Syslog Connectors

Syslog messages are free-form log messages prefixed with a Syslog header consisting of a numerical code (facility + severity), a timestamp, and a host name. Unlike file connectors, a Syslog connector can receive and process events from multiple devices; a unique regular expression identifies each device.

TCP is a supported protocol for Syslog connectors. If UDP is used, Syslog messages may be lost in transit over the network.
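As an added illustration (not part of the ArcSight documentation or product code), the following Python decodes the Syslog header described above (PRI into facility and severity, timestamp, host) and then applies a per-device identifying regular expression, the way a sub-connector parser is selected; the device patterns and sample lines are constructed for this example, and the year is assumed because BSD timestamps do not carry one.

```python
import re
from datetime import datetime
from typing import Optional

# PRI = facility * 8 + severity, so both values unpack from one number.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog header: <PRI>Mmm dd hh:mm:ss host message  (the day may be space-padded)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Hypothetical per-device patterns standing in for the sub-connector parsers; the first one that
# matches the message body selects the device. Constructed for this example, not product regexes.
DEVICE_PATTERNS = {
    "Cisco ASA": re.compile(r"%ASA-\d-\d{6}:"),
    "Snort": re.compile(r"snort\[\d+\]: \[\d+:\d+:\d+\]"),
    "Linux Audit": re.compile(r"audit\(\d+\.\d+:\d+\):"),
}

def parse_header(line: str, year: int = 2024) -> Optional[dict]:
    """Split one raw syslog line into facility, severity, timestamp, host and message."""
    m = HEADER_RE.match(line)
    if m is None:
        return None                      # malformed header: a Raw Syslog connector passes it through
    pri = int(m.group("pri"))
    if pri > 191:
        return None                      # facility would exceed local7; treat as invalid
    # BSD timestamps carry no year, so the receiver has to assume one when normalising.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": ts, "host": m.group("host"), "message": m.group("msg")}

def identify_device(message: str) -> str:
    """Return the device whose identifying regex matches, or 'UNIX OS' (the base parser)."""
    for name, pattern in DEVICE_PATTERNS.items():
        if pattern.search(message):
            return name
    return "UNIX OS"

# Constructed sample lines (not captured from real devices).
SAMPLE_LINES = [
    "<164>Mar  7 14:02:11 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4433 dst inside:10.0.0.7/22",
    "<13>Mar  7 14:02:12 ids01 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root",
    "<38>Mar  7 14:02:13 host01 sshd[811]: Accepted publickey for alice from 10.0.0.9 port 51234",
]
```

Running `identify_device(parse_header(line)["message"])` over `SAMPLE_LINES` yields Cisco ASA, Snort and UNIX OS respectively.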

Depending on the mechanism by which the device logs are made available to the SmartConnector, select the type of SmartConnector to install:

SmartConnector Types:
  • Syslog Daemon:

    The Syslog Daemon SmartConnector is a syslogd-compatible daemon designed for operating systems that have no syslog daemon in their default configuration, such as Microsoft Windows. It listens for Syslog messages on a configurable port (514 by default). The default protocol is UDP, but other protocols such as Raw TCP are also supported. It is the only Syslog option supported on Windows platforms.

  • Syslog File:

    Supports the following types of logs:

    • Logs written to Pipe: When an existing syslog daemon is present, syslogd is configured to write to a named pipe and the SmartConnector reads from that pipe to receive events. This requires a syslog configuration that sends messages with a certain Syslog facility and severity. It is especially useful when storage is a factor.

      The Solaris platform tends to under-perform when using Syslog Pipe connectors. The operating system requires that the connector (reader) open the pipe file before the Syslog daemon (writer) writes messages to it. On Solaris, it is recommended not to run the Syslog Pipe connector as a non-root user, because a non-root user lacks permission to send a HUP signal to the Syslog daemon.

    • Logs written to File: Monitors events written to a syslog file (such as messages.log) rather than to a system pipe. This requires a syslog configuration that sends messages with a certain Syslog facility and severity. For high-throughput connectors, Syslog File connectors perform better than Syslog Pipe connectors because of operating system buffer limitations on pipe transmissions.

  • Syslog NG Daemon:

    Supports Syslog NG version 3.0 for BSD Syslog format. Support is provided for the collection of IETF standard events. It can receive events over a secure (encrypted) TLS channel from another connector whose destination is configured as CEF Syslog over TLS, and can also receive events directly from devices.

Available Parsers:

AirMagnet Enterprise Syslog
Apache HTTP Server Syslog
Arbor Networks Peakflow Syslog
ArcSight Common Event Format Syslog
Barracuda Email Security Gateway Syslog
Barracuda Firewall NG F-Series Syslog
Barracuda Web Appliance Firewall Syslog
Blue Coat Proxy SG Syslog
BroadWeb NetKeeper Syslog
Brocade BigIron Syslog
Check Point Syslog
Cisco ASA Syslog
Cisco Catalyst OS Syslog
Cisco IOS Syslog
Cisco IronPort Email Security Appliance Syslog
Cisco IronPort Web Security Appliance Syslog
Cisco ISE Syslog
Cisco Meraki Syslog
Cisco Mobility Services Engine Syslog
Cisco NX-OS Syslog
Cisco Secure ACS Syslog
Cisco Wireless LAN Controller Syslog
Citrix NetScaler Syslog
Dell SonicWALL Firewall Syslog
F5 BIG-IP Syslog
Fortinet Fortigate Syslog
HoneyD Syslog
HPE Aruba Mobility Controller Syslog
HPE c7000 Virtual Connect Module Syslog
HPE H3C Syslog
HPE Integrated Lights-Out Syslog
HP Printers Syslog
HPE ProCurve Syslog
HPE-UX Syslog
IBM AIX Audit Syslog
IBM Security Access Manager Syslog
Infoblox NIOS Syslog
Ingrian DataSecure Syslog
Intersect Alliance SNARE Syslog
ISC Bind Syslog
ISC DHCP Syslog
Juniper Firewall ScreenOS Syslog
Juniper IDP Series Syslog
Juniper JUNOS Syslog
Juniper Network and Security Management Syslog
Linux Audit Syslog
McAfee Email Gateway Syslog
McAfee Firewall Enterprise Syslog
McAfee Network Security Manager Syslog
McAfee Web Gateway Syslog
Microsoft IIS Syslog
NetApp Filer Syslog
Netscout Arbor Security Syslog
NitroSecurity Syslog
Nortel Contivity Switch (VPN) Syslog
Oracle Audit Syslog
Oracle Solaris Basic Security Module Syslog
Proofpoint Enterprise Protect and Enterprise Privacy Syslog
Pulse Secure Pulse Connect Secure Syslog
Radware DefensePro Syslog
Sabernet NT Syslog
Sendmail Syslog
Snort Syslog
Symantec Endpoint Protection Syslog
Symantec Messaging Gateway Syslog
TippingPoint SMS Syslog
TippingPoint SMS Syslog Extended
Top Layer Attack Mitigator Syslog
Type80 SMA_RT Syslog
UNIX OS Syslog
VarySys PacketAlarm IPS Syslog
VMware ESXi Server Syslog
Vormetric CoreGuard Syslog

Other Syslog connectors are:

Raw Syslog: These connectors are always used with the Raw Syslog destination. Raw Syslog connectors generally do not parse events; they take the Syslog string and copy it into the rawEvent field as-is. The Raw Syslog destination type takes the rawEvent field and sends it as-is using the selected protocol (UDP, Raw TCP, or TLS). The event flow is streamlined to eliminate components that do not add value. For example, with the Raw Syslog transport, the category fields in the event are ignored, so the categorization components are skipped. If you are transporting data to ArcSight Logger, you can use specific configuration parameters to provide minimal normalization of the Syslog data (for source and timestamp).

ArcSight CEF CISCO FireSight Syslog: Retrieves events and payload information from FireSIGHT DB by using the event ID and Sensor Name as input.

ArcSight CEF Encrypted Syslog UDP: Allows connector-to-connector communication through an encrypted channel by decrypting events previously encrypted by the CEF Encrypted Syslog (UDP) destination. The CEF connector lets ESM aggregate, filter, correlate, and analyze events from applications and devices that deliver their logs in the CEF standard over the Syslog transport protocol.

UNIX supports all types of Syslog connectors. If a syslog process is already running, you can end the process or run the connector on a different port. The connector for UNIX OS Syslog provides the base parser for all Syslog sub-connectors.

For Syslog connector deployment information, see the connector Configuration Guide for UNIX OS Syslog. For device-specific configuration information and field mappings, see the connector configuration guide for the specific device. Each Syslog sub-connector has its own configuration guide.