Dawei_Ye
Collaborator

SIEM received three logs with a same loguid

Hi guys,

 

We are trying to integrate SMS with our SIEM via Log Exporter.

But our SIEM seems to receive the log three times, and the fields in the logs are different:

[three screenshots of the log entries: 01.png, 02.jpg, 03.png]

Could we make some changes to avoid this?

 

Regards

0 Kudos
2 Replies
Dan_Zada
Employee Alumnus

Hi

After the first log is sent to the log server, additional updates can be created by the GW and those are also sent to the log server. Each update is considered to be an individual log.

The log exporter has 2 running modes:

1. Raw (default) - in this mode the updates will be exported as is, meaning just the delta

2. Semi unified - in this mode, the log exporter will export an aggregated version of the log (with all the data) for every update

 

If you are using Splunk, you can take a look at our new app for Splunk. The queries we implemented there can join the duplicated data (in semi unified mode) and show you just the latest one.

 

Thanks!

Dan.

 

0 Kudos
Dawei_Ye
Collaborator

Hi Dan,

Yes, I noticed the read mode could be the key.

 

We are not using Splunk but we tried semi-unified right now.

 

And how could I identify the logs?

I believe some fields, like loguid, should be included in every log, even the update logs. Right?

 

When I use raw mode, my SIEM could correlate the logs with the same loguid into a complete log.

0 Kudos
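The two behaviours discussed in this thread, folding raw-mode deltas into one record per loguid (what Dawei's SIEM does) and keeping only the latest semi-unified copy (what Dan describes the Splunk app's queries doing), as an added example that is not part of this thread or of Check Point's Log Exporter. The log lines are constructed: `loguid` and `sequencenum` are real Check Point log field names, but the `key="value"` layout, the values and the `last_update_time` field the merge adds are assumptions for the example only.

```python
"""Correlating Check Point Log Exporter output by loguid (example, not vendor code).

Constructed sample: the lines imitate a key="value" log body. loguid and
sequencenum are Check Point field names; every value here is made up.
"""
import re

# One key="value" pair; values are quoted because they may contain spaces.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Raw mode (default): the first record is the full log, later records for
# the same loguid carry only the delta the gateway produced afterwards.
RAW_MODE_LINES = [
    'time="2023-05-01T10:00:01Z" loguid="{0x1111}" sequencenum="1" action="Accept" src="10.0.0.5" dst="203.0.113.9" service="443"',
    'time="2023-05-01T10:00:03Z" loguid="{0x1111}" sequencenum="2" app_name="Web Browsing" app_risk="Low"',
    'time="2023-05-01T10:00:07Z" loguid="{0x1111}" sequencenum="3" bytes="48213" duration="6"',
    'time="2023-05-01T10:00:02Z" loguid="{0x2222}" sequencenum="1" action="Drop" src="10.0.0.8" dst="198.51.100.4" service="23"',
]

# Semi-unified mode: every update repeats all fields known so far, so the SIEM
# sees the same loguid several times and only the last copy is complete.
SEMI_UNIFIED_LINES = [
    'time="2023-05-01T10:00:01Z" loguid="{0x1111}" sequencenum="1" action="Accept" src="10.0.0.5" dst="203.0.113.9" service="443"',
    'time="2023-05-01T10:00:03Z" loguid="{0x1111}" sequencenum="2" action="Accept" src="10.0.0.5" dst="203.0.113.9" service="443" app_name="Web Browsing" app_risk="Low"',
    'time="2023-05-01T10:00:07Z" loguid="{0x1111}" sequencenum="3" action="Accept" src="10.0.0.5" dst="203.0.113.9" service="443" app_name="Web Browsing" app_risk="Low" bytes="48213" duration="6"',
]


def parse_kv(line):
    """Turn one key="value" line into a dict (a repeated key keeps its last value)."""
    return {k: v for k, v in _KV_RE.findall(line)}


def merge_raw_updates(lines):
    """Raw mode: fold every delta with the same loguid into one complete record.

    Records are applied in sequencenum order so a later update overwrites an
    earlier value of the same field (for example a final byte count). The
    'time' of the first record is kept as the event time; the time of the
    newest delta goes into the assumed field 'last_update_time'.
    """
    by_uid = {}
    records = (parse_kv(l) for l in lines)
    for rec in sorted(records, key=lambda r: int(r.get("sequencenum", 0))):
        merged = by_uid.setdefault(rec["loguid"], {})
        for key, value in rec.items():
            if key == "time" and "time" in merged:
                merged["last_update_time"] = value
            else:
                merged[key] = value
    return by_uid


def latest_semi_unified(lines):
    """Semi-unified mode: keep only the highest-sequencenum copy per loguid,
    which is what a 'show me the latest one' query over the duplicates does."""
    by_uid = {}
    for rec in (parse_kv(l) for l in lines):
        uid = rec["loguid"]
        if uid not in by_uid or int(rec["sequencenum"]) > int(by_uid[uid]["sequencenum"]):
            by_uid[uid] = rec
    return by_uid


if __name__ == "__main__":
    for uid, rec in merge_raw_updates(RAW_MODE_LINES).items():
        print("raw ", uid, rec)
    for uid, rec in latest_semi_unified(SEMI_UNIFIED_LINES).items():
        print("semi", uid, rec)
```

Either way the join key is `loguid`; `sequencenum` gives the order of the updates, and whichever mode is chosen the SIEM should not treat the update records as independent events, or counts and dashboards will be inflated by the number of updates per connection.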