3 Replies Latest reply on Mar 27, 2014 8:57 AM by steven.goldberg@citizensfla.co

    ManageEngine.xml (Password Manager Pro) Syslog Connector not working

    steven.goldberg@citizensfla.co

      For some reason all events are unmatched.  Any insight would be appreciated.   Thanks in advance... Steve

       

      Here’s a simple, single event example that maybe someone can identify why the PMPro Connector can’t parse it right.  This was a user audit event of logging into the application.  The connector suggests the event should be recognized as alertname=”UserLogon”.

       

      1.  Here is the entry from syslog7 on LEM:

      1395421738000  172.17.4.39 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD  2014/03/21 13:09:00 Success Server-PMPro1  John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

       

      2.  Here are the appropriate sections of the connector ManageEngine.xml file:

       

      <?xml version="1.0" ?>

       

      - <FASTConfiguration
      _type
      ="null">

      - <DefaultReaderConfiguration
      _type
      ="null" autoStart="true" categoryTags="syslog"
      description
      ="ManageEngine Password Manager
      Pro
      " fullDescription="Stores and Manages sensitive information" logInterval="1"
      logLocation
      ="/var/log/local7.log" logManagementOutput="10.254.10.18"
      logManagementPort
      ="10101" logStartPoint="-1"
      logType
      ="UnixSyslogFileReader" node="manager,spop"
      readerName
      ="ManageEngine" readerOutput="Alert"
      stateVars
      ="logStartPoint,readerName" toolId="ManageEngine"
      toolType
      ="Application" vendor="ZohoCorp"
      version
      ="$Revision: #1 $">

      <file _type="null"
      attributeName
      ="logLocation" enabled="true"
      formatRule
      ="" formatted="false" labelText="Log
      File:
      " preferredOrder="1"
      toolTipText
      ="Directory or path to read
      from
      " visible="true" />
      <string _type="null"
      attributeName
      ="logManagementOutput" enabled="false"
      formatRule
      ="" formatted="false" guiVersion="4"
      labelText
      ="nDepth Host:" preferredOrder="91"
      toolTipText
      ="Hostname of the nDepth appliance to
      receive log data
      " visible="false" />
      <integer _type="null"
      attributeName
      ="logManagementPort" enabled="false"
      guiVersion
      ="4" labelText="nDepth Port:" maxValue="32000"
      minValue
      ="0" preferredOrder="92" toolTipText="Port
      number of the nDepth appliance to receive log data
      " visible="false" />
      <select _type="null"
      attributeName
      ="readerOutput" enabled="false"
      guiVersion
      ="4" labelText="Output:" preferredOrder="90"
      selectItems
      ="Alert;InDepth;Alert,
      InDepth
      " toolTipText="Data routing (normalized alerts to Manager and/or raw data
      to nDepth)
      " visible="false" />
      <integer _type="null"
      attributeName
      ="logInterval" enabled="true"
      labelText
      ="Sleep Time:" maxValue="3660"
      minValue
      ="1" preferredOrder="97" toolTipText="Number of seconds between log reads" visible="true" />
      <string _type="null"
      attributeName
      ="version" enabled="false"
      formatRule
      ="" formatted="false" labelText="Tool
      Version:
      " preferredOrder="99"
      toolTipText
      ="Tool version" visible="true" />
      <string _type="null"
      attributeName
      ="toolId" enabled="false"
      formatRule
      ="" formatted="false" labelText="Wrapper
      Name:
      " preferredOrder="98"
      toolTipText
      ="Tool Identifier" visible="true" />
      </DefaultReaderConfiguration>

       

      - <FastToolId
      _type
      ="null" description="ManageEngine Password
      Manager Pro
      " id="ManageEngine"
      version
      ="59" version_type="int">
      - <FastPattern
      _type
      ="null" alertName="UserLogon" description="1,
      UserLogon: User_Logged_in
      "
      matcher
      ="(\d+) ([\w.]+) (\S+):([\w.]+) \S+
      ([/.:\d ]+) (?:[Ss]uccess|[Ff]ailure)? \S+ ([^:]*).*
      " pattern="^\d+
      [\w.]+ \S+:[\w.]+ User_Logged_in
      "
      version
      ="5" version_type="int">
      <FastField _type="null" defaultValue="Logon "$6" from "$4""
      fieldName
      ="EventInfo" type="1" type_type="int"
      version
      ="3" version_type="int" />
      <FastField _type="null" defaultValue="$2"
      fieldName
      ="DetectionIP" type="1" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="$1"
      fieldName
      ="DetectionTime" type="4" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="1"
      fieldName
      ="ProviderSID" type="1" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="$3"
      fieldName
      ="SourceAccount" type="1" type_type="int"
      version
      ="3" version_type="int" />
      <FastField _type="null" defaultValue="$6"
      fieldName
      ="DestinationAccount" type="1" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="$4"
      fieldName
      ="SourceMachine" type="1" type_type="int"
      version
      ="1" version_type="int" />
      </FastPattern>

      ...

      ...

      ...

      - <FastPattern
      _type
      ="null" alertName="InternalNewToolData" description="InternalNewToolData, Unmatched ManageEngine Data" matcher="(\d+)
      ([\w.]+) \S+:[\w.]+.*
      "
      pattern
      ="^\d+ [\w.]+ \S+:[\w.]+" version="5"
      version_type
      ="int">
      <FastField _type="null" defaultValue="Unmatched ManageEngine Data ($Revision: #1 $)" fieldName="EventInfo"
      type
      ="1"
      type_type
      ="int" version="2" version_type="int" />
      <FastField _type="null" defaultValue="$2"
      fieldName
      ="DetectionIP" type="1" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="$1"
      fieldName
      ="DetectionTime" type="4" type_type="int"
      version
      ="1" version_type="int" />
      <FastField _type="null" defaultValue="$0"
      fieldName
      ="ExtraneousInfo" type="1" type_type="int"
      version
      ="1" version_type="int" />
      </FastPattern>
      <FastPattern _type="null" alertName=""
      alertName_type
      ="null" description="Black
      Hole
      " matcher=".*"
      pattern
      =".*" version="2" version_type="int" />

      </FastToolId>

       

      </FASTConfiguration>

       

      3.  Event recorded in nDepth

      InternalNewToolData   Unmatched ManageEngine Data ($Revision: #1$)  swi-lem   swi-lem    172.2.2.100  Fri Mar 21 13:08:58 GMT-0400 2014  Fri Mar 21 13:08:58 GMT-0400 2014   2    PMPro    1395421738000 172.2.2.100 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD 2014/03/21 13:09:00 Success Server-PMPro1 John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

       

      4.  Format PMPro indicates it sends the data to syslog:

      Syslog message format in case of user audit will be
      operatedName+":"+operatedIp,operationType,operatedDate,statusMess,auditUserName+":"+reason

      example:  admin:127.0.0.1  Account_Added  2009/12/23 11:39:00  Success  pmp_test  windows-server1:account1:Testing