We have a custom package that we use to query our data warehouse. Because of new privacy policies, we now must log our queries. So we must add new functionality to our package.
When we query the datawarehouse, we must write an event in the system log (syslog). This event must adhere to the ArcSight CEF standard. Then the ArcSight SIEM (= Security Information and Event Management) harvests the event and stores it.
I tried using the rsyslog package for creating the event and writing it to syslog. However, the prefix of the message is wrong. According to the ArcSight CEF standard, it should only contain the date/time and host name. Also, the host name should be fully qualified, which is not the case. Because of this, the event is not harvested by the ArcSight SIEM.
Maybe I am doing this all wrong. I would sure like to hear your opinion. Any help would be appreciated.
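As an added illustration (not code from the original post or from the rsyslog package), this Python snippet builds a CEF event with the required escaping and prefixes it with the syslog header the post describes: timestamp and fully qualified host name only. The vendor/product names, signature ID and the sample query are assumptions; `socket.getfqdn()` supplies the FQDN when no host name is passed in.

```python
import socket
from datetime import datetime

CEF_VERSION = 0


def _escape_header(value):
    # Header fields: backslash and the pipe delimiter must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values: backslash, '=' and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_message(vendor, product, version, signature_id, name, severity, extension=None):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...'."""
    if not (isinstance(severity, int) and 0 <= severity <= 10):
        raise ValueError("CEF severity must be an integer 0-10")
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in (extension or {}).items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def syslog_line(cef, hostname=None, when=None):
    """Prefix a CEF message with the classic syslog header: timestamp and FQDN only."""
    host = hostname or socket.getfqdn()  # fully qualified name, not the short host name
    when = when or datetime.now()
    # Classic syslog timestamp: abbreviated month, space-padded day, HH:MM:SS
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S} {host} {cef}"


def query_event(user, sql, hostname=None, when=None):
    """Event line written for one data warehouse query (vendor/product/ID are assumed values)."""
    cef = cef_message("ExampleCorp", "dwh-client", "1.0", "100",
                      "Data warehouse query", 3,
                      {"act": "query", "suser": user, "msg": sql})
    return syslog_line(cef, hostname, when)


if __name__ == "__main__":
    # Constructed sample input; a real package would call this from its query function.
    print(query_event("alice", "SELECT * FROM sales WHERE region='EU'"))
```

If the event is handed to a local syslog daemon rather than written as a complete line, the daemon prepends its own header, so the FQDN then has to come from the daemon's configuration rather than from the application.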