Forward Syslog From Kiwi to ESM - View separate Data Sources in ESM

Hi Everyone,

I want to forward syslog events from Kiwi Server to the ESM.

I need the ESM to eventually reflect each data source separately (meaning, show how it was originally sent to Kiwi Server...).

Is there such an option? Filtering the syslog somehow to show individual and separate data sources in ESM?

Thanks!!

2 Replies

lratcliffe, McAfee Employee

Re: Forward Syslog From Kiwi to ESM - View separate Data Sources in ESM

The ESM would need a method to separate the log stream into different datasources. Typically this is done using hostnames: you would use a parent datasource with no hostname, or a generic one, for the Kiwi system and configure the Syslog Relay setting with the appropriate one for the log structure that Kiwi forwards in. You then create parent datasources (and clients as needed) with the specific hostnames for the specific data you are collecting / parsing. Retrieval method would be syslog.

E.g., I have a datasource for my rsyslog-based forwarder in my test environment. It has the following config:

Vendor: Unix
Model: Linux
Format: Default
Retrieval: Syslog
IP: 192.168.198.100
Host Name: forwarder
Syslog Relay: syslog-ng

It sends logs for itself which look like this:

<13>Nov 2 08:12:01 forwarder analysis_script[4104418]: Execution starting

I then have datasources for the forwarded data (which comes from this IP). These have a configuration of:

Vendor: Generic
Model: ASP
Format: Default
Retrieval: Syslog
IP: <blank>
Host Name: testmachine1

The logs for these look like this:

Oct 22 14:46:14 testmachine1 json_reporter[3017530]: { "Archive": "logparser", "File":"/mnt/share/testmachine1/testfile.json", "LogLine": { "Sensor Version": "4.8.1", "Sensor Build": "21437" } }

You can also prepend the syslog headers instead of replacing them - the parser will default to reading the right-most header for forwarded logs.

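The routing the reply describes (relay identified by the parent datasource's IP, original sender identified by the hostname in the right-most syslog header, child datasources keyed by hostname) can be modelled in a few lines. The block below is an added example for this thread, not code from ESM, Kiwi or the reply's author: the `DataSource`, `RelayRouter` and `Routed` names are hypothetical, the datasource fields are copied from the reply, the first two sample lines are the reply's own and the third is a constructed line with the relay header prepended rather than replaced. It also assumes, for illustration, that a hostname with no matching child lands in the parent datasource.

```python
"""Hostname-based demultiplexing of relayed syslog (added example, not ESM code)."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164-style header: optional <PRI>, "Mmm dd HH:MM:SS", hostname, space.
# A relay that prepends its own header leaves two such headers in one line;
# the reply states the ESM parser reads the right-most one, and route() below
# picks headers[-1] for that reason.
HEADER_RE = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) "
)


@dataclass(frozen=True)
class DataSource:              # hypothetical model of the fields in the reply
    name: str
    vendor: str
    model: str
    ip: Optional[str]          # set only on the parent (the relay's address)
    hostname: Optional[str]    # set on the children (the original sender)
    syslog_relay: Optional[str] = None


@dataclass(frozen=True)
class Routed:
    datasource: DataSource
    hostname: str              # hostname taken from the selected header
    facility: Optional[int]
    severity: Optional[int]
    message: str               # payload after the selected header


class RelayRouter:
    """Parent datasource keyed by relay IP, children keyed by header hostname."""

    def __init__(self, parent: DataSource, children: list[DataSource]):
        self.parent = parent
        self.by_host = {c.hostname: c for c in children if c.hostname}

    def route(self, src_ip: str, line: str) -> Optional[Routed]:
        # The relay is identified by the IP on the parent datasource; packets
        # from any other address are not claimed by this datasource tree.
        if src_ip != self.parent.ip:
            return None
        headers = list(HEADER_RE.finditer(line))
        if not headers:
            # No parseable header: attribute the line to the relay itself.
            return Routed(self.parent, self.parent.hostname or "", None, None, line)
        hdr = headers[-1]                       # right-most header wins
        host = hdr.group("host")
        pri = hdr.group("pri")
        facility = int(pri) >> 3 if pri else None   # PRI = facility*8 + severity
        severity = int(pri) & 7 if pri else None
        # Assumption for this example: hostnames without a child datasource
        # fall back to the parent, which is where you notice a missing child.
        ds = self.by_host.get(host, self.parent)
        return Routed(ds, host, facility, severity, line[hdr.end():])


# Datasource layout copied from the reply.
PARENT = DataSource("forwarder", "Unix", "Linux", "192.168.198.100",
                    "forwarder", syslog_relay="syslog-ng")
CHILDREN = [DataSource("testmachine1", "Generic", "ASP", None, "testmachine1")]
ROUTER = RelayRouter(PARENT, CHILDREN)

# Sample lines: the first two are the reply's own; the third is constructed to
# show the relay header prepended (not replaced), as the reply's last sentence allows.
SAMPLES = [
    "<13>Nov 2 08:12:01 forwarder analysis_script[4104418]: Execution starting",
    'Oct 22 14:46:14 testmachine1 json_reporter[3017530]: { "Archive": "logparser", '
    '"File":"/mnt/share/testmachine1/testfile.json", "LogLine": { "Sensor Version": '
    '"4.8.1", "Sensor Build": "21437" } }',
    '<13>Nov 2 08:12:05 forwarder <13>Oct 22 14:46:14 testmachine1 '
    'json_reporter[3017530]: { "Archive": "logparser" }',
]


def route_samples() -> list[tuple[str, str]]:
    """Return (datasource name, header hostname) for each sample line."""
    out = []
    for line in SAMPLES:
        r = ROUTER.route("192.168.198.100", line)
        out.append((r.datasource.name, r.hostname))
    return out


if __name__ == "__main__":
    for line, (ds, host) in zip(SAMPLES, route_samples()):
        print(f"{ds:14} host={host:14} {line[:60]}")
```

The practical check this encodes: if the relay rewrites the header so that only its own hostname survives, every line resolves to the parent and the child datasources stay empty, so capture a few raw lines as Kiwi actually emits them (original header kept, or prepended) before creating the children.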

Re: Forward Syslog From Kiwi to ESM - View separate Data Sources in ESM

Thank you so much!
We'll test it out and let you know if it worked!