Solved: Sending SIEM Mcafee logs

FabioLima1 · ‎2023-05-31

Hello everyone, everything good ? I need help.

I configured the log exporter but the events that arrive at the siem are very low, below the evidence.

name: LOG_EXP domain-server: : CK
enabled: true
target-server: 10.0.1.1
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not configured, using default

Logs

[4011834176][31 May 12:09:42] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:47] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:52] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)

PhoneBoy · ‎2023-06-05

I don't believe configuring Log Exporter at the MDS level will export the logs from the various CMAs.
Each Domain would need to have Log Exporter configured on it.

View solution in original post

Chris_Atkinson · ‎2023-05-31

What troubleshooting have you already done and which version and JHF is the Management in this case?

Have you implemented any filters that we should be aware of?

CCSM R77/R80/ELITE

FabioLima1 · ‎2023-06-01

Version81.10 JHF 78

what I did for troubleshooting was to analyze the logs.

PhoneBoy · ‎2023-06-01

To be honest, I'm not sure what "evidence" you're showing here.
What precise commands generated this output or what precise logs did you pull this output from?

Do you see traffic flowing to the destination syslog server with tcpdump?

FabioLima1 · ‎2023-06-01

I see syn packages but not the syn/ack

PhoneBoy · ‎2023-06-01

A SYN/ACK would come from the remote syslog server in this case.
If you're not getting that, it means there's a basic networking problem (either routing, a middle device blocking the traffic, or both).

FabioLima1 · ‎2023-06-01

I made the change to use the sending using the udp protocol instead of tcp, now the Siem team informs me that the volume of logs is low

PhoneBoy · ‎2023-06-01

By what reasoning have your SIEM team concluded that "the volume of logs is low"?
Detailed comparisons of what's in SmartView versus the SIEM would need to be made starting from the moment logs started flowing via Log Exporter.
In general, the amount of logs sent by Log Exporter should be proportional to the current logs received on the logging server.

the_rock · ‎2023-06-01

@FabioLima1 We definitely need more info here to be able to help you out better. When you indicate SIEM team told you volume of logs is low, Im not sure how to "digest" that info. Are they expecting to see certain amount of logs per minute/hour/day? Whatever you see as far as amount of logs on whatever log server it is, thats what should show up on SIEM side.

We use SIEM for few customers and so far, no issues as far as logs being received from the config we did in Smart-1 cloud environment.

Again, maybe doing some basic packet captures may help.

Andy

Best,
Andy

the_rock · ‎2023-06-02

Hey mate,

Were you able to look into things we mentioned?

Andy

Best,
Andy

FabioLima1 · ‎2023-06-02

I did the capture and I see the logs going towards Siem. One question, I configured the export log in the MDS, can you tell me if the mds sends logs or only the cma and cml that forward the logs?

PhoneBoy · ‎2023-06-05

I don't believe configuring Log Exporter at the MDS level will export the logs from the various CMAs.
Each Domain would need to have Log Exporter configured on it.

Are you a member of CheckMates?

Sending SIEM Mcafee logs