LogExporter IPS logs to ArcSight CEF
Hello,
Is anyone sending logs to ArcSight and is using the IPS blade?
I'm having an issue where these specific logs are not sending the destination address.
This only happens with IPS events; the rest of the blades do send the fields I need.
This is on R80.10 with the latest JHF, on SmartEvent and the gateways.
We have same issue.
I opened an SR, but TAC just said to use LEA.
Log Exporter is the preferred solution for exporting to a SIEM going forward. If TAC is telling you otherwise, please escalate the ticket.
In this specific case, it sounds like a bug; please ensure a Task is filed with R&D. @Dan_Zada
Hi,
Which reading mode are you using (see SK122323)?
If you are using "raw", you might get 2 log fragments; but if you change it to semi-unified, each time a log fragment is received by the log server, it will export the full log (all data it had until that point).
You can read more about reading-modes in SK122323.
Thanks!
Dan.
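As an added illustration of the raw versus semi-unified distinction in the reply above (example code written for this page, not part of the original thread and not Check Point's or Log Exporter's own code): the two CEF lines below are constructed sample fragments of one IPS log, with illustrative field names rather than the exact Log Exporter CEF mapping, and the destination only present in the second fragment. The script shows what a SIEM sees in raw mode (two partial records), what it would see in semi-unified mode (each export is the log as known so far, so the later export is a superset), and the consumer-side merge or dedup by loguid that each mode requires.

```python
import re
from collections import OrderedDict

# CEF extension: key=value pairs separated by whitespace; a value runs until the
# next " key=" token, so values may contain spaces. Escaped "\=" and "\|" are not
# handled here (the constructed samples below need neither).
CEF_EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_]+=|\s*$)")
CEF_HEADER = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")

# Constructed sample: two raw-mode fragments of ONE IPS log (same loguid).
# Field names are illustrative, not the real Log Exporter CEF mapping.
RAW_FRAGMENTS = [
    "CEF:0|Check Point|IPS|R80.10|Sample Protection|Sample Protection|High|"
    "loguid={0x5c0001} rt=1554137400000 src=10.1.1.5 proto=6",
    "CEF:0|Check Point|IPS|R80.10|Sample Protection|Sample Protection|High|"
    "loguid={0x5c0001} dst=192.0.2.10 dpt=443 act=Prevent",
]


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    ext = {m.group("key"): m.group("val") for m in CEF_EXT_RE.finditer(parts[7])}
    return header, ext


def raw_mode_view(lines):
    """What the SIEM receives in raw mode: every fragment as its own partial record."""
    return [parse_cef(line)[1] for line in lines]


def semi_unified_view(lines, key="loguid"):
    """Simulate semi-unified mode: on each fragment the log server exports the whole
    log as known so far, so each later export is a superset of the earlier one."""
    state, exports = {}, []
    for n, line in enumerate(lines):
        _, ext = parse_cef(line)
        uid = ext.get(key, ("nouid", n))  # a fragment without loguid cannot be correlated
        acc = state.setdefault(uid, {})
        acc.update(ext)                    # later fragments add or overwrite fields
        exports.append(dict(acc))          # snapshot of the accumulated data at this point
    return exports


def latest_per_loguid(records, key="loguid"):
    """Consumer-side dedup for semi-unified exports: keep the last (most complete)
    record per loguid; records without a loguid are kept as they are."""
    out = OrderedDict()
    for n, rec in enumerate(records):
        out[rec.get(key, ("nouid", n))] = rec
    return list(out.values())


def merge_fragments(lines, key="loguid"):
    """Consumer-side fix for raw mode: merge fragments by loguid, later fields win."""
    return latest_per_loguid(semi_unified_view(lines, key), key)


if __name__ == "__main__":
    for label, view in (("raw", raw_mode_view(RAW_FRAGMENTS)),
                        ("semi-unified", semi_unified_view(RAW_FRAGMENTS))):
        for i, rec in enumerate(view, 1):
            print(f"{label} export {i}: dst={rec.get('dst', '<missing>')} fields={sorted(rec)}")
    print("merged:", merge_fragments(RAW_FRAGMENTS)[0])
```

In raw mode the first export has no dst at all, which is exactly what a SIEM that keys on the first fragment will show; in semi-unified mode the second export already carries src, dst and act together and only needs dedup by loguid. The reading mode is a parameter of cp_log_export (SK122323 documents the read-mode setting and the restart of the exporter afterwards; confirm the exact syntax for your version there).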
It would seem weird that it doesn't have the destination on these particular IPS events. All others work correctly.
Should I do this as part of the SR?
I did open an SR, and the escalation team just asked for tcpdumps when I see IPS events, basically to confirm 1 of 2 outcomes:
1- ArcSight is doing something and dropping the mapping, which I know it doesn't, since the raw events are not showing this.
2- Log Exporter on anything below R80.30 doesn't have great support for sending/mapping this info easily. Support doesn't really recommend upgrading to R80.30 in critical production environments.
