Access Log Syslog messages sent from Proxy SG to Rsyslog are combined together


Article ID: 231357


Updated On:

Products

ISG Proxy ProxySG Software - SGOS ASG-S400

Issue/Introduction

Access Log Syslog messages sent from Proxy SG to Rsyslog (or any other SIEM or syslog vendor) are combined together. All the messages appear together not line by line.

Resolution

The ProxySG custom client dumps the raw access logs to the destination server over TCP, and these raw access logs are presented one log entry per line. Most log servers have receivers capable of parsing these logs into individual entries; in this case the Rsyslog instance appears to have no default parser for them, so a custom parser must be configured. Syslog servers normally expect to receive data as UDP packets, where each packet is parsed as one line. When the data arrives over TCP with multiple log entries in one stream, parsing needs extra configuration. See the following example Rsyslog configuration:

 https://github.com/brandonganem/rsyslog_configs/blob/master/rsyslog_simple.conf 

The same issue can be observed with other SIEM platforms.

Additional Information

Access logs are forwarded in raw format over TCP. Access log entries are delimited with CRLF (carriage return, line feed; hex 0D 0A), which represents a new line in the raw data. To verify this, collect a packet capture on the proxy and locate the relevant TCP stream. Use the Follow TCP Stream feature in Wireshark with the ASCII data representation and confirm that each access log entry appears on its own line.
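The framing problem described in the Resolution and Additional Information sections, shown as an added example (not code from the article, Broadcom or the rsyslog project): a receiver that treats each TCP payload as one syslog message sees several access-log entries glued together, while a CRLF-aware framer splits them correctly, including an entry that straddles two TCP segments. The sample access-log lines and the segment boundaries are constructed for illustration.

```python
"""Split raw, CRLF-delimited ProxySG access-log entries out of a TCP byte stream."""

CRLF = b"\r\n"  # hex 0D 0A, the delimiter between access-log entries


class CrlfFramer:
    """Buffers TCP segments and returns one complete entry per CRLF.

    A segment may carry several entries or only part of one, so any tail
    without a trailing CRLF is held back until the next segment arrives.
    """

    def __init__(self):
        self._buf = b""

    def feed(self, segment: bytes):
        self._buf += segment
        entries = []
        while (idx := self._buf.find(CRLF)) >= 0:
            line, self._buf = self._buf[:idx], self._buf[idx + len(CRLF):]
            if line:  # ignore empty lines (a bare CRLF carries no entry)
                entries.append(line.decode("utf-8", errors="replace"))
        return entries

    def pending(self) -> bytes:
        return self._buf  # incomplete entry still waiting for its CRLF


def naive_split(segment: bytes):
    """What a receiver sees when it treats each TCP payload as one message."""
    return [segment.decode("utf-8", errors="replace")]


# Constructed sample: two whole entries plus the start of a third in the first
# segment; the remainder of the third entry arrives in the second segment.
SEGMENTS = [
    b"2024-01-01 10:00:00 12 10.0.0.5 200 TCP_HIT GET http example.com /a\r\n"
    b"2024-01-01 10:00:01 34 10.0.0.6 404 TCP_MISS GET http example.com /b\r\n"
    b"2024-01-01 10:00:02 56 10.0.0.7 302 TCP_",
    b"NC_MISS GET http example.com /c\r\n",
]


def split_stream(segments):
    """Run every segment through one framer; return (entries, leftover bytes)."""
    framer = CrlfFramer()
    entries = []
    for seg in segments:
        entries.extend(framer.feed(seg))
    return entries, framer.pending()


if __name__ == "__main__":
    entries, rest = split_stream(SEGMENTS)
    print("naive receiver sees", len(naive_split(SEGMENTS[0])), "message in segment 1")
    print("CRLF framer yields", len(entries), "entries; leftover:", rest)
    for e in entries:
        print(e)
```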