topic Re: Sending SIEM Mcafee logs in Firewall and Security Management

Sending SIEM Mcafee logs

FabioLima1 — Wed, 31 May 2023 15:33:12 GMT

Hello everyone, everything good ? I need help.

I configured the log exporter but the events that arrive at the siem are very low, below the evidence.

name: LOG_EXP domain-server: : CK
enabled: true
target-server: 10.0.1.1
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not configured, using default

Logs

[4011834176][31 May 12:09:42] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:47] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:52] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)

Re: Sending SIEM Mcafee logs

Chris_Atkinson — Thu, 01 Jun 2023 00:41:30 GMT

What troubleshooting have you already done and which version and JHF is the Management in this case?

Have you implemented any filters that we should be aware of?

Re: Sending SIEM Mcafee logs

FabioLima1 — Thu, 01 Jun 2023 13:19:50 GMT

Version81.10 JHF 78

what I did for troubleshooting was to analyze the logs.

Re: Sending SIEM Mcafee logs

PhoneBoy — Thu, 01 Jun 2023 18:17:59 GMT

To be honest, I'm not sure what "evidence" you're showing here.
What precise commands generated this output or what precise logs did you pull this output from?

Do you see traffic flowing to the destination syslog server with tcpdump?

Re: Sending SIEM Mcafee logs

FabioLima1 — Thu, 01 Jun 2023 18:32:58 GMT

I see syn packages but not the syn/ack

Re: Sending SIEM Mcafee logs

PhoneBoy — Thu, 01 Jun 2023 19:00:08 GMT

A SYN/ACK would come from the remote syslog server in this case.
If you're not getting that, it means there's a basic networking problem (either routing, a middle device blocking the traffic, or both).

Re: Sending SIEM Mcafee logs

FabioLima1 — Thu, 01 Jun 2023 23:23:25 GMT

I made the change to use the sending using the udp protocol instead of tcp, now the Siem team informs me that the volume of logs is low

Re: Sending SIEM Mcafee logs

PhoneBoy — Thu, 01 Jun 2023 23:39:47 GMT

By what reasoning have your SIEM team concluded that "the volume of logs is low"?
Detailed comparisons of what's in SmartView versus the SIEM would need to be made starting from the moment logs started flowing via Log Exporter.
In general, the amount of logs sent by Log Exporter should be proportional to the current logs received on the logging server.

Re: Sending SIEM Mcafee logs

the_rock — Fri, 02 Jun 2023 02:04:09 GMT

@FabioLima1 We definitely need more info here to be able to help you out better. When you indicate SIEM team told you volume of logs is low, Im not sure how to "digest" that info. Are they expecting to see certain amount of logs per minute/hour/day? Whatever you see as far as amount of logs on whatever log server it is, thats what should show up on SIEM side.

We use SIEM for few customers and so far, no issues as far as logs being received from the config we did in Smart-1 cloud environment.

Again, maybe doing some basic packet captures may help.

Andy

Re: Sending SIEM Mcafee logs

the_rock — Fri, 02 Jun 2023 14:56:43 GMT

Hey mate,

Were you able to look into things we mentioned?

Andy

Re: Sending SIEM Mcafee logs

FabioLima1 — Fri, 02 Jun 2023 19:33:22 GMT

I did the capture and I see the logs going towards Siem. One question, I configured the export log in the MDS, can you tell me if the mds sends logs or only the cma and cml that forward the logs?

Re: Sending SIEM Mcafee logs

PhoneBoy — Mon, 05 Jun 2023 18:00:43 GMT

I don't believe configuring Log Exporter at the MDS level will export the logs from the various CMAs.
Each Domain would need to have Log Exporter configured on it.