Peter_nelson
Explorer

R80.30 Log Exporter not sending Audit Logs to ArcSight SIEM

I am running an R80.30 Management Server, and my Log Exporter configuration is not sending audit logs to ArcSight SIEM.

name: UKArcSight
enabled: true
target-server: IP
target-port: 514
protocol: udp
format: cef
read-mode: raw
export-link: false
export-attachment-link: false

The SIEM can see traffic logs, but not audit logs.

2 Replies
Shay_Hibah
Employee Alumnus

Hi @Peter_nelson,

1. Are you able to see audit logs (.adtlog) under the $FWDIR/log directory?
2. Can you please copy the tag (and all its children) from your exporter's targetConfiguration.xml file?

Thanks,
Shay
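The two checks in the reply above, wrapped in shell functions as an added example (this is not code from the thread or from Check Point). It assumes that audit logs are files ending in .adtlog under $FWDIR/log, and that each Log Exporter target keeps its targetConfiguration.xml in a directory named after the target somewhere under an exporter root directory, taken here from an assumed $EXPORTERDIR variable. The function names are hypothetical. The point of the combined status is to separate "audit logs are not being written at all" (nothing for the exporter to forward) from "the target exists but its configuration needs inspecting".

```shell
#!/bin/bash
# Added example, not from the thread or from Check Point.
# Assumptions (not stated in the thread): .adtlog files live directly under
# the given log directory, and targetConfiguration.xml lives under
# <exporter root>/.../<target name>/targetConfiguration.xml.

# Check 1: count audit log files in a log directory.
# Prints the count; returns 0 if at least one .adtlog exists, 1 otherwise.
count_adtlogs() {  # usage: count_adtlogs <log dir>
    n=$(ls "$1"/*.adtlog 2>/dev/null | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Check 2: locate targetConfiguration.xml for a named exporter target.
# Prints the path if found (empty otherwise); returns 1 when not found.
find_target_config() {  # usage: find_target_config <exporter root> <target name>
    cfg=$(find "$1" -type f -name targetConfiguration.xml -path "*/$2/*" 2>/dev/null | head -n 1)
    echo "$cfg"
    [ -n "$cfg" ]
}

# Combine both checks into one status line:
#   NO_ADTLOG                -> no audit logs written locally, so nothing can be forwarded
#   NO_TARGET_CONFIG         -> the named target has no configuration file to inspect
#   OK adtlogs=N config=PATH -> both present; inspect PATH for the target's settings
audit_export_status() {  # usage: audit_export_status <log dir> <exporter root> <target name>
    n=$(count_adtlogs "$1") || { echo "NO_ADTLOG"; return 1; }
    cfg=$(find_target_config "$2" "$3") || { echo "NO_TARGET_CONFIG"; return 2; }
    echo "OK adtlogs=$n config=$cfg"
}

# Stand-alone run against the real paths, only when both variables are set.
# The target name defaults to the one from the thread (UKArcSight).
if [ -n "$FWDIR" ] && [ -n "$EXPORTERDIR" ]; then
    audit_export_status "$FWDIR/log" "$EXPORTERDIR" "${1:-UKArcSight}"
fi
```

Run it on the management server as `./audit_export_status.sh UKArcSight` (after setting the assumed $EXPORTERDIR), or source the file and call `audit_export_status` with explicit directories. A `NO_ADTLOG` result means the problem is upstream of the exporter; an `OK` result points you at the configuration file the reply asks for.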
mashls4
Explorer

Hi Shay,

We have an SMS on R80.30 and we have the same issue with the audit logs. We see that audit logs are being sent to the ArcSight SIEM (using tcpdump), but the information that we see in the SIEM about audit logs is poor. I mean, we didn't have these problems on R77.30.

With the information that is displayed in the SIEM about audit logs, it's not possible to see what changes were made in the SMS, or whether there was a policy installation, an object creation, etc.

I don't know if the cp_log_export function restricts the information, or whether there is some incompatibility with ArcSight SIEM regarding audit logs.

Regards,

