JS_FW
Participant

Log Exporter monitoring, and position "catch up"

Hi there,

We've recently migrated to Log Exporter from OPSEC LEA (R80.20 SMS), exporting to LogRhythm. For the most part things are working great. Unfortunately, our IR team is reporting gaps in our logs. I wanted to know if there is a way to monitor for when the service restarts, and if there is a way to "catch up" from the last transmitted log point. There was a position marker they were able to use when they were pulling from OPSEC LEA, but now that we are pushing, they can't use that.

Any help or guidance appreciated.

Shay_Hibah
Employee Alumnus

Hi @JS_FW 

I'm happy to hear you moved to Log Exporter solution.

When the Log Exporter process stops/starts/restarts, a log entry is written to the log file located at $EXPORTERDIR/targets/<exporter_name>/log/log_indexer.elg


After a restart, Log Exporter keeps exporting logs from the point at which it stopped.

This data can be found in $EXPORTERDIR/targets/<exporter_name>/data/FetchedFiles, but this data is not exported to LogRhythm and is not very intuitive to use.

I'm curious what your gaps are - maybe I can give you a solution for that.

Are you able to specify your issues?


Thanks,

Shay


JS_FW
Participant

Hi Shay, thanks kindly for the response. I believe our SE mentioned your name when we were discussing this issue.

According to our Incident Response team, there are gaps in the timestamps of the logs themselves.

For now we have a band-aid in place - a cron job that restarts the Log Exporter service every 30 minutes. Unfortunately this is not a viable long-term solution. I am currently working with TAC and have sent cpinfo and core dumps in order to research the potential cause of the issue.

Cheers!

Joel

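The thread never shows how the IR team found the timestamp gaps, and the "position marker" they lost with OPSEC LEA can be reconstructed on the receiving side from the newest timestamp seen. The following is an added example, not code from the original posts, from Check Point or from LogRhythm: it runs gap detection over a constructed sample of exported lines and reports the last position. The line layout (an ISO-8601 UTC timestamp as the first field, followed by the event) is an assumption for the sample only, not the real Log Exporter or LogRhythm format; adapt `parse_timestamp` to whatever your receiver stores.

```python
"""Added example: find silences in a stream of exported log lines and record
the newest timestamp as a catch-up marker. Not from the original thread."""
from datetime import datetime

# Constructed sample. The layout (timestamp, then the event) is assumed for
# this example; it is not the real Log Exporter / LogRhythm record format.
# Lines are deliberately slightly out of order and one is unparsable.
SAMPLE_LINES = [
    '2021-04-01T10:00:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.5"; dst:"10.0.1.9"]',
    '2021-04-01T10:02:30Z gw1 CheckPoint: [action:"Drop"; src:"10.0.0.7"; dst:"10.0.1.9"]',
    '2021-04-01T10:01:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.5"; dst:"10.0.1.2"]',
    '2021-04-01T10:20:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.9"; dst:"10.0.1.9"]',
    '2021-04-01T10:21:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.9"; dst:"10.0.1.9"]',
    '2021-04-01T10:21:05Z gw1 CheckPoint: [action:"Drop"; src:"10.0.0.3"; dst:"10.0.1.1"]',
    'this line has no timestamp and must be skipped, not crash the scan',
    '2021-04-01T10:55:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.5"; dst:"10.0.1.9"]',
    '2021-04-01T10:56:00Z gw1 CheckPoint: [action:"Accept"; src:"10.0.0.5"; dst:"10.0.1.9"]',
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format of the sample


def parse_timestamp(line):
    """Return the datetime in the first field of the line, or None if it
    cannot be parsed (malformed lines are counted, never fatal)."""
    first_field = line.split(" ", 1)[0]
    try:
        return datetime.strptime(first_field, TS_FORMAT)
    except ValueError:
        return None


def _sorted_stamps(lines):
    """Parse every line and sort the valid timestamps, so out-of-order
    delivery is not reported as a gap or a negative interval."""
    return sorted(ts for ts in map(parse_timestamp, lines) if ts is not None)


def find_gaps(lines, max_gap_seconds=300):
    """Return (start, end, seconds) for every interval between consecutive
    events that is longer than max_gap_seconds. Tune the threshold to the
    gateway's normal event rate; 5 minutes is only the example default."""
    stamps = _sorted_stamps(lines)
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        seconds = int((later - earlier).total_seconds())
        if seconds > max_gap_seconds:
            gaps.append((earlier, later, seconds))
    return gaps


def last_position(lines):
    """Newest timestamp seen. Persisting this on the receiving side gives the
    IR team a position marker to compare against after a restart."""
    stamps = _sorted_stamps(lines)
    return stamps[-1] if stamps else None


def unparsed_count(lines):
    """How many lines were skipped; a rising number is itself worth alerting on."""
    return sum(1 for line in lines if parse_timestamp(line) is None)


if __name__ == "__main__":
    for start, end, seconds in find_gaps(SAMPLE_LINES):
        print(f"gap of {seconds}s: {start.isoformat()} -> {end.isoformat()}")
    print("last position:", last_position(SAMPLE_LINES).isoformat())
    print("unparsed lines:", unparsed_count(SAMPLE_LINES))
```

Run against the real export feed, the gap list gives the IR team concrete windows to compare with the gateway's own log files, and the last position recorded before a restart tells them whether the exporter really resumed where it stopped.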
