• CEF event with syslog header gets device address/hostname parsed wrong if CEF has a dvc= entry

    Hello, we have Check Point firewalls sending events over syslog in CEF format. The problem is that the events also have the syslog header containing deviceAddress. For Check Point's Identity Awareness, events get generated like this: Jan 13 14:25:36 xx.xx.xx…
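    To make the precedence question in the post above concrete, the following is an added example, not code from the thread and not ArcSight's own parser. It parses a CEF event carried inside a syslog line and resolves deviceAddress/deviceHostName from two candidate sources: the syslog header host and the CEF extension keys dvc=/dvchost=. The sample lines, addresses and hostnames are constructed for illustration; the field names and the prefer_cef switch are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines (hypothetical hosts/addresses, not from the original thread).
# Event 1: Check Point style event with both a syslog header host and CEF dvc=/dvchost=.
# Event 2: syslog header with a PRI value, an escaped pipe in the header, no dvc= key.
SAMPLE_EVENTS = [
    "Jan 13 14:25:36 10.0.0.5 CEF:0|Check Point|Identity Awareness|R80.30|Login|User login|3|"
    "dvc=192.168.1.20 dvchost=gw-core-1 src=10.1.2.3 suser=alice msg=Login via AD\\=ok",
    "<134>Jan 13 14:25:37 fw-edge CEF:0|Vendor|Prod\\|uct|1.0|100|Allow|1|src=10.9.8.7 act=allow",
]

# RFC 3164-style header: optional <PRI>, timestamp, host, then the CEF message.
SYSLOG_HDR = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>CEF:.*)$",
    re.S,
)
CEF_HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                     "signatureId", "name", "severity")
# Extension key=value pairs: a value runs until the next " key=" or end of line.
# CEF requires '=' inside values to be escaped as '\=', so an escaped '=' never starts a key.
EXT_KV = re.compile(r"(?P<k>[A-Za-z0-9_.]+)=(?P<v>.*?)(?=\s+[A-Za-z0-9_.]+=|$)", re.S)


def _unescape(s: str) -> str:
    """Undo CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_cef(cef: str):
    """Split the 7 pipe-delimited CEF header fields, honouring '\\|' escapes; return (fields, extension)."""
    parts, cur, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(parts) != 7:
        raise ValueError("incomplete CEF header")
    return parts, cef[i:]


@dataclass
class ParsedEvent:
    header_host: str   # host field of the syslog header (the sender, possibly a relay)
    header: dict       # the 7 CEF header fields
    ext: dict          # CEF extension key/values, unescaped


def parse_cef_syslog(line: str) -> ParsedEvent:
    m = SYSLOG_HDR.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    parts, ext_raw = _split_cef(m.group("msg"))
    header = dict(zip(CEF_HEADER_FIELDS, parts))
    header["version"] = header["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    ext = {kv.group("k"): _unescape(kv.group("v")) for kv in EXT_KV.finditer(ext_raw)}
    return ParsedEvent(m.group("host"), header, ext)


def _kind(host: str) -> str:
    """Classify a syslog header host as an IP address or a hostname."""
    try:
        ipaddress.ip_address(host)
        return "deviceAddress"
    except ValueError:
        return "deviceHostName"


def device_fields(ev: ParsedEvent, prefer_cef: bool = True) -> dict:
    """Resolve deviceAddress/deviceHostName.

    prefer_cef=True: dvc=/dvchost= from the CEF extension win, and the syslog
    header host only fills in whatever CEF did not supply.
    prefer_cef=False: only the syslog header host is used; compare both outputs
    against what the connector actually populated to see which source it took.
    """
    out = {}
    if prefer_cef:
        if "dvc" in ev.ext:
            out["deviceAddress"] = ev.ext["dvc"]
        if "dvchost" in ev.ext:
            out["deviceHostName"] = ev.ext["dvchost"]
    out.setdefault(_kind(ev.header_host), ev.header_host)
    return out


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_cef_syslog(line)
        print(ev.header_host, ev.header["deviceProduct"],
              device_fields(ev), device_fields(ev, prefer_cef=False))
```

    Running it on the first constructed line gives {'deviceAddress': '192.168.1.20', 'deviceHostName': 'gw-core-1'} with the CEF keys preferred and {'deviceAddress': '10.0.0.5'} with the syslog header preferred, which is exactly the discrepancy to check for in the connector's output when the syslog sender is a log relay rather than the device named in dvc=.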
  • Field [rawEvent] truncated Limit

    Hey guys. I have a syslog connector that has problems processing an event of more than 4000 bytes; how can I solve this? I knew that adding the following parameters would solve it: size.validation.fields and size.validation.sizes set to 10,000. Is there…
  • Problem with applying parser for syslog connector

    Hello. Can you help diagnose an issue with applying a parser for the syslog connector? I have the following stages of the issue: 1) I create a config file for the syslog connector and move it to /../current/user/agent/flexagent/syslog/ with a name like parser.sdkrfilereader…
  • Syslog subagent.parsers

    Hello, I don't understand what "syslog.subagent.parsers=" in agent.properties is for. I can enable a custom subagent list where I can use my own parsers, but what does subagent.parsers do? agents[0].customsubagentlist=generic_syslog ??agents[0].syslog.subagent…
  • ArcSight logUnparsedEvent Error

    Hello everyone. I have a problem with the parsing of a SmartConnector, version 8.4. I'm sending logs from a Linux machine with the rsyslog service. I have installed "Syslog Daemon" as the type. I have configured the following entries in the agent…
  • Connectors after switching from 2 TransformationHub destinations (CEF and BINARY) to single AVRO consume much more RAM

    Hello, we have migrated from 2 TransformationHub destinations (CEF and BINARY) to a single AVRO destination (connectors on 8.4 & 8.4.2). We had about 10 connectors per server with 24GB RAM and usually had about 3-4GB of RAM free. After migration,…
  • In what way does Arcsight collect data from different vendors?

    We are interested in purchasing Arcsight for our daily data analysis work, but before that we would like to confirm something. As a data science company, we have storage and switches from different vendors and their syslog fields are not in the same order…
  • Syslog NG NULL Events

    Hello, I am trying to collect syslog with Syslog NG, but the connector can't parse the data. The syslog should be fine and I can see the application data in Wireshark, but nothing in the connector. unparsed events: true custom parser: true (made a completely basic parser to…
  • How to find smart connector name in which file of smart connector

    Hi, there are many types of connector installed. I didn't find out the connector name. Please provide the file name or file path of the smart connector so we can find out the smart connector name.
  • flex connector properties file not working

    I'm having some trouble with the FlexConnector. I wrote the parser file, but every time I run the FlexConnector and send some SSH logs the parser does not work. My parser file is called Vendor_syslog.subagent.sdkrfilereader.properties. I modified in agent…
  • How to change parser file in Syslog Connector?

    Hello everyone, I'm working on the Syslog SmartConnector and I got an error when changing the parser file in the Syslog Connector. I had a parser file (from the ArcSight FlexConnector Regex File Connector). Now I want to apply this parser file to the Syslog Connector…
  • Suddenly we are getting unparsed syslog events

    Hi, recently we have been getting unparsed syslog events, but a few days ago we got the right logs. Unparsed end devices include Cisco switches/routers, Cisco FTD etc., and even some applications (syslog application logs). So, can you please suggest how I can solve…
  • Unparsed syslog event logs

    Hi, recently we have been getting unparsed syslog events, but a few days ago we got the right logs. Unparsed end devices include Cisco switches/routers, Cisco FTD etc., and even some applications. So, can you please suggest how I can solve this problem!!!! …
  • Max number of Fields and Extramappings in flex connector Sub Messages

    Alright, this is something that I have traced down and I have been searching the current documentation but maybe I am just not finding it. I have a syslog regex flex parser in which I have created a submessage pattern. At some point it no longer will…
  • Check Point Unknown agentSeverity

    Hello everyone, I have a Check Point R80.30 firewall with an issue: agentSeverity = Unknown. Here is some information about the system: - ArcSight SmartConnectors: version 8.0.0.8322, type: Syslog Daemon, destination: Logger software version…
  • How do we get rid of the "This Syslog NG message has structured data" warning in agent.log

    I have been getting this warning for a few connector versions now. I am on 8.2.2. I have a Syslog NG connector, and some of the events coming in have what looks like structured data in the message, but it is not structured data. I created a parser…
  • Smartconnector unable to receive syslog via TCP

    We have a syslog SmartConnector and we are trying to see the raw events it receives from a VMware AirWatch console application. We are able to see the syslog data in Wireshark on the SmartConnector host, but the SmartConnector does not output the raw…
  • Syslog SmartConnector - different behavior for Linux "logger" command

    Hi, I am facing different outputs on different Syslog Connectors (with the same configuration) when running the "logger" command on Linux devices. [master@arcsight-mc ~]$ logger -p local6.notice "$(hostname -s) Log N.999" The rawEvent field looks…
  • Parsing Override

    Hi guys, I want to make an override on my syslog connector, as I have a field like this: fnameAndHash, message attachments in the format <filename>|<filehash>|<triggered/clean/malicious>. For example: fnameAndHash=attachName|AttachHash…
  • ArcSight FlexConnector cannot parse syslog

    Hi everyone, I have an issue with the FlexConnector. In my environment, there is a SC that collects syslog (including Fortigate, CentOS, Cisco switch, and the source device "Array" where this problem occurred). At the beginning, I created a regex parser…
  • Tripwire rawEvent limited to 4000

    Hi there, we are facing an issue with long events from Tripwire, as the event size exceeds 4K. Is there any workaround to allow me to read more than 4K of an event? Thanks in advance for your involvement. Hany
  • Thales Flex Connector - Am I missing something

    Dear all, I wonder if anybody can assist me please? I am trying to create a FlexConnector for a Thales DC5200. Creating the regex for the events seems to work out OK, but when I come to load up the properties file, it just does not seem to want…
  • SmartConnector Support F5 HSL (High Speed Logging)

    I would like SmartConnector support for parsing and collecting F5 HSL (High Speed Logging). Our customer needs to collect this traffic log to monitor connection and performance usage on the F5 device. When the SmartConnector (syslog daemon) receives this log and parses…
  • Active thread count keeps increasing on syslog connector

    I've got a syslog connector that worked fine until we switched it to listen for TCP connections. It's a high-EPS connector (6-8k EPS) running the latest version (8.1). I've set tcppeerclosedchecktimeout, but I don't think that's the issue. The threads…
  • CEF parser Override for PaloAlto System messages

    Hello, I am facing an issue creating a parser subagent for CEF syslog messages. 1- I created a subagent file and placed it under ..\current\user\agent\flexagent\syslog 2- I named the file PaloAlto_syslog.subagent.sdkrfilereader.properties 3- I modified…