Re: SIEM received three logs with a same loguid

Dawei_Ye · ‎2019-07-07

Hi guys,

We are trying to integrated SMS with our SIEM via Log Exporter.

But our SIEM seems to received a log three times ,and the fields in logs are different:

Could we do some changes to avoid this?

Regards

Dan_Zada · ‎2019-07-08

Hi

After the first log is being sent to the log server, additional update can be created by the GW and those are being also send to the log server. Each update considered to be individual log.

The log exporter has 2 running modes:

1. Raw (default) - in this mode the updates will be exporter as is, meaning, just the delta

2. Semi unified - in this mode, the log exporter will export an aggregated version of the log (with all the data) for every update

If you are using Splunk, you can take a look at our new app for Splunk. The queries we implemented there can join the duplicated data (in semi unified mode) and show you just the latest one.

Thanks!

Dan.

Dawei_Ye · ‎2019-07-08

Hi Dan,

yes, I noticed the read mode could be the key.

We are not using Splunk but we tried semi-unified right now.

And how could I identify the logs?

I believe some fields,like loguid,should be included in every logs ,even the update logs.right?

When I use raw mode, my SIEM could correlate the logs from a same loguid to a complete log.

Are you a member of CheckMates?

SIEM received three logs with a same loguid