ohhdiddlediddle
Explorer

IPS logs in semi-unified

Hello All - I'm working with my client to set-up logging via syslog.

> Client has set-up syslog logging under "raw" mode and we are seeing IPS blade logs in the SIEM(514/UDP).

> We requested to set-up an additional logging using semi-unified for another project on the same SIEM but on a different port (1514/UDP).

> I can see the IPS blade logs on the old log exporter but not on the new log exporter (1514/UDP).

> Client claims that there was no additional configuration performed by him for the old exporter.

> Is there an option that needs to be enabled separately to send IPS blade logs on the new exporter?


[Expert@**hidden**:0]# cp_log_export show
name: **hidden**
enabled: true
target-server: **hidden**
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

(new exporter)
name: **hidden**
enabled: true
target-server: **hidden**
target-port: 1514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

0 Kudos
2 Replies
Timothy_Hall
Champion
Champion

What happens if the 1514 exporter is set to raw instead of semi-unified?  The answer should tell you if it is an issue with the non-standard port number (like an implied rule or something) or the read-mode setting.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
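The isolation test above comes down to comparing the two exporter definitions setting by setting. As an added example (not from the thread or from Check Point), this parses `cp_log_export show` output of the shape quoted in the question into one record per exporter and lists exactly which settings differ between the working exporter and the silent one; the exporter names and server address are constructed placeholders.

```python
# Constructed sample, shaped like the `cp_log_export show` output quoted in the thread.
SAMPLE_SHOW = """\
name: siem_raw
enabled: true
target-server: 192.0.2.10
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

name: siem_semi
enabled: true
target-server: 192.0.2.10
target-port: 1514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
"""


def parse_show(text):
    """Split `cp_log_export show` output into one dict per exporter, keyed by name.

    A new `name:` line starts a new record; lines without `key: value` form
    (blank lines, shell prompts, the "(new exporter)" label) are ignored.
    """
    exporters, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "name":
            current = exporters.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return exporters


def diff_exporters(exporters, baseline, candidate):
    """Return {setting: (baseline_value, candidate_value)} for every setting that differs."""
    a, b = exporters[baseline], exporters[candidate]
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Any setting returned by `diff_exporters` (here the port and the read-mode) is a variable to change one at a time, as the reply suggests; if the list is empty apart from the port, the exporter definitions themselves are not the explanation.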
ohhdiddlediddle
Explorer

Hello - I will certainly check the implied rules portion. The new exporter is set to semi-unified because of testing that we would like to perform on the log collector. We have some issues with the parsing of IPS logs in raw mode, so we would like to test the IPS logs under semi-unified mode.


0 Kudos