- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: SIEM received three logs with a same loguid
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIEM received three logs with a same loguid
Hi guys,
We are trying to integrated SMS with our SIEM via Log Exporter.
But our SIEM seems to received a log three times ,and the fields in logs are different:
Could we do some changes to avoid this?
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
After the first log is being sent to the log server, additional update can be created by the GW and those are being also send to the log server. Each update considered to be individual log.
The log exporter has 2 running modes:
1. Raw (default) - in this mode the updates will be exporter as is, meaning, just the delta
2. Semi unified - in this mode, the log exporter will export an aggregated version of the log (with all the data) for every update
If you are using Splunk, you can take a look at our new app for Splunk. The queries we implemented there can join the duplicated data (in semi unified mode) and show you just the latest one.
Thanks!
Dan.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dan,
yes, I noticed the read mode could be the key.
We are not using Splunk but we tried semi-unified right now.
And how could I identify the logs?
I believe some fields,like loguid,should be included in every logs ,even the update logs.right?
When I use raw mode, my SIEM could correlate the logs from a same loguid to a complete log.
