Streaming events directly from SIEM agent to a remote server fails with Broken Pipe Error



Article ID: 387300


Updated On:

Products

CASB Gateway Advanced

Issue/Introduction

Cloudsoc SIEM Agents can stream events directly to a remote server. Note, however, that the agent is built to comply with the message format and parsing requirements of RFC 3164 (BSD syslog), not RFC 5424.

 

Example:

python qradar_agent.py --elastica_app investigate --start_date 2025-01-01 -t localhost:3456 -o REMOTE --socket_type TCP --proxy http://localhost:8080 -d 

 

Cases have been observed where the receiving syslog/SIEM application is configured to parse incoming logs according to RFC 5424. A message that does not match that format fails the parsing check, the receiver drops the connection, and the sender reports a "Broken Pipe" error.

The issue has been observed mainly with the Cloudsoc QRadar SIEM Agent, but it most likely affects the other Cloudsoc SIEM Agents (Splunk SIEM Agent and ArcSight SIEM Agent) as well.

Resolution

Broken Pipe Error: When syslog-ng receives a message that is not RFC 5424 compliant and tries to parse it according to RFC 5424, parsing often fails. syslog-ng may then close the connection, which shows up on the sender's side as a "Broken Pipe" error.

This is most likely the case when the syslog-ng server rejects the log because it is not in the expected format, i.e. RFC 5424. The log from CASB is in a hybrid RFC 3164/5424 form. To resolve this, the customer can relax parsing with flags(no-parse) in the source configuration.


flags(no-parse): Disables syslog header parsing entirely (both RFC 5424 and RFC 3164); the whole incoming line is stored unchanged in the message body (${MESSAGE}). This is essential if you are receiving non-RFC 5424 messages (RFC 3164, LEEF embedded in syslog, or other variations).
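The following syslog-ng configuration is an added example, not taken from this article or shipped by Broadcom. It shows the strict RFC 5424 receiver that produces the "Broken Pipe" failure beside the relaxed source that applies the flags(no-parse) fix above, listening on TCP port 3456 to match the agent command in the Issue/Introduction (-t localhost:3456 --socket_type TCP). The @version line, the log file path, and the 10.0.0.5:514 forwarder address are assumptions.

```conf
# Added example (not from the KB article or Broadcom). Port 3456 mirrors the
# agent command shown earlier; the version line, paths and the forwarder
# address are assumptions.
@version: 3.38

# --- Setup that triggers the "Broken Pipe" error (shown for comparison) ---
# The syslog() driver parses input as RFC 5424 (IETF syslog). A hybrid
# RFC 3164/5424 line from the agent fails this parser and syslog-ng may close
# the connection, which the agent reports as a broken pipe.
# Left commented out: only one source can bind TCP port 3456.
#
# source s_casb_strict {
#     syslog(ip("0.0.0.0") port(3456) transport("tcp"));
# };

# --- Relaxed setup from the Resolution ---
# network() with flags(no-parse) accepts any line and stores it verbatim in
# ${MESSAGE}; no header parsing is attempted, so nothing is rejected.
source s_casb_raw {
    network(
        ip("0.0.0.0")
        port(3456)
        transport("tcp")
        flags(no-parse)
    );
};

# With no-parse, the timestamp/host/program macros are not filled from the
# message, so write ${MESSAGE} itself instead of the default file template.
destination d_casb_file {
    file("/var/log/casb/events.log" template("${MESSAGE}\n"));
};

# Forward the raw line to the SIEM listener unchanged (address assumed).
destination d_siem {
    network("10.0.0.5" port(514) transport("tcp") template("${MESSAGE}\n"));
};

log {
    source(s_casb_raw);
    destination(d_casb_file);
    destination(d_siem);
};
```

Validate the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax check only), reload syslog-ng, then re-run the agent command; the connection should stay open because the receiver no longer rejects lines that are not strict RFC 5424. If the downstream SIEM itself insists on RFC 5424, keep no-parse on the ingest source and let the SIEM's own parser handle the raw line rather than enforcing the format at the syslog-ng socket.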