
ManageEngine.xml (Password Manager Pro) Syslog Connector not working

For some reason all events are unmatched.  Any insight would be appreciated.   Thanks in advance... Steve

Here’s a simple, single-event example; maybe someone can identify why the PMPro Connector can’t parse it correctly.  This was a user audit event of logging into the application.  The connector suggests the event should be recognized as alertName="UserLogon".

1.  Here is the entry from syslog7 on LEM:

1395421738000  172.17.4.39 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD  2014/03/21 13:09:00 Success Server-PMPro1  John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

2.  Here are the appropriate sections of the connector ManageEngine.xml file:

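<?xml version="1.0" ?>
<!--
  ManageEngine Password Manager Pro connector (ManageEngine.xml) for LEM, as pasted
  in the thread. Layout restored from the browser's tree view: the "-" collapse
  markers are gone, attribute values that the viewer wrapped across lines are
  rejoined with a single space (which is what XML attribute-value normalization
  yields for an embedded line break anyway), and the wrap before a closing quote
  is dropped. Element and attribute content is otherwise unchanged, except for the
  one well-formedness fix marked below. The "..." the poster left between the
  first and second FastPattern stands for connector content not shown.

  Convention visible throughout: an attribute named "X_type" declares the data type
  of the sibling attribute "X" (e.g. version="5" version_type="int"); "_type" on the
  element itself is always "null" here.
-->
<FASTConfiguration _type="null">

  <!-- Reader: a UnixSyslogFileReader over /var/log/local7.log, read every
       logInterval seconds (the field's own toolTipText says "Number of seconds
       between log reads"), output routed as normalized alerts ("Alert").
       logManagementOutput/logManagementPort are the nDepth host and port per
       the labelText of the fields below; both fields are disabled and hidden. -->
  <DefaultReaderConfiguration _type="null"
                              autoStart="true"
                              categoryTags="syslog"
                              description="ManageEngine Password Manager Pro"
                              fullDescription="Stores and Manages sensitive information"
                              logInterval="1"
                              logLocation="/var/log/local7.log"
                              logManagementOutput="10.254.10.18"
                              logManagementPort="10101"
                              logStartPoint="-1"
                              logType="UnixSyslogFileReader"
                              node="manager,spop"
                              readerName="ManageEngine"
                              readerOutput="Alert"
                              stateVars="logStartPoint,readerName"
                              toolId="ManageEngine"
                              toolType="Application"
                              vendor="ZohoCorp"
                              version="$Revision: #1 $">

    <!-- Each child describes the GUI field for one reader attribute named in
         attributeName; preferredOrder is its position, enabled/visible its state. -->
    <file _type="null"
          attributeName="logLocation"
          enabled="true"
          formatRule=""
          formatted="false"
          labelText="Log File:"
          preferredOrder="1"
          toolTipText="Directory or path to read from"
          visible="true" />
    <string _type="null"
            attributeName="logManagementOutput"
            enabled="false"
            formatRule=""
            formatted="false"
            guiVersion="4"
            labelText="nDepth Host:"
            preferredOrder="91"
            toolTipText="Hostname of the nDepth appliance to receive log data"
            visible="false" />
    <integer _type="null"
             attributeName="logManagementPort"
             enabled="false"
             guiVersion="4"
             labelText="nDepth Port:"
             maxValue="32000"
             minValue="0"
             preferredOrder="92"
             toolTipText="Port number of the nDepth appliance to receive log data"
             visible="false" />
    <select _type="null"
            attributeName="readerOutput"
            enabled="false"
            guiVersion="4"
            labelText="Output:"
            preferredOrder="90"
            selectItems="Alert;InDepth;Alert, InDepth"
            toolTipText="Data routing (normalized alerts to Manager and/or raw data to nDepth)"
            visible="false" />
    <integer _type="null"
             attributeName="logInterval"
             enabled="true"
             labelText="Sleep Time:"
             maxValue="3660"
             minValue="1"
             preferredOrder="97"
             toolTipText="Number of seconds between log reads"
             visible="true" />
    <string _type="null"
            attributeName="version"
            enabled="false"
            formatRule=""
            formatted="false"
            labelText="Tool Version:"
            preferredOrder="99"
            toolTipText="Tool version"
            visible="true" />
    <string _type="null"
            attributeName="toolId"
            enabled="false"
            formatRule=""
            formatted="false"
            labelText="Wrapper Name:"
            preferredOrder="98"
            toolTipText="Tool Identifier"
            visible="true" />
  </DefaultReaderConfiguration>

  <!-- Normalization rules for tool id "ManageEngine". Each FastPattern carries an
       anchored "pattern" (apparently the cheap pre-filter) and a capturing
       "matcher"; the FastField defaultValue tokens $1..$6 line up with the
       matcher's capturing groups (the (?:...) group is non-capturing), and $0
       appears to be the whole match. Captured text is copied into the alert
       fields verbatim; no further validation is visible here. -->
  <FastToolId _type="null"
              description="ManageEngine Password Manager Pro"
              id="ManageEngine"
              version="59"
              version_type="int">

    <!-- UserLogon. Both regexes use a single literal space between the syslog
         fields. Matcher groups:
           $1 epoch ms -> DetectionTime      $2 host/IP -> DetectionIP
           $3 operatedName -> SourceAccount  $4 operatedIp -> SourceMachine
           $5 date/time (unused)             $6 auditUserName -> DestinationAccount
         DetectionTime is the only field with type="4"; the others use type="1"
         (presumably a timestamp type versus a string type; not defined here). -->
    <FastPattern _type="null"
                 alertName="UserLogon"
                 description="1, UserLogon: User_Logged_in"
                 matcher="(\d+) ([\w.]+) (\S+):([\w.]+) \S+ ([/.:\d ]+) (?:[Ss]uccess|[Ff]ailure)? \S+ ([^:]*).*"
                 pattern="^\d+ [\w.]+ \S+:[\w.]+ User_Logged_in"
                 version="5"
                 version_type="int">
      <!-- Well-formedness fix: the literal double quotes inside this value must be
           written as &quot; (the browser view had decoded them to bare quotes). -->
      <FastField _type="null"
                 defaultValue="Logon &quot;$6&quot; from &quot;$4&quot;"
                 fieldName="EventInfo"
                 type="1" type_type="int"
                 version="3" version_type="int" />
      <FastField _type="null"
                 defaultValue="$2"
                 fieldName="DetectionIP"
                 type="1" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="$1"
                 fieldName="DetectionTime"
                 type="4" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="1"
                 fieldName="ProviderSID"
                 type="1" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="$3"
                 fieldName="SourceAccount"
                 type="1" type_type="int"
                 version="3" version_type="int" />
      <FastField _type="null"
                 defaultValue="$6"
                 fieldName="DestinationAccount"
                 type="1" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="$4"
                 fieldName="SourceMachine"
                 type="1" type_type="int"
                 version="1" version_type="int" />
    </FastPattern>

    <!-- ... further FastPattern elements omitted from the post ... -->

    <!-- Catch-all for lines that have the syslog prefix but matched no earlier
         pattern. The whole line ($0) is kept in ExtraneousInfo, which is what the
         nDepth record in the thread shows appended to the alert. -->
    <FastPattern _type="null"
                 alertName="InternalNewToolData"
                 description="InternalNewToolData, Unmatched ManageEngine Data"
                 matcher="(\d+) ([\w.]+) \S+:[\w.]+.*"
                 pattern="^\d+ [\w.]+ \S+:[\w.]+"
                 version="5"
                 version_type="int">
      <FastField _type="null"
                 defaultValue="Unmatched ManageEngine Data ($Revision: #1 $)"
                 fieldName="EventInfo"
                 type="1" type_type="int"
                 version="2" version_type="int" />
      <FastField _type="null"
                 defaultValue="$2"
                 fieldName="DetectionIP"
                 type="1" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="$1"
                 fieldName="DetectionTime"
                 type="4" type_type="int"
                 version="1" version_type="int" />
      <FastField _type="null"
                 defaultValue="$0"
                 fieldName="ExtraneousInfo"
                 type="1" type_type="int"
                 version="1" version_type="int" />
    </FastPattern>

    <!-- Last resort: matches anything (".*") with an empty alertName and no
         fields, so presumably anything reaching it is dropped rather than alerted. -->
    <FastPattern _type="null"
                 alertName=""
                 alertName_type="null"
                 description="Black Hole"
                 matcher=".*"
                 pattern=".*"
                 version="2"
                 version_type="int" />

  </FastToolId>

</FASTConfiguration>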

3.  Event as recorded in nDepth:

InternalNewToolData   Unmatched ManageEngine Data ($Revision: #1$)  swi-lem   swi-lem    172.2.2.100  Fri Mar 21 13:08:58 GMT-0400 2014  Fri Mar 21 13:08:58 GMT-0400 2014   2    PMPro    1395421738000 172.2.2.100 N/A:companyworkstation.companydomain.com User_Logged_in_-_AD 2014/03/21 13:09:00 Success Server-PMPro1 John_Smith:Authenticated_by_AD_and_one_time_password_sent_through_Email

4.  The format in which PMPro states it sends the data to syslog:

The syslog message format for a user audit event is:
operatedName+":"+operatedIp,operationType,operatedDate,statusMess,auditUserName+":"+reason

example:  admin:127.0.0.1  Account_Added  2009/12/23 11:39:00  Success  pmp_test  windows-server1:account1:Testing