ChoiYunSoo
Participant

The number of logs in the GUI and on the SIEM device do not match.

Hello,

I am working to change a customer's SIEM integration method from OPSEC to Log Exporter.

When I compare the logs in SmartConsole with the logs in the SIEM, there are too many differences.

For example, SmartConsole shows about 5000 drop logs per second.

However, only about 300 drop logs are visible in the SIEM equipment's logs.

There is a difference of more than 10 times, and I do not know the cause.


The linked server is ArcSight 6.9 / SmartConnector 7.15, and the customer's architecture is as follows.

1. Management Server (R80.20, Take 127)
2. Log Server (R80.20, Take 127)
3. VRRP Gateway (R80.10, Take 249) - Firewall, IPS


Below is the Log Exporter configuration set up for the customer.

[Attached screenshots: export_show.png, filter_configuration.PNG]


Due to the large number of logs, it is really difficult to compare the packet counts.

What do I need to check to fix the above symptoms?


4 Replies
PhoneBoy
Admin

Can you provide some precise examples of logs that aren't showing on the SIEM?
This might be better handled via a TAC case.

ChoiYunSoo
Participant

We only compared the number of drop logs on the SIEM equipment and in the SmartConsole GUI. Due to time constraints, it was difficult to check further, so I could not check the contents of the inconsistent logs.

PhoneBoy
Admin

You should get a similar number of logs but you’re also only sending Firewall + IPS logs to the SIEM so there may be drops by additional blades you’re not seeing.
In any case, I recommend a TAC case to investigate.

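One way to check the point raised in the reply above (that a Firewall + IPS filter on the exporter would hide drops logged by other blades) is to tally drop logs per product in a sample of exported lines and see how many a blade filter would forward. The following is an added example, not code from this thread or from Check Point; the log lines are constructed in a generic key="value" style and the field names (product, action, time) are assumptions, not necessarily the exact fields Log Exporter emits, so map them to the real field names in your own export before running it on real data.

```python
import re
from collections import Counter

# Constructed sample lines in a generic key="value" style.
# Field names are assumptions for this example, not the exact
# Log Exporter output format.
SAMPLE_LOGS = """\
time="2023-01-01T10:00:00" product="Firewall" action="Drop" src="10.0.0.5"
time="2023-01-01T10:00:00" product="Firewall" action="Accept" src="10.0.0.6"
time="2023-01-01T10:00:00" product="IPS" action="Drop" src="10.0.0.7"
time="2023-01-01T10:00:00" product="Anti-Bot" action="Drop" src="10.0.0.8"
time="2023-01-01T10:00:00" product="Threat Emulation" action="Drop" src="10.0.0.9"
time="2023-01-01T10:00:01" product="Firewall" action="Drop" src="10.0.0.10"
time="2023-01-01T10:00:01" product="Anti-Bot" action="Drop" src="10.0.0.11"
time="2023-01-01T10:00:01" product="URL Filtering" action="Drop" src="10.0.0.12"
"""

# Matches key="value" pairs; values may contain spaces (e.g. "Threat Emulation").
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def count_drops_by_product(lines):
    """Count drop logs per product (blade) across all lines."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") == "Drop":
            counts[rec.get("product", "unknown")] += 1
    return counts


def drops_per_second(lines, products=None):
    """Drop logs per timestamp. If `products` is given, only those products
    are counted, mimicking an exporter filter that forwards a subset of blades."""
    per_sec = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "Drop":
            continue
        if products is not None and rec.get("product") not in products:
            continue
        per_sec[rec.get("time", "?")] += 1
    return per_sec


def compare(lines, forwarded_products):
    """Summarise how many drop logs a blade filter would forward versus hide."""
    total = count_drops_by_product(lines)
    forwarded = sum(n for p, n in total.items() if p in forwarded_products)
    not_forwarded = {p: n for p, n in total.items() if p not in forwarded_products}
    return {
        "total": sum(total.values()),
        "forwarded": forwarded,
        "not_forwarded": not_forwarded,
    }


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print(compare(lines, {"Firewall", "IPS"}))
    print(dict(drops_per_second(lines)))
    print(dict(drops_per_second(lines, {"Firewall", "IPS"})))
```

Running the summary over a real export window and comparing the "total" line with what SmartConsole shows for the same interval separates a blade-filter gap (the "not_forwarded" bucket explains the difference) from a genuine delivery problem (it does not).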
ChoiYunSoo
Participant

Thanks for your reply.

The blades used by the firewall are Firewall and IPS.

It is logically difficult to understand what gets deleted by other blades.

I will submit the case to the TAC.
