What the difference in ArcSight's CEF Syslog configuration between RAW TCP and UDP ?
is it possible that Udp syslog is sending without endline eg \n
How it possibole to send the syslog from ArcSight that Flumes syslogtcp will read it as syslog
Asked
Active
Viewed 813 times
1 Answers
2
The difference
The RAW syslog - Send the information over TCP protocol, the "RAW" is simply sends CEF payload via TCP as original data (without normalization) with \n ending
CEF:0.......
CEF:0.......
The UDP syslog - Send the information over UDP protocol, the "RAW" is simply sends CEF payload via TCP without \n ending - looks like stream
CEF:0.......CEF:0.......
In my tests the ArcSight version 6.9.1 not sending Syslog format as should
Should be:
Sep 10 15:19:01 host CEF:0|.............
Actualy:
CEF:0|..........
According https://activate.lab1.semplicityinc.com/foswiki/pub/ArcSightActivate/PLinuxOSConnectorInstallation/SyslogNGDaemonConfig.pdf and https://www.protect724.hpe.com
When selecting Syslog Daemon, with Raw TCP, connections remain idle in a CLOSE_WAIT state until closed explicitly by the application.
More reference: https://www.hpe.com/h20195/v2/getpdf.aspx/4AA6-8664ENW.pdf?ver=1.0
Apache Flume
The best practices for ArcSight version 6.9.1 and Flume is:
- in ArcSight use
CEF SyslogandRAW Tcp - Flume should use NetCat source and parse it
Enjoy !
Yehuda
- 457
- 2
- 6
- 16