
How to parse ADS generated syslog messages for SIEM?

 

Information

 

Summary:

Parsing rules for ADS-generated syslog messages in SIEM systems

Environment:

Product: Flowmon ADS

Version: Any

Platform: Any

Question/Problem Description:

How to create parsing rules for ADS generated syslog messages for SIEM systems?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

ADS supports exporting events over syslog in CEF (Common Event Format); see the user guide:

https://docs.progress.com/bundle/progress-flowmon-ads-12-2/page/topics/user-guide/Custom-Actions.html

CEF is a standardized format for syslog messages. If the SIEM supports it, it should be able to ingest ADS messages without any custom parsing rules. The mapping between ADS perspective priority, syslog severity and CEF severity is described in the table in that user guide section.

If the SIEM does not support CEF, custom parsing rules must be created. The description of the integration between Flowmon and FortiSIEM (a SIEM product) can serve as inspiration:

https://support.kemptechnologies.com/hc/en-us/articles/4405966827021-FortiSIEM-Integration-Guide

For testing the parser it is advised to use the sample messages that are available for download here:

https://support.kemptechnologies.com/hc/en-us/articles/4405965962253-Flowmon-ADS-Event-Sample
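The following is an added example, not Flowmon's or Progress's own code, of what a custom parsing rule for a SIEM without native CEF support has to do: decode the syslog PRI into facility and severity, split the seven pipe-delimited CEF header fields while honouring the "\|" and "\\" escapes, split the extension into key=value pairs while honouring "\=" and "\\", and map the CEF severity to the usual Low/Medium/High/Very-High bands. The two sample lines are constructed for illustration; they are not real ADS output, and the signature IDs, event names and extension keys in them are assumptions. Run it against the downloadable ADS sample messages to check a parser before deploying it.

```python
"""Minimal parser for syslog-wrapped CEF events (added example, not Flowmon code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Optional syslog priority prefix "<PRI>"; facility = PRI // 8, severity = PRI % 8.
_SYSLOG_PRI = re.compile(r"^<(\d{1,3})>")
# An extension key: start of string or whitespace, key characters, then an
# unescaped '='.  A '\=' inside a value never matches because '\' is not a key char.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")

# Constructed sample messages (not real ADS output).  The second line exercises
# the escape rules: '\|' in the event name, '\=' and '\\' in extension values.
SAMPLES = [
    "<132>Feb 10 12:34:56 flowmon CEF:0|Flowmon|ADS|12.2|EX1|Example event|8|"
    "src=10.0.0.5 dst=10.0.0.9 proto=TCP msg=Constructed test event",
    "<134>Feb 10 12:35:01 flowmon CEF:0|Flowmon|ADS|12.2|EX2|Scan \\| probe|3|"
    "src=10.0.0.7 request=/login?user\\=admin fname=C:\\\\tmp\\\\x.log",
]


@dataclass
class CefEvent:
    syslog_facility: Optional[int]
    syslog_severity: Optional[int]
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)

    def severity_bucket(self) -> str:
        """CEF numeric severity 0-10 mapped to the four bands used by CEF consumers."""
        n = int(self.severity)
        if n <= 3:
            return "Low"
        if n <= 6:
            return "Medium"
        if n <= 8:
            return "High"
        return "Very-High"


def _split_header(header: str) -> List[str]:
    """Split the 7 header fields on unescaped '|'; returns 8 items, the last is the extension."""
    fields, cur, i = [], [], 0
    while i < len(header) and len(fields) < 7:
        ch = header[i]
        if ch == "\\" and i + 1 < len(header) and header[i + 1] in "|\\":
            cur.append(header[i + 1])      # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields + [header[i:]]


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / CR."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values run from after one key's '=' up to the next key; spaces in values are kept."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; raises ValueError if none is found."""
    facility = severity = None
    m = _SYSLOG_PRI.match(line)
    if m:
        facility, severity = divmod(int(m.group(1)), 8)
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header found")
    parts = _split_header(line[pos + len("CEF:"):])
    header = dict(zip(_HEADER_FIELDS, parts[:7]))
    return CefEvent(facility, severity, **header, extension=_parse_extension(parts[7]))


def is_cef(line: str) -> bool:
    """True if the line parses as CEF; useful as a pre-filter in a SIEM rule."""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in SAMPLES:
        ev = parse_cef(sample)
        print(ev.signature_id, ev.name, ev.severity_bucket(),
              "syslog sev", ev.syslog_severity, ev.extension)
```

Escape handling is where most hand-written SIEM regexes go wrong: a rule that splits the header on every "|" or the extension on every "=" will silently truncate any event whose name or message contains those characters, so the constructed second sample is the one to keep in your test set.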

 

Resolution:  
Workaround:  
Notes:  
