Before I answer your specific questions, I wanted to give you a little information that will hopefully add context to my answers. We have 2 types of parsers on our receiver. We have code based parsers and we have rules based parsers. The code based parsers require a code update for us to make any changes to them. The rules based parser can be updated at any time by downloading rules from our rule server. The rules based parser is called the Advanced Syslog Parser (ASP). When you are adding a data source, if the data source model ends in (ASP) it uses the rules based parser. If it does not have the (ASP) it is a code based parser.
Now, to answer your specific questions.
The data source vendor and model that you choose will depend on what Linux OS you are running. If you are running Solaris, Red Hat Linux, HP-UX, or IBM AIX then you will need to choose the data source vendor of "Unix" and the Model of "UNIX OS (Solaris, Red Hat Linux, HP-UX, IBM AIX)". If you are running any other version of Linux, you will need to choose the data source vendor of "Unix" and the Model of "Linux (ASP)".
The vendor of "Syslog" and model of "Advanced Syslog Parser" is designed to be used when a customer wants to write their own custom rules on a syslog data source that we do not currently support. It is not very often that Vendor and Model will get used.
Both of the Unix rule sets are built to handle all of the standard Unix logs. This includes most of the standard services that can run on linux like sshd, smartd, etc. Many applications that run on linux will also log to the standard linux syslog feed. A good example of that would be an Apache Web Server. We have a separate data source that covers these logs. However, you can set them up under one data source. You would simply set up the data source to collect the linux logs and then, in the policy, you can manually enable the apache rules as well for that data source. Below are the instructions on how to do that.
1. Select your data source in the device tree and then click on the policy button to open the policy editor.
2. Once the policy editor opens, delete the value that is in the device type filter on the right and then select the filter button so that we can find the apache device type.
3. Browse through the list and select the Apache Web Server. Once you have selected it, click OK at the bottom.
4. Enable the rules by clicking the word Action in the header. Then select Enabled.
5. Once you have enabled the rules, you will need to roll policy to the device. At this point this data source will parse both Linux logs and Apache logs.
Thanks for your answer. It was a very helpful and clean answer.
One addition to that: if we are to enable both standard Linux rules + HTTP rules on one data source, we have to do the following in the policy editor of the related data source
113: Means UNIX , UNIX (red hat ...)
280: Apache ASP
In my case, I prefer to add another "match on type" client data source.
- Linux (ASP) [parent]
- Apache Web Server (ASP) [client]
Doing it this way allows you to filter events more easily later on. If my memory serves me right, in the "device type" display type, doing this will allow you to see the parent and client data sources as different data sources. Nevertheless, one might find a problem with the "match on type" client data source in 9.1.3. Things should be better in 9.2.0, I hope.
I am in a similar position about it. Right now I have a Netscaler which sends both uniform syslog and CEF syslog. I have tried to add both, but when I add a child so I can match on CEF instead of uniform syslog, which is the parent, I get an error that this IP address is already added.
My question is actually this: How can I add 2 data sources which have the same IP but different syslog formats? The Netscaler Web Application component sends CEF format syslog, and standard syslog is also used for other Netscaler activities, which can be found at:
What do I pick for CentOS? It is Red Hat based. Is it Red Hat enough to pick the UNIX, UNIX OS (Redhat, Solaris, ...) parser, or do I go with the Linux (ASP)?
Linux(ASP) would be the parser to use for CentOS.
The information was very helpful. I have the same issue but with a different vendor. I have Oracle installed on a Solaris system. I need the logs from both.
For Oracle: When I select Oracle Audit (ASP) I can see the logs but can't add another DS (Solaris) as both have the same IP.
When I select Oracle Audit I am not seeing the logs. When I query further I get that I have to enable the rules for the "other" DS.
Now, from where can I achieve this? Because when I click on the Oracle DS in the tree and then click on the policy editor icon in the top left bar, in the advanced section, click on the Device Type ID icon and select Oracle Audit (ASP), at this point I am supposed to see the rules, but I am not seeing any rules.