Correlating logs from external log server

MIRCEA_MITROI1 · ‎2018-02-21

Hi all!

We have a distributed management/reporting deployment with 1 x R80.10 SmartCenter, 1 x R80.10 SmartEvent and 1 x R77.30.03 SmartEndpoint mgmt server. We have established opsec lea between SmartEvent and Endpoint Server, we receive the logs, the cpstat cpsead looks fine, we can find them under the smartlog, but we cannot find them under the "General Overview" tab. We have also defined "new event" type under the SmartEvent policy, but still couldn't get any correlated endpoint logs.

Would be maybe a better idea to send the endpoint server logs to the smartcenter and from there to the smartevent?

Do you have any idea on this?

Thx a lot!

Mircea

PhoneBoy · ‎2018-02-22

Of the three management objects (SmartEndpoint, SmartCenter, SmartEvent), which ones have SmartEvent Correlation Unit enabled on them?

MIRCEA_MITROI1 · ‎2018-02-22

Hello Dameon,

Only the SmartEvent has the Correlation Unit enabled.

Thanks,

Mircea

PhoneBoy · ‎2018-02-23

There are some differences between how R77.x does things and R80.x does things.

Normally I would suggest doing: How to configure an R80/R80.10 SmartEvent Server with an R77.x Security Management

But since you're also using R80.10 Management, not sure this is the right answer.

Let me ping R&D

MIRCEA_MITROI1 · ‎2018-02-23

Sure, thx for your help!

⁣Sent from my phone

Evgenia_Kritsky · ‎2018-02-26

The default filters of R80.10 SmartEvent "Views" and "Reports" is exclude products from the Endpoint family.

So maybe the sk118525 is relevant for you.

MIRCEA_MITROI1 · ‎2018-02-26

Hello Evgenia,

Thank you, we will give it a try.

Thx,

Mircea

MIRCEA_MITROI1 · ‎2018-03-01

Hi Evgenia!

Thank you for the solution. Maybe with R80.20 Endpoint will be fully supported by SmartEvent?

Thx again,

Mircea

⁣Sent from my phone