majo1:
First to your specific challenge: since the events are Syslog, they require setting up the Syslog connector rather than, or in addition to, the CEF connector. As things are now, the Syslog messages are rejected.
To have a single connector VM support both CEF and Syslog:
- Install the CEF connector VM using the instructions in the connector page (the new procedure, in case yours was set up before October).
- Configure the facilities and priorities for which you want to collect Syslog messages using Settings -> Workspace Settings -> Advanced Settings -> Data -> Syslog.
- Make sure that the facility/priority combination used by your CEF source is not configured for Syslog collection
That’s it. If #3 is not doable, we will have to revert to config file editing on the VM.
As to your question:
- You will need custom parsers as described in the custom connector blog post.
- A troubleshooting script is available for CEF. For Syslog I suggest working with support.
- Having a connector listed in the connector page implies parsing; however, most of them are CEF, which means parsed as sent. This does not hold true for the list here.
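The third step above (making sure the facility/priority combination used by the CEF source is not also configured for Syslog collection) can be checked mechanically. The script below is an added example, not code from the post or from the Sentinel connector; it assumes the CEF source prepends a standard RFC 5424 `<PRI>` header to each line (PRI = facility * 8 + severity) and that you transcribe the workspace's Syslog data setting into the `SYSLOG_COLLECTION` dictionary by hand. The sample CEF lines and the collection configuration are constructed for illustration.

```python
import re

# RFC 5424 facility codes 0-23 and severity codes 0-7, indexed by numeric value.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Decode the leading <PRI> of a syslog line into (facility, severity).

    PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8.
    Raises ValueError when the prefix is missing or out of range (max 191).
    """
    match = PRI_RE.match(line)
    if not match:
        raise ValueError("no <PRI> prefix on line: %r" % line[:40])
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def find_overlap(cef_lines, syslog_collection):
    """Return the (facility, severity) pairs emitted by the CEF source that the
    workspace's Syslog collection would also pick up.

    cef_lines: raw lines as the CEF source sends them, with the <PRI> prefix.
    syslog_collection: {facility: set(severities)} mirroring the Syslog data
    setting under Advanced Settings -> Data -> Syslog.
    An empty result means the CEF facility/priority is not collected as Syslog.
    """
    overlaps = []
    for line in cef_lines:
        facility, severity = parse_pri(line)
        if severity in syslog_collection.get(facility, set()):
            pair = (facility, severity)
            if pair not in overlaps:
                overlaps.append(pair)
    return overlaps


# Constructed sample: two CEF events as a hypothetical firewall would emit them.
# <134> = 16*8 + 6 -> local0.info; <13> = 1*8 + 5 -> user.notice.
SAMPLE_CEF_LINES = [
    "<134>CEF:0|Contoso|Firewall|1.0|100|Connection allowed|3|src=10.0.0.5 dst=10.0.0.9",
    "<13>CEF:0|Contoso|Firewall|1.0|101|Connection denied|5|src=10.0.0.5 dst=10.0.0.9",
]

# Constructed sample of a workspace Syslog setting: local0 at info and above,
# plus all severities of auth. The user facility is deliberately not collected.
SYSLOG_COLLECTION = {
    "local0": {"emerg", "alert", "crit", "err", "warning", "notice", "info"},
    "auth": set(SEVERITIES),
}


if __name__ == "__main__":
    for pair in find_overlap(SAMPLE_CEF_LINES, SYSLOG_COLLECTION):
        print("CEF source uses %s.%s, which Syslog collection also grabs" % pair)
```

Any pair the script reports is one to remove from the Syslog facility list (or to move the CEF source off), because otherwise the same events are handled by both paths. The facility and severity names follow RFC 5424 numbering; the `audit`, `alert` and `clock` names for codes 13 to 15 are only mnemonic, since those codes have no single canonical keyword across syslog daemons.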