
Pulse Secure 8.3R4 - Syslogs no longer parsed by ArcSight

jchiffons
New Member


We upgraded our Pulse Secure to 8.3R4 and noticed the syslogs are no longer parsed in our ArcSight SIEM. We're running the latest connector parser from ArcSight, which looks like it supports up to 8.2. The other interesting thing is the syslog is identifying the product as HPE ProCurve and not Pulse Secure. Why was the logging changed? Is there a way to change back to the old logging format?

flipPipe
Frequent Contributor

Re: Pulse Secure 8.3R4 - Syslogs no longer parsed by ArcSight

In the release notes for 8.3R4 there is a change which could affect the parsing.

PRS-353185 Summary: Syslog export is improperly formatted for RFC5424 compliance.

And checking the RFCs, it seems the message format changed a lot.

https://tools.ietf.org/html/rfc5424#page-8

https://tools.ietf.org/html/rfc3164#section-4.1

Another change I noticed was the reduction of fields in the WELF format and the inexistence of W3C format. Both these changes can be overcome by creating a custom filter.

zanyterp
Moderator

Re: Pulse Secure 8.3R4 - Syslogs no longer parsed by ArcSight

What version were you using prior to the upgrade?
Are you seeing the syslog message from the PCS report itself as an HPE ProCurve or is the SIEM marking it as a ProCurve?
As flipPipe indicated, there was a change for RFC compliance in 8.3R4; this cannot be changed. Also, as flipPipe updated, you can create a custom log filter to match what you would like to see.
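
To illustrate the header difference between RFC 3164 and RFC 5424 that both replies point to, here is an added example, not part of the original thread and not Pulse Secure or ArcSight code, that classifies a syslog line by header format, which is the first check a custom parser needs after such a change. The sample lines and the names `parse_syslog`, `OLD_STYLE` and `NEW_STYLE` are constructed for illustration and are not real device output.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (no version field)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample lines (not real device output).
OLD_STYLE = "<134>Jan 15 10:22:31 vpn-gw01 PulseSecure: user login succeeded"
NEW_STYLE = "<134>1 2018-01-15T10:22:31Z vpn-gw01 PulseSecure - - - user login succeeded"


def parse_syslog(line):
    """Return the header fields plus a 'format' key naming the matched RFC."""
    for name, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        match = pattern.match(line)
        if match is None:
            continue
        pri = int(match.group("pri"))
        if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
            break
        record = match.groupdict()
        record.update(format=name, facility=pri >> 3, severity=pri & 7)
        return record
    # Route unparsed lines to a review queue instead of dropping them silently.
    return {"format": "unknown", "raw": line}


if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_STYLE):
        print(parse_syslog(sample))
```

Counting the lines that come back as `unknown` per source is a simple way to notice a format change on the sending device before a detection gap builds up.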