Marius_Iversen
Explorer

Long term plan for Log Exporter SIEM integration

So with Log Exporter now supporting formats for Splunk, ArcSight and so on, I just wondered whether these formats have any formal agreement with the vendors that they will be kept up to date.

Taking ArcSight (Micro Focus) as an example, there are several patterns seen with other vendor integrations where they kind of get "lost over time". Check Point's long-term roadmap might offer new blades, or changes to their log format, and the Log Exporter might not always be kept up to date.

I am not looking for any official confirmation that I can quote; it's just out of curiosity, and it is good to keep in the back of my head, as our ArcSight integration with CP will grow larger and larger over time.

Do you feel that it is up to the vendor to keep this up to date, or the SIEM vendor itself?

2 Replies
PhoneBoy
Admin

My personal take is that it requires support on both ends:

  • Check Point exporting the needed data
  • SIEM vendor properly parsing the data sent

Moving away from LEA to industry-standard syslog simplifies things, particularly for the SIEM vendor.

Marius_Iversen
Explorer

Yeah, but in this case, as in many others, it is actually the vendor that exports in the format supported by ArcSight. So if new solutions are not added to this export, or the export is not kept in the correct format, it will be harder to support.

The other way around would be if/when Check Point sends pure syslog; then it is the SIEM's responsibility to keep the parsers up to date.

I feel that when Check Point decides to support the SIEM format from the start of the export chain, it should still be MF's job to pick up that it has stopped working. :)