lmediavilla
Explorer

CEF forwarding missing IPS fields

Hello,

I have an MDS setup with an MLM appliance. I have a problem with the IPS logs when I forward them using CEF format.
I have the standard file "CefFieldsMapping.xml" under "/opt/CPrt-R81.10/log_exporter/conf"

When I get an event that shows on Sentinel with DeviceProduct as SmartDefense and DeviceEventClassID as IPS, I don't get any information from Forensics detail or Advanced Forensics detail.

I get other fields like the IP addresses, CVE, action, source, system... but no forensic information.

Is there a possibility to forward that missing part of the logs?

Kind regards.

Amir_Senn
Employee

Thoughts and questions:

a. Same results for raw and semi-unified?

b. Other formats work well or you haven't tried?

c. Mostly under forensics we have pcap and sometimes other information, changing from protection to protection. For pcap we have a special flag that adds a link to open the pcap via SmartView. You can find it and other optional flags in the Log Exporter SK under Advanced Deployment - Additional Commands - Parameters.

Hope this at least helps in some part.

Kind regards, Amir Senn
lmediavilla
Explorer

Hello,

Same result changing semi-unified to raw format.

Same result in syslog format.

The IPS does not have the forensic fields and the action.

I can add the link to SmartView but that is not what I want. I want the log exported so another tool can check it automatically.

Kind regards.

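The thread above describes IPS events arriving in CEF with the basic fields (addresses, CVE, action) but no forensics detail, and the poster wants another tool to check the exported log automatically rather than follow a SmartView link. The script below is an added example for this thread, not Check Point's Log Exporter code: it parses CEF lines (handling escaped pipes in the header and escaped `=` and backslashes in extension values) and reports every SmartDefense/IPS event that carries none of an assumed set of forensics extension keys. The key names in FORENSICS_KEYS and the sample lines are constructed for illustration; replace the keys with whatever your CefFieldsMapping.xml emits for the forensics fields.

```python
"""Audit CEF lines for IPS events that carry no forensics fields.

Added example for this thread; it is not Check Point's Log Exporter code. The
extension keys in FORENSICS_KEYS are an assumption for illustration: substitute
the key names your CefFieldsMapping.xml actually emits for the forensics fields.
"""
import re
from typing import Dict, List, Optional

# Assumed keys that would carry forensic detail if the exporter included it.
FORENSICS_KEYS = {"cs5", "cs6", "flexString1", "flexString2"}

# The seven header fields of a CEF record, in order.
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")

# key=value pairs in the extension; values may contain spaces and the escapes \= and \\.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|$)")


def _split_header(line: str) -> List[str]:
    """Return the 7 header fields (escaped pipes/backslashes unescaped) plus the raw extension."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped pipe or backslash
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                         # field separator
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-separated fields")
    parts.append(line[i:])                      # everything after the 7th pipe
    return parts


def _unescape_ext(value: str) -> str:
    """Undo CEF extension escaping (backslash before '=', backslash, 'n' or 'r')."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict of header fields and extension keys."""
    parts = _split_header(line.strip())
    if not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"][len("CEF:"):]
    for m in EXT_RE.finditer(parts[7]):
        event[m.group("key")] = _unescape_ext(m.group("val"))
    return event


def forensics_present(event: Dict[str, str]) -> Optional[List[str]]:
    """For a SmartDefense/IPS event, list which forensics keys it carries; None otherwise."""
    if event.get("deviceProduct") != "SmartDefense" or event.get("signatureId") != "IPS":
        return None
    return sorted(k for k in FORENSICS_KEYS if k in event)


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per unparsable line or per IPS event with no forensics key."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        try:
            event = parse_cef(line)
        except ValueError as exc:
            findings.append({"line": n, "problem": str(exc)})
            continue
        if forensics_present(event) == []:
            findings.append({"line": n, "problem": "IPS event without forensics fields",
                             "name": event.get("name", ""), "src": event.get("src", "")})
    return findings


# Constructed sample lines, not captured from a real gateway. Vendor/product/class
# values follow the thread; the extension keys are standard CEF names chosen here.
SAMPLE_LINES = [
    # Basic fields only, as the poster describes: no forensics keys at all.
    r"CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Injection Attempt|High|"
    r"src=10.0.0.5 dst=192.0.2.10 act=Drop cs3Label=cve cs3=CVE-0000-0000 msg=Blocked by IPS",
    # Same class with an (assumed) forensics key; escaped pipe in the name, escapes in the value.
    r"CEF:0|Check Point|SmartDefense|Check Point|IPS|Cross\|Site Scripting|Medium|"
    r"src=10.0.0.7 dst=192.0.2.11 act=Prevent cs5Label=forensics cs5=pkt\=GET /a\\b cs6=pcap",
    # Not an IPS event: the check must ignore it.
    r"CEF:0|Check Point|Firewall|Check Point|Accept|Accept|Low|src=10.0.0.9 dst=192.0.2.12 act=Accept",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```

To run it against a real export, pass the file's lines to `audit()` (for example `audit(open("cef.log").read().splitlines())`); a steady stream of "IPS event without forensics fields" findings for every SmartDefense/IPS line confirms the exporter is dropping those fields, while findings labelled "malformed" point at lines the parser could not split, which is worth checking before trusting any field-level conclusion.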
