in the SmartConnector. When the Syslog SmartConnector receives the first message from a device, it tries to find a match in its list of subagents, starting from the first one in the list. When a match is found, the SmartConnector makes a note of it in the syslog.properties file so that it no longer has to search for an applicable parser for a device that is already familiar to it. At the end there is a "catch all" parser called generic_syslog.

There may be a situation where one device sends several different types of logs to a Syslog SmartConnector. In this case the SmartConnector lists all parsers applicable to the sending device in the syslog.properties file, separating them with a pipe symbol, and applies those parsers in the same order. You can edit this file manually if you think the SmartConnector applies the wrong parser or uses them in the wrong order (you have to restart the SmartConnector after making changes).

Hope this helps

Ihar

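As an added illustration of the parser-selection behaviour Ihar describes (this is example code written for this page, not ArcSight's own code or configuration): an ordered subagent list stands in for customsubagentlist, the first parser whose pattern matches a device's message is remembered for that device, a device that later sends a different log type gets a second parser appended (rendered pipe-separated, as in syslog.properties), generic_syslog is the catch-all, and a hand-edited properties text can be loaded to change the order. All parser names other than ACS_syslog and generic_syslog, all detection patterns, the properties line format and the sample messages are constructed for the example.

```python
"""Simulation of ordered syslog subagent (parser) selection with a per-device
cache, modelled on the behaviour described in the thread. Parser names other
than ACS_syslog and generic_syslog, the regexes, the 'device=p1|p2' line format
and the sample messages are all constructed for this example."""
import re

CATCH_ALL = "generic_syslog"  # implicit last entry; matches everything

# Ordered parser list standing in for the customsubagentlist property.
# Each entry is (parser name, constructed detection pattern); order matters.
SUBAGENT_LIST = [
    ("ACS_syslog", re.compile(r"\bACSAUTH\b")),        # constructed ACS pattern
    ("fw_syslog", re.compile(r"\bFW(DENY|ALLOW)\b")),  # hypothetical parser
    ("vpn_syslog", re.compile(r"\bVPNSESSION\b")),     # hypothetical parser
]
PATTERNS = dict(SUBAGENT_LIST)

# Constructed sample traffic: (sending device, raw message).
SAMPLE_MESSAGES = [
    ("10.0.0.5", "ACSAUTH: user=alice result=passed"),
    ("10.0.0.9", "kernel: eth0 link up"),
    ("10.0.0.5", "FWDENY: src=10.1.1.1 dst=10.2.2.2 port=23"),
    ("10.0.0.9", "VPNSESSION: user=bob state=up"),
]


def scan_subagent_list(message):
    """Walk the ordered list from the top; the first matching parser wins,
    and generic_syslog catches anything nothing else claimed."""
    for name, pattern in SUBAGENT_LIST:
        if pattern.search(message):
            return name
    return CATCH_ALL


class SyslogDispatcher:
    def __init__(self):
        # device -> ordered list of parsers already noted for it
        # (the role syslog.properties plays on disk)
        self.cache = {}

    def dispatch(self, device, message):
        """Return the parser used for this message. Parsers already noted for
        the device are tried first, in their recorded order; only if none of
        them matches is the full subagent list scanned again, and the newly
        found parser is appended to the device's list."""
        cached = self.cache.setdefault(device, [])
        for name in cached:
            if name != CATCH_ALL and PATTERNS[name].search(message):
                return name
        name = scan_subagent_list(message)
        if name not in cached:
            cached.append(name)
        return name

    def render_properties(self):
        """Serialise the cache as 'device=parser1|parser2' lines."""
        return "\n".join(f"{device}={'|'.join(parsers)}"
                         for device, parsers in sorted(self.cache.items()))

    def load_properties(self, text):
        """Load a (possibly hand-edited) properties text, keeping the parser
        order given on each line; unknown parser names are rejected so a typo
        in a manual edit is caught before it silently breaks parsing."""
        self.cache = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            device, parsers = line.split("=", 1)
            names = [p.strip() for p in parsers.split("|") if p.strip()]
            unknown = [n for n in names if n != CATCH_ALL and n not in PATTERNS]
            if unknown:
                raise ValueError(f"{device.strip()}: unknown parser(s) {unknown}")
            self.cache[device.strip()] = names


def run_sample():
    """Feed the constructed sample traffic through a fresh dispatcher and
    return (list of parsers chosen per message, the dispatcher)."""
    dispatcher = SyslogDispatcher()
    chosen = [dispatcher.dispatch(dev, msg) for dev, msg in SAMPLE_MESSAGES]
    return chosen, dispatcher


if __name__ == "__main__":
    chosen, dispatcher = run_sample()
    for (dev, msg), parser in zip(SAMPLE_MESSAGES, chosen):
        print(f"{dev} -> {parser}: {msg}")
    print("--- syslog.properties (simulated) ---")
    print(dispatcher.render_properties())
```

The point the simulation makes is the one worth checking on a real connector: once a device has been noted with a parser, later messages from it are only re-scanned when none of the noted parsers match, so a device that is first seen sending a log type that falls through to generic_syslog keeps that note until you edit the file (and restart), which is exactly the manual correction Ihar mentions.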
6 Replies

You can have more than one connector on a host. If the existing syslog connector is installed as a "daemon" meaning it is listening to the network then they could not both listen on port 514 at the same time.

I believe that the ACS connector is just a parser within the standard syslog connector meaning that one connector should parse both standard syslog and the ACS data properly.

If you are taking in the data on a Linux host, then one option for you would be to take the logs in using syslog-ng; then you could take the incoming data on different ports, write it out to separate log files, and have two different connectors reading the separate output. However, if you do not have a specific requirement for 2 connectors, then you should be able to get the ACS data via a standard syslog connector.

The "customsubagentlist" allows you to define what types of syslog data will be further parsed by a syslog connector. Yes, by default it can parse all those types listed.

HTH

Dean


Thank you for the prompt response. I definitely have a better idea of how ArcSight syslog connectors can be set up.


Thanks for responding. The part about the syslog.properties file is something I had no idea about. It's interesting and something I should check.

Update: Sending the ACS syslogs to the default syslog smartconnector worked. The files are parsed according to the CiscoSecureACSSyslog mappings. I am not getting the 'ad.CmdSet' field which might be due to the fact that I'm using a newer ACS than what my smartconnector supports.

Follow up question:

Is it possible to custom map some field from the Smartconnector?

I know there is a FlexConnector that can parse different types of logs depending on how you set it up. I'm just trying to avoid rewriting everything for only one or two fields.


Aaron,

You might find the following link useful (re mapping fields):

https://protect724.arcsight.com/servlet/JiveServlet/download/2036-5885-21599-5970/map_files.pdf

HTH

Ihar


I am looking through and trying to understand mappings now. Thanks for the info!

Edit: I got it to work by using the method in the first link. It's described here: The folder Cisco/Cisco_Secure_ACS/ was already in the correct place. I set the event.flexString1=CmdSet to get the event. Thanks again.
