000016890 - CyberArk Syslog messages display as 'unidentified content' in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000016890
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.2.x, 10.3.x, 10.4.x
Platform: CentOS
Platform (Other): CyberArk Syslog
O/S Version: EL5, EL6
Issue: CyberArk Syslog messages display as "unidentified content" in RSA Security Analytics

The /var/log/messages file displays error messages similar to the following:



Feb 21 04:34:09 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:34:10 DEMOHOSTNAME %CYBERARK: MessageID="241";Version="8.10.0000";Message="Prepare Backup'
Feb 21 04:34:16 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:34:17 DEMOHOSTNAME %CYBERARK: MessageID="236";Version="8.10.0000";Message="Backup Metadat'
Feb 21 04:34:16 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:34:17 DEMOHOSTNAME %CYBERARK: MessageID="236";Version="8.10.0000";Message="Backup Metadat'
Feb 21 04:38:19 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:38:20 DEMOHOSTNAME %CYBERARK: MessageID="51";Version="8.10.0000";Message="Retrieve File";'
Feb 21 04:38:19 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:38:20 DEMOHOSTNAME %CYBERARK: MessageID="51";Version="8.10.0000";Message="Retrieve File";'
Feb 21 04:39:30 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:39:30 DEMOHOSTNAME %CYBERARK: MessageID="194";Version="8.10.0000";Message="Backup Process'



Logs don't appear in the Investigation module, even as 'unknown'.
Resolution

The RSA Security Analytics Log Decoder adheres strictly to RFC 5424. The errors above are caused by the missing Priority (PRI) field in the syslog packets: the Log Decoder reports "unidentified content" whenever the first character of the received log message is neither '<' nor '['.
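To confirm which source is sending non-compliant syslog before touching the CyberArk configuration, the following added example (not part of the original article or of any RSA tool) applies the first-character rule described above to the Log Decoder warnings in /var/log/messages. The sample lines and the masked source address are constructed from the excerpt above; the WARNING_RE pattern and the helper names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Log Decoder warnings, modelled on the excerpt above
# (source addresses masked as in the article). The last line is unrelated noise.
SAMPLE_MESSAGES = """\
Feb 21 04:34:09 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:34:10 DEMOHOSTNAME %CYBERARK: MessageID="241";Version="8.10.0000";Message="Prepare Backup'
Feb 21 04:38:19 demohostname nw[30902]: [SYSLOG] [warning] Unidentified content from xx.xx.xx.xx received on receiver: 'Feb 21 04:38:20 DEMOHOSTNAME %CYBERARK: MessageID="51";Version="8.10.0000";Message="Retrieve File";'
Feb 21 04:40:00 demohostname nw[30902]: [SYSLOG] [info] receiver statistics: 0 errors
"""

# Assumed layout of the warning line: source, then the rejected payload in single quotes.
WARNING_RE = re.compile(
    r"Unidentified content from (?P<src>\S+)\s*received on receiver: '(?P<payload>.*)'$"
)


def decoder_accepts(payload: str) -> bool:
    """Rule stated in the article: the Log Decoder identifies a syslog message
    only when its first character is '<' (RFC 5424 PRI, e.g. <14>) or '['."""
    return payload[:1] in ("<", "[")


def parse_warnings(text: str):
    """Yield (source, payload) for every 'Unidentified content' warning line."""
    for line in text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            yield m.group("src"), m.group("payload")


def summarize(text: str) -> dict:
    """Count rejected messages per source and record the offending leading
    characters, so the operator can see which device needs its format fixed."""
    counts = Counter()
    first_chars = {}
    for src, payload in parse_warnings(text):
        if not decoder_accepts(payload):
            counts[src] += 1
            first_chars.setdefault(src, set()).add(payload[:1])
    return {"counts": dict(counts),
            "first_chars": {k: sorted(v) for k, v in first_chars.items()}}


def with_priority(payload: str, facility: int = 1, severity: int = 6) -> str:
    """Prefix a payload with the RFC 5424 PRI field (<facility*8 + severity>)
    to show the shape the decoder expects; the real fix is on the sending side."""
    return f"<{facility * 8 + severity}>{payload}"


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```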


This issue may be resolved by setting the following dbparam.ini parameter in Cyber-Ark v7.10.0060:



UseLegacySyslogFormat=no/




If the syslog messages are still not identified, perform the following:
- Modify dbparam.ini to point to the translator file CyberArk_RSAEnvision.xsl attached to this article.
- Upload the RFC5424Changes.xsl file into the same /syslog folder on the CyberArk vault.


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a65016
