
Correlating logs from external log server

Hi all!

We have a distributed management/reporting deployment with 1 x R80.10 SmartCenter, 1 x R80.10 SmartEvent and 1 x R77.30.03 SmartEndpoint mgmt server. We have established OPSEC LEA between SmartEvent and the Endpoint Server, we receive the logs, the cpstat cpsead looks fine, and we can find them in SmartLog, but we cannot find them under the "General Overview" tab. We have also defined a "new event" type under the SmartEvent policy, but still couldn't get any correlated endpoint logs.

Would it maybe be a better idea to send the endpoint server logs to the SmartCenter and from there to the SmartEvent?

Do you have any idea on this?

Thx a lot!

Mircea

7 Replies
Admin

Re: Correlating logs from external log server

Of the three management objects (SmartEndpoint, SmartCenter, SmartEvent), which ones have SmartEvent Correlation Unit enabled on them?

0 Kudos

Re: Correlating logs from external log server

Hello Dameon,

Only the SmartEvent has the Correlation Unit enabled.

Thanks,

Mircea

0 Kudos
Admin

Re: Correlating logs from external log server

There are some differences between how R77.x does things and R80.x does things.

Normally I would suggest doing: How to configure an R80/R80.10 SmartEvent Server with an R77.x Security Management 

But since you're also using R80.10 Management, not sure this is the right answer.

Let me ping R&D :)

0 Kudos

Re: Correlating logs from external log server

Sure, thx for your help!

Sent from my phone

0 Kudos

Re: Correlating logs from external log server

The default filters of R80.10 SmartEvent "Views" and "Reports" exclude products from the Endpoint family.

So maybe the sk118525 is relevant for you.

Re: Correlating logs from external log server

Hello Evgenia,

Thank you, we will give it a try.

Thx,

Mircea

0 Kudos

Re: Correlating logs from external log server

Hi Evgenia!

Thank you for the solution. Maybe with R80.20 Endpoint will be fully supported by SmartEvent?

Thx again,

Mircea

Sent from my phone

0 Kudos