LogExporter IPS logs to ArcSight CEF

Hello,

 

Is anyone sending logs to ArcSight and is using the IPS blade? 

I'm having an issue where these specific logs are not sending the destination address.

This only happens with IPS events, the rest of the blades do send the fields I need.

 

This is on R80.10 latest JHF smartevent and gateways.

 

5 Replies

Re: LogExporter IPS logs to ArcSight CEF

We have same issue.

I opened a SR, but TAC just said to use LEA.

Admin

Re: LogExporter IPS logs to ArcSight CEF

Log Exporter is the preferred solution for exporting to a SIEM going forward. If TAC is telling you otherwise, please escalate the ticket.

In this specific case, it sounds like a bug, so ensure a Task is filed with R&D. @Dan_Zada 

Employee+

Re: LogExporter IPS logs to ArcSight CEF

Hi,

Which reading mode are you using (see SK122323)?

If you are using "raw", it might be that you get 2 log fragments, but if you change it to semi-unified, each time a log fragment is received by the log server, it will export the full log (all data it had until that point).

 

You can read more about reading-modes in SK122323.

 

Thanks!

Dan.

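To make the reading-mode point in the reply above concrete, here is an added example (not code from the thread, from Check Point, or from Log Exporter itself) that models the behaviour described: an IPS log reaches the log server as more than one fragment; "raw" exports each fragment as it arrives, while "semi-unified" re-exports the whole log with everything collected so far on every fragment. The two constructed fragments, the field names, the CEF header values and the small field-to-CEF mapping are all assumptions for illustration, not Check Point's real mapping file. It then shows the consumer-side check a practitioner would want: which exported CEF lines actually carry both src and dst, and how to keep only the latest export per log ID when semi-unified mode produces repeats.

```python
"""Simulate Log Exporter 'raw' vs 'semi-unified' read modes on a fragmented IPS log.

Added example, not Check Point code. Fragments, field names and CEF mapping
are constructed assumptions; the CEF header values are placeholders.
"""
import re

# Constructed sample: one IPS log arriving as two fragments with the same log ID.
# The first fragment has the source but no destination; the second adds dst.
FRAGMENTS = [
    {"loguid": "{0x1}", "product": "IPS", "src": "203.0.113.7",
     "attack": "Scanner", "action": "Detect"},
    {"loguid": "{0x1}", "product": "IPS", "dst": "192.0.2.10", "service": "443"},
]

# Hypothetical mapping from log fields to CEF extension keys (assumption).
CEF_MAP = {
    "loguid": "externalId", "src": "src", "dst": "dst",
    "service": "dpt", "attack": "cs1", "action": "act",
}


def to_cef(log: dict) -> str:
    """Render one exported log as a CEF line: 7 pipe-separated header fields, then extensions."""
    header = "CEF:0|Check Point|{product}|R80.10|{name}|{name}|5|".format(
        product=log.get("product", "?"), name=log.get("attack", "Log"))
    ext = " ".join(f"{CEF_MAP[k]}={log[k]}" for k in CEF_MAP if k in log)
    return header + ext


def export(fragments, mode: str) -> list:
    """Return the CEF lines a SIEM would receive for the given read mode."""
    lines, merged = [], {}
    for frag in fragments:
        if mode == "raw":
            lines.append(to_cef(frag))          # each fragment exported on its own
        elif mode == "semi-unified":
            merged.update(frag)                 # full log as known so far
            lines.append(to_cef(dict(merged)))
        else:
            raise ValueError(f"unknown read mode: {mode}")
    return lines


def cef_extension(line: str) -> dict:
    """Parse the CEF extension part into a dict (simple key=value split, no escapes)."""
    ext = line.split("|", 7)[7]
    return dict(re.findall(r"(\w+)=(\S+)", ext))


def has_src_and_dst(line: str) -> bool:
    """True when the exported line carries both endpoints; the thread's symptom is a missing dst."""
    ext = cef_extension(line)
    return "src" in ext and "dst" in ext


def latest_per_log(lines) -> list:
    """Keep only the last export per externalId; collapses semi-unified repeats to one record."""
    latest = {}
    for line in lines:
        latest[cef_extension(line)["externalId"]] = line
    return list(latest.values())


if __name__ == "__main__":
    for mode in ("raw", "semi-unified"):
        out = export(FRAGMENTS, mode)
        print(mode, "->", [has_src_and_dst(l) for l in out])
        for l in latest_per_log(out):
            print("  kept:", l)
```

With the constructed fragments, raw mode never yields a single line with both src and dst, which matches the symptom in the original post; semi-unified yields a complete record on the second export, and deduplicating on the log ID leaves one line that has everything.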

Re: LogExporter IPS logs to ArcSight CEF

It's all on default settings.

It would seem weird that it doesn't have destination on these particular IPS events. All others work correctly.

Re: LogExporter IPS logs to ArcSight CEF

I should do this as part of the SR?

I did open an SR and escalating team just asked for tcpdumps when I see IPS events, to basically confirm 1 of 2 outcomes:

 

1- ArcSight is doing something and dropping the mapping, which I know it doesn't since raw events are not showing this.

2- Log Exporter on anything below R80.30 doesn't have great support sending/mapping this info easily. Support doesn't really recommend upgrading to R80.30 in critical production environments.
