Syslog type

I am using a LogRhythm SIEM to collect the syslog - I am not sure what type of syslog format TPAM is sending, but I am not getting logs. I chose "linux other" for the format, but perhaps that wasn't the right choice.

  • The KB does state the following under Additional Information:

    The actual time stamps are by syslogd not TPAM.

    So that matches what TPAM is sending without a time stamp.

  • well I do see that, but that is not syslog format - not sure what format that is!  :-)

  • This is a capture of the raw data and the output from the Virtual Syslog server, which takes the raw data and produces this output with the time and date included.

    <14>PAR[55]: UserName: ParAdmin Operation: Logout ObjectType: Authentication Target: ParAdmin Role: N/A Failed? 0 OtherInfo: Inactive for 95 seconds. From address 192.168.0.200
    <14>PAR[64]: UserName: ParAdmin Operation: Login ObjectType: Authentication Target: Role: N/A Failed? 0 OtherInfo: Primary Authentication. TargetURL=192.168.0.143/.../main.asp. From address 192.168.0.200.
    <14>PAR[66]: UserName: ParAdmin Operation: Add ObjectType: ManagedAccount Target: syslog_test/funcacct Role: Admin Failed? 0 OtherInfo: New un-managed account

    192.168.0.143 Jul 06 14:50:55 user info PAR[63] AdminName: ParMaster Operation: Load Queue ObjectType: Test Queue ObjectName: Test Queue OtherInfo:
    192.168.0.143 Jul 06 14:51:06 user info PAR[63] AdminName: ParMaster Operation: Stop ObjectType: Auto Management Service ObjectName: N/A OtherInfo:
    192.168.0.143 Jul 06 14:51:09 user info PAR[63] AdminName: ParMaster Operation: Start ObjectType: Auto Management Service ObjectName: N/A OtherInfo:

    TPAM outputs its syslog data in almost real time. You can see this if you create an event and look for it arriving.

    I am not sure, however, if the time stamp is being provided by the Virtual Syslog server in this case, though.

    As I mentioned in a previous post, I have a customer that feeds their SIEM system by having the Virtual Syslog server's processed data dumped to a file (which is purged on a regular basis based on their SIEM import schedule) and then having their SIEM system import it to process the data.

    Not ideal, but it will give you a workable solution while you look for a better way to translate the raw data.

    Tim
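As an added example (not code from Tim, LogRhythm or the TPAM product), a small Python parser for the raw `<PRI>PAR[pid]: ...` lines in the capture above, for the case where a SIEM's stock syslog parser drops them because they carry no timestamp and no hostname: it stamps the receive time the way syslogd did in the KB note, decodes PRI 14 to user.info (matching the Virtual Syslog server output), and splits the body on the field labels seen in the capture. The label list and the facility names are assumptions taken from that capture and the RFC 5424 tables.

```python
import re
from datetime import datetime, timezone

# Field labels as they appear in the PAR message body in the capture above (assumed
# complete for this example). "Failed?" is the only label not followed by a colon.
KEY_TOKENS = ["UserName:", "AdminName:", "Operation:", "ObjectType:", "ObjectName:",
              "Target:", "Role:", "Failed?", "OtherInfo:"]
_KEYS = "|".join(re.escape(k) for k in KEY_TOKENS)

# Raw line shape: <PRI>PAR[pid]: body -- no timestamp and no hostname, which is why
# a parser expecting "<PRI>Mon dd hh:mm:ss host app[pid]: ..." rejects these events.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<app>\w+)\[(?P<pid>\d+)\]:\s*(?P<body>.*)$")
# A field runs from one label up to the next label; values may contain spaces or be
# empty (e.g. "Target: Role: N/A" on the login line yields an empty Target).
FIELD_RE = re.compile(rf"(?<!\S)(?P<key>{_KEYS})\s*(?P<val>.*?)\s*(?=(?<!\S)(?:{_KEYS})(?:\s|$)|$)")

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]

def parse_tpam_syslog(line, received_at=None):
    """Return a flat dict for one raw TPAM line, or None if it is not in PAR format.
    The device sends no timestamp, so the receive time is stamped on the event
    (which is what syslogd did in the KB note); received_at defaults to now (UTC).
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):
        return None  # PRI out of range: treat as malformed rather than guess
    event = {
        "received_at": (received_at or datetime.now(timezone.utc)).isoformat(),
        "facility": FACILITIES[facility],   # <14> -> user.info, as in Tim's output
        "severity": SEVERITIES[severity],
        "app": m.group("app"),
        "pid": int(m.group("pid")),
    }
    for f in FIELD_RE.finditer(m.group("body")):
        event[f.group("key").rstrip(":")] = f.group("val")
    # Normalise the flag so a SIEM rule can select failed operations directly.
    event["failed"] = event.get("Failed?", "0") != "0"
    return event

if __name__ == "__main__":
    # First raw line from the capture in the thread above.
    raw = "<14>PAR[55]: UserName: ParAdmin Operation: Logout ObjectType: Authentication Target: ParAdmin Role: N/A Failed? 0 OtherInfo: Inactive for 95 seconds. From address 192.168.0.200"
    print(parse_tpam_syslog(raw))
```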