Barnyard Syslog subagent parser

Document created by reswob4 on Sep 5, 2014
Version 1

So we had need of a Barnyard smartconnector. Unfortunately, the SC that comes with ArcSight is only compatible with version .2 of Barnyard, and we are using 2.1.13, which apparently is different enough that nothing was getting parsed.

So after multiple attempts to change Barnyard itself (including changing its output to CEF, which didn't work for reasons I'll get into later), I decided to write a flexconnector for the new Barnyard. I created both a pure flexconnector and a syslog subagent.

Some caveats:
1. Both of these need a catch-all at the end. I will probably add that in a few days; thanks to ops tempo, I need to move on for now:

# catch all: any line that no earlier submessage pattern matched lands in additionaldata.message
submessage[4].pattern.count=1
submessage[4].pattern[0].regex=(.*)
submessage[4].pattern[0].fields=additionaldata.message

2. Additional parsing for more details could provide better information in ArcSight, for example more granularity than categoryDeviceGroup always being set to just /IDS.

Some of the posts where I got great help from the community are below.
Question about testing a flexconnector

_SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?
(NOTE: While Barnyard had an option to output to CEF, for some reason its header came out as

CEF:Version|Device Vendor|Device Product|Device Version.Signature ID|Name|Severity|[Extension]

Notice the '.' between Device Version and Signature ID where CEF expects a '|'; that header is one field short, which threw off the parsing of Name, Severity and many of the extension fields.)
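
To show concretely what that misplaced '.' does, here is an added Python example (not part of the original post, and not ArcSight or Barnyard code) that parses a CEF line, notices when the header is one field short with the extension pulled into the Severity slot, and splits the fused Device Version/Signature ID back apart. The sample line, its vendor/product/signature values, and the rule that a signature id contains no '.' are assumptions.

```python
import re

# The seven pipe-separated CEF header fields that precede the extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Split on unescaped '|' only; CEF writes a literal pipe as '\|'.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension is 'key=value' pairs; a value may contain spaces, a key may not.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_extension(text):
    """Turn 'k1=v1 k2=v2 ...' into a dict (CEF escapes are left as-is)."""
    return dict(_EXT_PAIR.findall(text))


def parse_cef(line, repair=True):
    """Parse one CEF line into a dict; optionally repair the Barnyard header.

    Barnyard's CEF output joins Device Version and Signature ID with '.'
    instead of '|', so the header is one field short and every later field
    shifts left. With repair=True that case is detected and split apart.
    """
    parts = _UNESCAPED_PIPE.split(line.rstrip("\n"))
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, extension = parts[:7], "|".join(parts[7:])
    repaired = False
    # Malformed case: only 7 parts and the 'severity' slot holds key=value
    # pairs, i.e. the extension has been pulled into the header.
    if repair and len(parts) == 7 and "=" in header[6] and "." in header[3]:
        # ASSUMPTION: the signature id contains no '.', so the last '.' in
        # the fused field separates the version from the id.
        version, sig_id = header[3].rsplit(".", 1)
        extension = header[6]
        header = header[:3] + [version, sig_id] + header[4:6]
        repaired = True
    event = dict(zip(HEADER_FIELDS, header))
    event["extension"] = parse_extension(extension)
    event["repaired"] = repaired
    return event


# Constructed sample in the broken shape described above (values are made up).
BROKEN = ("CEF:0|Snort|Barnyard|2.1.13.1:1000001:1|Constructed test alert|3|"
          "src=10.0.0.5 dst=10.0.0.9 spt=44321 dpt=80 proto=TCP")

if __name__ == "__main__":
    for label, ev in (("naive", parse_cef(BROKEN, repair=False)),
                      ("repaired", parse_cef(BROKEN))):
        print(label, ev["name"], "/", ev["severity"], "/", ev["extension"])
```

Running it shows the naive parse putting the alert name into signature_id, the severity into name and the whole extension into severity, while the repaired parse lands every field where the parser expects it.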