The number of logs in the GUI and on the SIEM device do not match.
Hello,
I am working to change a customer's SIEM integration method from OPSEC to Log Exporter.
When I compare the logs in SmartConsole with the logs in the SIEM, there are too many differences.
For example, SmartConsole shows about 5000 drop logs per second.
However, only about 300 drop logs per second are visible in the SIEM equipment logs.
There is a difference of more than 10 times, and I do not know the cause.
The connected server is ArcSight 6.9 / SmartConnector 7.15, and the customer's architecture is as follows:
1. Management Server (R80.20, Take 127)
2. Log Server (R80.20, Take 127)
3. VRRP Gateway (R80.10, Take 249) - Firewall, IPS
Below is the Log Exporter configuration set up for the customer.
Due to the large volume of logs, it is really difficult to compare the number of packets.
What do I need to check to fix the above symptoms?
Can you provide some precise examples of logs that aren't showing on the SIEM?
This might be better handled via a TAC case.
We only compared the number of drop logs on the SIEM equipment and in the SmartConsole GUI. Due to time constraints, it was difficult to check further, so I could not check the contents of the inconsistent logs.
You should get a similar number of logs but you’re also only sending Firewall + IPS logs to the SIEM so there may be drops by additional blades you’re not seeing.
In any case, I recommend a TAC case to investigate.
Thanks for your reply.
The blades used by the firewall are Firewall and IPS.
It is logically difficult to understand what gets deleted by other blades.
I will submit the case to the TAC.