
SA | Securonix log format issue


Article ID: 241022

Products

Security Analytics

Issue/Introduction

The customer is forwarding logs from the SA appliance to a syslog server (Securonix), but the logs arrive in an improper format: the key-value pairs (KVPs) are not being separated. In the sample log almost all of the data arrives inside the message field, so the Securonix team would have to write a regex (derive) for every key-value pair they want to capture, which costs additional processing time. Going with the regex approach would also risk more unparsed events in the future. The customer requests that the logs be sent in a properly structured format.

Environment

Release : 8.2.2-55138


Resolution

At this time, the system does not break out any of the KVPs nested inside the msg key. This has never been done in the past, and changing it may impact customers who already parse the nested msg key themselves.
There are SIEM applications that can parse the nested KVPs. For example, Splunk parses msg, and many customers rely on that. We do not know whether ArcSight will do the same, or what it would cost in ArcSight resources to parse the KVPs.

This is a Feature Request to break the values out of the msg key and give each of them its own key. Something will need to tell our tools when the nested KVPs should be broken out and when they should not be, so that existing customers' configurations continue to work.

Accepted for future development. No committed delivery date at this time.
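To show what the nested-KVP problem looks like on the SIEM side, here is an added example; it is not code from Security Analytics, Securonix or Splunk. A small Python parser reads one syslog-style KVP line, then promotes the key=value pairs nested inside the msg key to top-level keys without overwriting keys that already exist and without dropping the original msg. The sample line is constructed to mimic the shape the article describes and is not a real SA event; the key names and the collision handling are assumptions.

```python
import re

# key=value pairs; a value is either a double-quoted string (with \" escapes
# allowed inside) or a run of non-whitespace characters.
KVP_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def _unquote(value: str) -> str:
    """Strip surrounding double quotes and undo backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_kvps(text: str) -> dict:
    """Parse one flat level of key=value pairs into a dict. KVPs nested inside a
    quoted value are left as-is, just as the forwarder leaves them inside msg."""
    return {k: _unquote(v) for k, v in KVP_RE.findall(text)}


def breakout_msg(record: dict, nested_key: str = "msg") -> dict:
    """Promote KVPs found inside record[nested_key] to top-level keys.

    A promoted key that collides with an existing top-level key is stored as
    '<nested_key>.<key>' so nothing already parsed is overwritten, and the
    original nested field is kept so consumers that parse it themselves (as the
    article notes Splunk does) keep working. Collision handling is an assumption.
    """
    out = dict(record)
    inner = record.get(nested_key)
    if not inner:
        return out
    for key, val in parse_kvps(inner).items():
        dest = key if key not in out else f"{nested_key}.{key}"
        out[dest] = val
    return out


# Constructed sample line, not an actual Security Analytics event; it only
# mimics the shape the article describes: most fields nested inside msg.
SAMPLE_LINE = (
    'ts=2024-01-01T00:00:00Z host=sa01 sev=3 '
    'msg="user=alice action=login src=10.0.0.5 reason=\\"bad password\\""'
)

if __name__ == "__main__":
    for key, val in breakout_msg(parse_kvps(SAMPLE_LINE)).items():
        print(f"{key}={val}")
```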
Additional Information

https://bsg-jira.broadcom.net/browse/NSFR-4213