Sumit
Participant

Fields destination IP, ports missing in raw logs sent to QRadar


Hi,

I am using the Log Exporter (LEEF) format for QRadar.

However, I cannot see complete logs, especially in IPS "Exploits" logs. I can only see the source IP, but not the destination IP, destination port, or source port in the logs in my QRadar.

Those fields are needed for the automation we have in place, which worked well with OPSEC LEA.

May I get the steps to get complete IPS logs? I am using version R81.

Regards,

Sumit


Accepted Solutions
Sumit
Participant

Solved.

In case anyone is interested: set the log type to semi-unified in expert mode, with the command below:

cp_log_export set name <name> read-mode semi-unified

Command to view the configured log exporters:

cp_log_export show

 

If the log exporter was created using the SmartConsole UI:

1. In Objects > Servers > Log Exporter/SIEM, select the object.

2. Right click on object and select Edit.

3. In Left Pane, select Data Manipulation.

4. Check "Aggregate log updates before export".

5. Publish and Install Policy. 

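Once the exporter is switched to semi-unified read mode (or "Aggregate log updates before export" is enabled), the natural follow-up is to confirm on the receiving side that IPS events now carry the full connection tuple instead of only the source IP. The script below is an added example, not code from the original post and not Check Point or IBM code. It parses LEEF 1.0/2.0 lines as they would arrive at QRadar (anything before "LEEF:", such as a syslog header, is skipped), reports which events lack dst, dstPort or srcPort, and tallies the misses per field. The attribute names src/dst/srcPort/dstPort are an assumption about the exporter's LEEF field mapping, and the sample events are constructed for illustration, not real exporter output; pipe a capture of the exporter's output into it for a real check.

```python
"""Audit LEEF events exported by Check Point Log Exporter for missing connection fields.

Added example, not code from the original post or from Check Point. It assumes
LEEF 1.0/2.0 syntax (header fields separated by '|', attributes as key=value pairs,
tab-delimited unless LEEF 2.0 names another delimiter) and that the exporter maps
the connection tuple to the attribute names src, dst, srcPort and dstPort
(assumption; confirm against your exporter's field mapping).
"""
import re
import sys
from collections import Counter

# Fields the thread reports missing from IPS "Exploits" events before switching
# the exporter to semi-unified read mode (attribute names are an assumption).
REQUIRED_FIELDS = ("src", "dst", "srcPort", "dstPort")

# Constructed sample events (not real exporter output). The first two mimic an
# IPS event with and without the connection tuple; the third is LEEF 1.0 style.
SAMPLE_EVENTS = [
    "LEEF:2.0|Check Point|SmartDefense|1.0|Detect|x09|cat=Network Security"
    "\tsrc=10.1.1.5\tdst=203.0.113.8\tsrcPort=51234\tdstPort=443\tproto=tcp",
    "LEEF:2.0|Check Point|SmartDefense|1.0|Detect|x09|cat=Network Security"
    "\tsrc=10.1.1.7\tproto=tcp",
    "LEEF:1.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|src=10.1.1.9"
    "\tdst=198.51.100.2\tsrcPort=40000\tdstPort=80",
]


def _decode_delimiter(field):
    """LEEF 2.0 delimiter field: empty means tab, 'xHH' is a hex code, else literal."""
    if field == "":
        return "\t"
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", field):
        return chr(int(field[1:], 16))
    return field


def parse_leef(line):
    """Parse one LEEF 1.0 or 2.0 event into (header dict, attribute dict).

    Anything before 'LEEF:' (e.g. a syslog priority and timestamp) is ignored.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    parts = line[start:].rstrip("\r\n").split("|")
    version = parts[0].split(":", 1)[1]
    if version.startswith("2"):
        if len(parts) < 7:
            raise ValueError("malformed LEEF 2.0 header")
        vendor, product, product_version, event_id, delim_field = parts[1:6]
        delimiter = _decode_delimiter(delim_field)
        attr_text = "|".join(parts[6:])  # attribute values may contain '|'
    else:
        if len(parts) < 6:
            raise ValueError("malformed LEEF 1.0 header")
        vendor, product, product_version, event_id = parts[1:5]
        delimiter = "\t"
        attr_text = "|".join(parts[5:])
    header = {"version": version, "vendor": vendor, "product": product,
              "product_version": product_version, "event_id": event_id}
    attributes = {}
    for pair in attr_text.split(delimiter):
        key, sep, value = pair.partition("=")
        if sep:  # skip empty or malformed fragments
            attributes[key.strip()] = value
    return header, attributes


def missing_fields(attributes, required=REQUIRED_FIELDS):
    """Return the required field names that are absent or empty in one event."""
    return [name for name in required if not attributes.get(name)]


def audit(lines, required=REQUIRED_FIELDS):
    """Summarise completeness over many events: totals plus per-field miss counts."""
    summary = {"total": 0, "incomplete": 0, "unparsed": 0,
               "missing_counts": Counter(), "incomplete_events": []}
    for line in lines:
        try:
            header, attributes = parse_leef(line)
        except ValueError:
            summary["unparsed"] += 1
            continue
        summary["total"] += 1
        missing = missing_fields(attributes, required)
        if missing:
            summary["incomplete"] += 1
            summary["missing_counts"].update(missing)
            summary["incomplete_events"].append(
                (header["product"], header["event_id"], attributes.get("src"), missing))
    return summary


if __name__ == "__main__":
    # Pipe captured exporter output in on stdin, or run without input to use the samples.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    result = audit(source)
    print(f"{result['total']} events parsed, {result['incomplete']} incomplete, "
          f"{result['unparsed']} unparsed")
    for name, count in result["missing_counts"].most_common():
        print(f"  {name}: missing in {count} event(s)")
    for product, event_id, src, missing in result["incomplete_events"]:
        print(f"  {product}/{event_id} src={src}: missing {', '.join(missing)}")
```

Run it against a capture taken before and after the read-mode change; if the per-field miss counts for dst, dstPort and srcPort drop to zero for the IPS product's events, the automation that depended on those fields under OPSEC LEA has what it needs again. If events still come through incomplete, the field names in REQUIRED_FIELDS are the first thing to check against the exporter's actual mapping.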