MattDunn
Advisor

Syslog Question

My customer is using Darktrace (or part of it?) to collate firewall logs and do stuff with the data. 

Part of what they want is to get data on user VPN login data, including the OM IP.  They use Mobile Access.

I've set up Log Exporter to send them the data, but they take each log "line" and process it.  They can't merge multiple log lines with the same loguid into a single log. 

The problem is that not all data is included in each line.  One line shows the "Log In" with the username (presumably the MAB portal login), then when they open the SNX popup to get full network access, that log line shows the OM IP but not the username.  

Is there a way to only send the collated log to the SNMP server?


2 Replies
PhoneBoy
Admin

I assume you mean syslog server.
Sounds like supporting Darktrace as a Log Export target is an RFE.
Don’t think the filtering options only support “correlated” logs though I guess you could filter out logs that don’t include a username and OM IP.

MattDunn
Advisor

They (Darktrace) accept syslog logs.  I think it is essentially just a syslog server with some fancy wrap-around features.

The company setting up the Darktrace system say they have another customer sending Check Point logs to them which does show the username and OM IP in the same log.  They can't tell me any more detail about that customer though, or how they do it.

I wonder if there's a difference when using the full fat client instead of MAB/SNX?  Maybe full fat shows the "Log In" event with username and OM in the same log?  I'll have to try and test that...

At the moment Darktrace are only collecting "Log In" logs.  It's just unfortunate that CP sends one line with the username, and a separate line with the OM IP 🙄

Ah well, thought I'd ask in case I was missing something easy 🤣

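As an added example (not from this thread, and not Check Point or Darktrace code), a small relay stage that groups Log Exporter-style syslog lines by loguid and passes on only the records that contain both the username and the Office Mode IP, which is the merge the original post says the receiving side cannot do, and also the "filter out logs without username and OM IP" idea from the first reply. The key="value" line layout, the field names (loguid, user, om_ip, action) and the sample lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key="value" syslog layout.
# Field names are illustrative assumptions, not Check Point's documented names.
# loguid {0x1} is split across two lines: one carries the user, one the OM IP.
SAMPLE_LINES = [
    'time="2024-01-01T10:00:00Z" loguid="{0x1}" action="Log In" user="alice" src="203.0.113.5"',
    'time="2024-01-01T10:00:05Z" loguid="{0x2}" action="Log In" user="bob" src="203.0.113.9"',
    'time="2024-01-01T10:00:07Z" loguid="{0x1}" action="Log In" om_ip="192.0.2.17"',
    'time="2024-01-01T10:00:09Z" loguid="{0x3}" action="Log Out" user="carol"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one key="value" syslog line into a dict of fields."""
    return dict(KV_RE.findall(line))


def correlate(lines, required=("user", "om_ip")):
    """Merge lines that share a loguid and keep only records holding every required field.

    Lines without a loguid are dropped. When several lines carry the same key,
    the first value seen is kept so an earlier line is never overwritten.
    """
    merged = defaultdict(dict)
    for line in lines:
        fields = parse_line(line)
        guid = fields.get("loguid")
        if not guid:
            continue
        for key, value in fields.items():
            merged[guid].setdefault(key, value)
    return [rec for rec in merged.values() if all(k in rec for k in required)]


def to_syslog(record):
    """Re-serialise a merged record as one key="value" line for forwarding."""
    return " ".join(f'{k}="{v}"' for k, v in record.items())


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LINES):
        print(to_syslog(rec))
```

In a long-running relay you would also expire loguids that never receive their second line after a timeout, so incomplete logins do not accumulate in memory.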