
Linux Data source question?

I have a Linux server that can send syslog.

1) There are different Data Source Vendor and Data Source Model options at the GUI:

    a) Syslog, Advanced Syslog Parser

    b) UNIX, Linux ASP

    c) UNIX, UNIX OS (Redhat , solaris ..)

Which one should I use for a Linux system, and what are the differences between these 3?

2) There is standard syslog and there is ASP (Advanced Syslog Parser). What is the difference between these two?

3) Say that I send all the logs, and this syslog contains both Linux logs, sshd logs, web server logs, asterisk logs (etc.). So what should I do to add this data source? Is adding only one data source enough to handle both system logs, sshd logs, Apache logs and asterisk logs? If not, should I add a new DS for all logs to be processed, but as a different Data Source Vendor/Model?


12 Replies
McAfee Employee

Re: Linux Data source question?

Before I answer your specific questions, I wanted to give you a little information that will hopefully add context to my answers. We have 2 types of parsers on our receiver. We have code based parsers and we have rules based parsers. The code based parsers require a code update for us to make any changes to them. The rules based parser can be updated at any time by downloading rules from our rule server. The rules based parser is called the Advanced Syslog Parser (ASP). When you are adding a data source, if the data source model ends in (ASP) it uses the rules based parser. If it does not have the (ASP) it is a code based parser.

Now, to answer your specific questions.

The data source vendor and model that you choose will depend on what Linux OS you are running. If you are running Solaris, Red Hat Linux, HP-UX, or IBM AIX then you will need to choose the data source vendor of "Unix" and the Model of "UNIX OS (Solaris, Red Hat Linux, HP-UX, IBM AIX)". If you are running any other version of Linux, you will need to choose the data source vendor of "Unix" and the Model of "Linux (ASP)".

The vendor of "Syslog" and model of "Advanced Syslog Parser" is designed to be used when a customer wants to write their own custom rules on a syslog data source that we do not currently support. It is not very often that Vendor and Model will get used.

Both of the Unix rule sets are built to handle all of the standard Unix logs. This includes most of the standard services that can run on Linux like sshd, smartd, etc. Many applications that run on Linux will also write their logs to the standard Linux syslog feed. A good example of that would be an Apache Web Server. We have a separate data source that covers these logs. However, you can set them up under one data source. You would simply set up the data source to collect the Linux logs and then, in the policy, you can manually enable the Apache rules as well for that data source. Below are the instructions on how to do that.

1. Select your data source in the device tree and then click on the policy button to open the policy editor.


2. Once the policy editor opens, delete the value that is in the device type filter on the right and then select the filter button so that we can find the Apache device type.


3. Browse through the list and select the Apache Web Server. Once you have selected it, click OK at the bottom.


4. Enable the rules by clicking the word Action in the header. Then select Enabled.


5. Once you have enabled the rules, you will need to roll policy to the device. At this point this data source will parse both Linux logs and Apache logs.



Re: Linux Data source question?


Thanks for your answer. It was a very helpful and clean answer.


Re: Linux Data source question?

One addition to that: if we are to enable both standard Linux rules + HTTP rules on one data source, we have to do the following in the policy editor of the related data source:

113: means UNIX, UNIX (Red Hat ...)

280: Apache ASP

Message was edited by: omerfsen on 2/2/13 4:13:16 AM CST

Re: Linux Data source question?

Hi Steve,

In my cases, I prefer to add another "match on type" client data source.

For example:

- Linux (ASP) [parent]

- Apache Web Server (ASP) [client]

Doing it this way allows you to filter events more easily later on. If my memory serves me right, in the "device type" display type, doing this will allow you to see the parent and client data sources as different data sources. Nevertheless, one might find a problem with "match on type" client data sources in 9.1.3. Things should be better in 9.2.0, I hope.

Best regards,


Re: Linux Data source question?

I am in a similar position about it. Right now I have a Netscaler which sends both uniform syslog and CEF syslog. I have tried to add both, but when I add a child so I can match on CEF instead of uniform syslog, which is the parent, I get an error that this IP address has already been added.

My question is actually this: how can I add 2 data sources which have the same IP but different syslog formats? The Netscaler Web Application component sends CEF format syslog, and standard syslog is also used for other Netscaler activities, which can be found at:
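The thread above describes one syslog feed carrying Linux, sshd, Apache and asterisk messages (so that several rule sets, the 113 and 280 device types quoted earlier, have to be enabled on one data source) and, in this post, a single IP sending both plain syslog and CEF. As an added example that is not from any poster or from McAfee, the Python below walks a constructed mixed feed and reports which rule set each line would fall under, which lines are CEF rather than plain syslog, and which lines are covered by neither; the program-tag lists, the sample lines and the CEF fields are assumptions.

```python
import re
from collections import Counter

# RFC 3164 style line: "<PRI>Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Syslog program tag -> rule set to enable on the data source. 113 and 280 are the
# device type IDs quoted in the thread; which tags each set covers is an assumption.
RULESETS = {
    "UNIX OS (113)": {"sshd", "kernel", "sudo", "cron", "su", "smartd"},
    "Apache Web Server (280)": {"httpd", "apache", "apache2"},
}

def classify(line):
    if "CEF:0|" in line:           # CEF payload carried inside a syslog message
        return "CEF"
    m = SYSLOG_RE.match(line)
    if not m:
        return "unparsed"          # not syslog shaped at all
    prog = m.group("prog").lower()
    for ruleset, tags in RULESETS.items():
        if prog in tags:
            return ruleset
    return "unmatched"             # needs a rule set not covered here (e.g. asterisk)

def summarize(lines):
    # Count lines per rule set, to see what one feed really carries.
    return dict(Counter(classify(l) for l in lines))

def rulesets_to_enable(lines):
    # Rule sets that must be enabled in the policy editor for this feed.
    return {c for c in map(classify, lines) if c in RULESETS}

# Constructed sample feed from one host, plus one constructed NetScaler CEF line.
SAMPLE = [
    '<38>Feb  2 04:13:16 web01 sshd[2211]: Accepted publickey for omer from 10.0.0.5 port 51022 ssh2',
    '<86>Feb  2 04:13:17 web01 sudo:   omer : TTY=pts/0 ; PWD=/home/omer ; USER=root ; COMMAND=/bin/ls',
    '<134>Feb  2 04:13:18 web01 httpd[1020]: 10.0.0.9 - - [02/Feb/2013:04:13:18 +0000] "GET /index.html HTTP/1.1" 200 512',
    '<134>Feb  2 04:13:19 web01 asterisk[3001]: NOTICE[3001]: chan_sip.c: Registration from "100" failed for 10.0.0.20',
    '<134>Feb  2 04:13:20 ns01 CEF:0|Citrix|NetScaler|1.0|1000|Example event|6|src=10.0.0.30',
    'not a syslog line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE), rulesets_to_enable(SAMPLE))
```

Lines that come back as "unmatched" are the ones (asterisk here) that neither rule set would parse, and a separate "CEF" count is the signal that the same IP is also sending a second log format.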


Re: Linux Data source question?

What do I pick for CentOS? It is Red Hat based. Is it Red Hat enough to pick the UNIX, UNIX OS (Redhat , solaris ..) parser or do I go with the Linux (ASP)?

McAfee Employee

Re: Linux Data source question?

Linux (ASP) would be the parser to use for CentOS.



Re: Linux Data source question?


The information was very helpful. I have the same issue but with a different vendor. I have Oracle installed on a Solaris system. I need the logs from both.

For Oracle: when I select Oracle Audit (ASP) I can see the logs, but I can't add another DS (Solaris) as both have the same IP.

When I select Oracle Audit I am not seeing the logs. When I query further, I get that I have to enable the rules for the "other" DS.

Now, where can I achieve this? Because

when I click on your Oracle DS in the tree, then click on the policy editor icon in the top left bar, and in the advanced section click on the Device Type ID icon and select Oracle Audit (ASP), at this point I am supposed to see the rules, but I am not seeing any rules.

Please advise.

McAfee Employee

Re: Linux Data source question?

Hi Rashid,

You should see some rules for Oracle ASP as per the screenshot below. If you don't see those, then I recommend you do a manual rules update to make sure you have the latest ruleset installed.



