If you are using syslog-ng, the same config can be applied. In recent version of rsyslog, here's how you should forward to a smart: Anyway, the cef parser will not use the _SYSLOG_ headers fields.īasically, by interpreting correctly the RFC, rsyslog is putting a space between the "CEF: 0" which should be "CEF:0" with no space. Make sure that when you forward to the smartconnector the CEF string that rsyslog received, that the "rawmsg" is sent and that no interpretation of the message is done. If its the same issue, Richard was on the right track, I believe your syslog server is modifying the message and causing the cef_syslog not to recognize it. I am curious if this might be an issue with how the events are written to file? Has anyone been able to properly parse Websense (or other custom) CEF events when they are written to file, or must the syslog daemon be used instead? I attempted installing the older connector on the new server, configured it for syslog file, and the events were not parsed properly.I attempted leaving only "cef_syslog" in the customsubagentlist, but this did not work - the value in syslog.properties then appeared as "cef_syslog|passthrough_syslog".After restarting the connector, I saw that this did not solve the problem. I also moved the value "cef_syslog" to the beginning of "agents.customsubagentlist". I attempted changing the value of "ecustomsubagentlist" from the default value of "false" to "true".I have tried a number of things in an attempt to rectify this. Rather the complete CEF event is being placed in the "Name" field in ESM.
The connector is recognizing the events as Symantec Messaging Gateway (sms7x_syslog), and the events are not being parsed. The new syslog server is writing the Websense events to file, and we have installed a version 7.1.2 syslog file connector which is pointed to the file containing the Websense CEF events. The connector properly recognized the events as cef_syslog, parsed them properly, and forwarded them to ESM without issue.
Websemse is configured to send CEF events to the connector. The original server was running a version 7.0.2 syslog daemon connector. We are in the process of migrating to new syslog servers.
0 kommentar(er)
