Symantec Privileged Access Management

I'm working on a project in which we are implementing CA PAM 3.3.1 and integrating with ArcSite for SysLog purposes.

The syslog admin has raised the following question: "We are getting data in CSV format which is not supported by the SIEM solution (ArcSight). Log format should be in CEF. Can you change the log format to CEF from CSV?"

Also, regarding the syslog server configuration, when multiple syslog servers are specified with a delimiting '|' is the second syslog server a backup/failover reference or is data duplicated to both nodes concurrently?

thanks in advance.



------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

Sebastiano

There is no method to modify the syslog format that we send. As for the two syslog config. That should send the same data to both concurrently.... it is not backup/failover.

Joe Lutz
Original Message:
Sent: 10-06-2020 10:11 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

I'm working on a project in which we are implementing CA PAM 3.3.1 and integrating with ArcSite for SysLog purposes.

The syslog admin has raised the following question: "We are getting data in CSV format which is not supported by the SIEM solution (ArcSight). Log format should be in CEF. Can you change the log format to CEF from CSV?"

Also, regarding the syslog server configuration, when multiple syslog servers are specified with a delimiting '|' is the second syslog server a backup/failover reference or is data duplicated to both nodes concurrently?

thanks in advance.



------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

Thank you Joseph.

Any recommendations for the client on how to manage the CSV formatted events in ArcSite?

I'm wondering if other client's have raised the same issue/request in the past and whether a feasible work-around exists.

I don't want to go back to the client empty handed and tell them we wont be able to integrate with their SIEM solution because of the hard-coded syslog format.

------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

Original Message:
Sent: 10-16-2020 07:10 AM
From: joseph lutz
Subject: About SysLog Message Data Formats and other Syslog configurations.

Sebastiano

There is no method to modify the syslog format that we send. As for the two syslog config. That should send the same data to both concurrently.... it is not backup/failover.

Joe Lutz
Original Message:
Sent: 10-06-2020 10:11 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

I'm working on a project in which we are implementing CA PAM 3.3.1 and integrating with ArcSite for SysLog purposes.

The syslog admin has raised the following question: "We are getting data in CSV format which is not supported by the SIEM solution (ArcSight). Log format should be in CEF. Can you change the log format to CEF from CSV?"

Also, regarding the syslog server configuration, when multiple syslog servers are specified with a delimiting '|' is the second syslog server a backup/failover reference or is data duplicated to both nodes concurrently?

thanks in advance.



------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

Sebastiano

I know we have some clients using because we have discussed the Arcsite product in passing . I do not see any documentation on how to configure this in Arcsite but sending our syslog to a syslog forwarder may help reformat the data. I cannot believe that Arcsite cannot handle Linux style syslog messages where they can digest and create  the key pairs..... May need a forwarder for them as well... 

Joe
Original Message:
Sent: 10-16-2020 09:01 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

Thank you Joseph.

Any recommendations for the client on how to manage the CSV formatted events in ArcSite?

I'm wondering if other client's have raised the same issue/request in the past and whether a feasible work-around exists.

I don't want to go back to the client empty handed and tell them we wont be able to integrate with their SIEM solution because of the hard-coded syslog format.

------------------------------
Services Architect
HCL Technologies Ltd

Original Message:
Sent: 10-16-2020 07:10 AM
From: joseph lutz
Subject: About SysLog Message Data Formats and other Syslog configurations.

Sebastiano

There is no method to modify the syslog format that we send. As for the two syslog config. That should send the same data to both concurrently.... it is not backup/failover.

Joe Lutz
Original Message:
Sent: 10-06-2020 10:11 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

I'm working on a project in which we are implementing CA PAM 3.3.1 and integrating with ArcSite for SysLog purposes.

The syslog admin has raised the following question: "We are getting data in CSV format which is not supported by the SIEM solution (ArcSight). Log format should be in CEF. Can you change the log format to CEF from CSV?"

Also, regarding the syslog server configuration, when multiple syslog servers are specified with a delimiting '|' is the second syslog server a backup/failover reference or is data duplicated to both nodes concurrently?

thanks in advance.



------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

ok, thank you Joseph for the feedback.

------------------------------
Services Architect
HCL Technologies Ltd
------------------------------

Original Message:
Sent: 10-16-2020 10:12 AM
From: joseph lutz
Subject: About SysLog Message Data Formats and other Syslog configurations.

Sebastiano

I know we have some clients using because we have discussed the Arcsite product in passing . I do not see any documentation on how to configure this in Arcsite but sending our syslog to a syslog forwarder may help reformat the data. I cannot believe that Arcsite cannot handle Linux style syslog messages where they can digest and create  the key pairs..... May need a forwarder for them as well... 

Joe
Original Message:
Sent: 10-16-2020 09:01 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

Thank you Joseph.

Any recommendations for the client on how to manage the CSV formatted events in ArcSite?

I'm wondering if other client's have raised the same issue/request in the past and whether a feasible work-around exists.

I don't want to go back to the client empty handed and tell them we wont be able to integrate with their SIEM solution because of the hard-coded syslog format.

------------------------------
Services Architect
HCL Technologies Ltd

Original Message:
Sent: 10-16-2020 07:10 AM
From: joseph lutz
Subject: About SysLog Message Data Formats and other Syslog configurations.

Sebastiano

There is no method to modify the syslog format that we send. As for the two syslog config. That should send the same data to both concurrently.... it is not backup/failover.

Joe Lutz
Original Message:
Sent: 10-06-2020 10:11 AM
From: Sebastiano Alighieri
Subject: About SysLog Message Data Formats and other Syslog configurations.

I'm working on a project in which we are implementing CA PAM 3.3.1 and integrating with ArcSite for SysLog purposes.

The syslog admin has raised the following question: "We are getting data in CSV format which is not supported by the SIEM solution (ArcSight). Log format should be in CEF. Can you change the log format to CEF from CSV?"

Also, regarding the syslog server configuration, when multiple syslog servers are specified with a delimiting '|' is the second syslog server a backup/failover reference or is data duplicated to both nodes concurrently?

thanks in advance.



------------------------------
Services Architect
HCL Technologies Ltd
------------------------------