
R80.30 Log Exporter not sending Audit Logs to ArcSight SIEM

I am running R80.30 Management Server and my Log Exporter config is not sending Audit Logs to ArcSight SIEM


name: UKArcSight
enabled: true
target-server: IP
target-port: 514
protocol: udp
format: cef
read-mode: raw
export-link: false
export-attachment-link: false


SIEM can see traffic logs, but not Audit Logs

0 Kudos
2 Replies
Employee Alumnus

Hi @Peter_nelson,

1. Are you able to see audit logs (.adtlog) under $FWDIR/log dir?
2. Can you please copy the tag (and all its children) from your exporter targetConfiguration.xml file?

Thanks,
Shay
0 Kudos

Hi Shay,


We have an SMS on R80.30 and we have the same issue with the audit logs. We see that audit logs are being sent to the ArcSight SIEM (using tcpdump), but the information that we see in the SIEM about audit logs is poor. I mean, we didn't have these problems on R77.30.

With the information that is displayed in SIEM about audit logs, it's not possible to see what changes were made in SMS or if there was a policy installation or an object creation, etc.

I don't know if the cp_log_export function restricts information or if there is some incompatibility with ArcSight SIEM regarding audit logs.



0 Kudos

