fcb
Level 7

Syslog xml parsing template with Logstash

Hi All,

We are trying to use the functionality of the syslog registered server from ePO 5.9. However, the only way the files are received is via XML, which would be fine, but McAfee XML files are nested beyond infinity. Has anybody attempted this before? We have logged numerous calls with McAfee, but they just say that their job is done. The files are sent to the syslog server; what we do with it and what we need to do to parse these is our own problem.

0 Kudos
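One way to get nested XML out of a syslog line into flat key/value fields a SIEM can index, as an added example that is not part of this thread and not McAfee's or Logstash's code. It splits the RFC 5424 header, parses the message body as XML, and walks the tree producing dotted keys (attributes as `@name`, repeated siblings with an index), which is roughly the shape you would want before mapping fields in a Logstash pipeline. The element names in the sample (EPOEvent, MachineInfo, SoftwareInfo, CustomFields) are a constructed stand-in, not the real ePO schema, so adjust the tag names to whatever your ePO instance actually emits.

```python
"""Flatten a syslog line whose message body is nested XML into dotted key/value pairs.

Added example for this thread; not McAfee's or Logstash's code.  The XML tag names
below are a constructed stand-in for the ePO event schema, not the real one.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted feeds prefer defusedxml's drop-in parser

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|\[.*?\])\s+(?P<msg>.*)$",
    re.S,
)

# Constructed sample line: a syslog header followed by a nested XML event body.
SAMPLE_LINE = (
    "<14>1 2024-01-15T10:22:33Z epo-server EPOEvents - - - "
    "<EPOEvent><MachineInfo><MachineName>WKS-001</MachineName>"
    "<IPAddress>10.0.0.5</IPAddress></MachineInfo>"
    "<SoftwareInfo ProductName=\"Endpoint Security\" ProductVersion=\"10.7\">"
    "<Event><EventID>1027</EventID><Severity>3</Severity>"
    "<CommonFields><DetectedUTC>2024-01-15T10:22:30</DetectedUTC></CommonFields>"
    "<CustomFields><TargetPath>C:\\Users\\x\\sample.exe</TargetPath>"
    "<ThreatName>EICAR-Test</ThreatName></CustomFields></Event></SoftwareInfo></EPOEvent>"
)


def split_syslog(line):
    """Return the RFC 5424 header fields plus the raw message body."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    parts = m.groupdict()
    pri = int(parts["pri"])
    parts["facility"] = pri // 8   # PRI encodes facility*8 + severity
    parts["severity"] = pri % 8
    return parts


def flatten_xml(elem, path, out=None):
    """Walk an Element tree, emitting dotted keys.

    Attributes become '<path>.@<name>'; leaf text becomes '<path>';
    repeated siblings with the same tag get '<path>.<tag>[<index>]'.
    """
    if out is None:
        out = {}
    for name, value in elem.attrib.items():
        out[f"{path}.@{name}"] = value
    children = list(elem)
    if not children:
        text = (elem.text or "").strip()
        if text:
            out[path] = text
        return out
    counts = {}
    for child in children:
        counts[child.tag] = counts.get(child.tag, 0) + 1
    seen = {}
    for child in children:
        key = f"{path}.{child.tag}"
        if counts[child.tag] > 1:           # disambiguate repeated siblings
            idx = seen.get(child.tag, 0)
            seen[child.tag] = idx + 1
            key = f"{key}[{idx}]"
        flatten_xml(child, key, out)
    return out


def flatten_syslog_xml(line):
    """Combine syslog header fields and the flattened XML body into one dict."""
    parts = split_syslog(line)
    root = ET.fromstring(parts["msg"])
    fields = {
        "syslog.host": parts["host"],
        "syslog.app": parts["app"],
        "syslog.timestamp": parts["timestamp"],
        "syslog.facility": parts["facility"],
        "syslog.severity": parts["severity"],
    }
    fields.update(flatten_xml(root, root.tag))
    return fields


if __name__ == "__main__":
    for key, value in sorted(flatten_syslog_xml(SAMPLE_LINE).items()):
        print(f"{key} = {value}")
```

The indexed keys for repeated siblings matter because the event body can carry several entries under one parent; without the index the last one silently overwrites the rest. Once the keys are stable you can rename the handful you care about (threat name, target path, machine name) and drop the rest, which is the same field-mapping step you would do after the xml filter in Logstash.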
4 Replies
Peacekeeper
Level 20

Re: Syslog xml parsing template with Logstash

Moved to EPO forum

0 Kudos
tkinkead
Level 12

Re: Syslog xml parsing template with Logstash

This is incredibly unhelpful, but we were pulling events from ePO via database scraping when they released syslog support. We looked at their syslog, and it was not a better choice than database scraping, for the reasons you mentioned. The implementation felt like checking the marketing box, "Yes, we do support syslog!". It just isn't in a format that's usable.

fcb
Level 7

Re: Syslog xml parsing template with Logstash

Yeah, shocking. We have been using db scraping as well, but every time a product update or ePO update is released, all the queries need to be reconfigured. Not really helpful.

0 Kudos
tkinkead
Level 12

Re: Syslog xml parsing template with Logstash

That was a concern for us, too. We thought about trying to parse the syslog for exactly that reason... and then we realized that the syslog output was as likely to change format as the underlying DB. Probably more likely, since it was a new feature.

0 Kudos