Rodrigo_Castell
Contributor

LogExporter IPS logs to ArcSight CEF

Hello,

Is anyone sending logs to ArcSight and is using the IPS blade? 

I'm having an issue where these specific logs are not sending the destination address.

This only happens with IPS events, the rest of the blades do send the fields I need.

This is on R80.10 with the latest JHF on SmartEvent and the gateways.

0 Kudos
5 Replies
Juhyung_Lee
Explorer

We have the same issue.

I opened an SR, but TAC just said to use LEA.

0 Kudos
PhoneBoy
Admin

Log Exporter is the preferred solution for exporting to a SIEM going forward. If TAC is telling you otherwise, please escalate the ticket.

In this specific case, it sounds like a bug; please ensure a Task is filed with R&D. @Dan_Zada 

0 Kudos
Dan_Zada
Employee

Hi,

Which reading mode are you using (see SK122323)?

If you are using "raw", you might get 2 log fragments, but if you change it to semi-unified, each time a log fragment is received by the log server, it will export the full log (all the data it had until that point).

You can read more about reading-modes in SK122323.

Thanks!

Dan.

0 Kudos
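A constructed simulation, added here and not Check Point's Log Exporter code, of the difference Dan describes: one IPS log arriving as two fragments, exported once per arrival in "raw" mode versus cumulatively in semi-unified mode. The fragment contents, the CEF header values and the field-to-CEF mapping are assumptions; the point is only which exported lines carry both the attack name and `dst`.

```python
from typing import Dict, List

# Assumed field-to-CEF-extension mapping (not Log Exporter's real mapping file).
CEF_MAP = {"src": "src", "dst": "dst", "proto": "proto", "attack": "cs1", "action": "act"}

# Constructed fragments of ONE IPS log (same loguid), in arrival order.
# The attack details and the destination address land in different fragments.
FRAGMENTS: List[Dict[str, str]] = [
    {"loguid": "0x1", "src": "10.0.0.5", "proto": "tcp", "attack": "Example-IPS-Protection"},
    {"loguid": "0x1", "dst": "192.0.2.10", "action": "Prevent"},
]


def to_cef(fields: Dict[str, str]) -> str:
    """Render one log as a CEF line (constructed header values, no escaping)."""
    ext = " ".join(f"{CEF_MAP.get(k, k)}={v}" for k, v in fields.items() if k != "loguid")
    return f"CEF:0|ExampleVendor|ExampleProduct|R80.10|IPS|IPS event|5|{ext}"


def export(fragments: List[Dict[str, str]], mode: str) -> List[str]:
    """Lines emitted as fragments arrive.
    raw: each fragment on its own; semi-unified: everything seen so far for that loguid."""
    merged: Dict[str, Dict[str, str]] = {}
    lines: List[str] = []
    for frag in fragments:
        merged.setdefault(frag["loguid"], {}).update(frag)
        if mode == "raw":
            lines.append(to_cef(frag))
        elif mode == "semi-unified":
            lines.append(to_cef(merged[frag["loguid"]]))
        else:
            raise ValueError(f"unknown reading mode: {mode}")
    return lines


def cef_extension(line: str) -> Dict[str, str]:
    """Parse the extension part of a CEF line into a dict (simple key=value split)."""
    ext = line.split("|", 7)[7]
    return dict(kv.split("=", 1) for kv in ext.split())


def complete_lines(lines: List[str], required=("cs1", "dst")) -> List[int]:
    """Indices of exported lines that carry every required extension key."""
    return [i for i, line in enumerate(lines) if all(k in cef_extension(line) for k in required)]


if __name__ == "__main__":
    for mode in ("raw", "semi-unified"):
        print(mode, "complete lines:", complete_lines(export(FRAGMENTS, mode)))
```

In raw mode no single line has both the attack name and `dst`, which is what a SIEM correlating on one event would see as a missing destination; in semi-unified mode the last exported line carries the whole log.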
Rodrigo_Castell
Contributor

It's all on default settings.

It would seem weird that it doesn't have a destination on these particular IPS events. All others work correctly.
0 Kudos
Rodrigo_Castell
Contributor

Should I do this as part of the SR?

I did open an SR, and the escalation team just asked for tcpdumps when I see IPS events, basically to confirm 1 of 2 outcomes:

1- ArcSight is doing something and dropping the mapping, which I know it isn't, since raw events are not showing this.

2- Log Exporter on anything below R80.30 doesn't have great support for sending/mapping this info easily. Support doesn't really recommend upgrading to R80.30 in critical production environments.

0 Kudos