AnsweredAssumed Answered

OPSEC LEA  pull from a SIEM on R80.10 Smart-1 Log Server

Question asked by Lee Cassey on Jul 17, 2018
Latest reply on Jul 27, 2018 by Anton Jordan

So we have access to a SMART-1 Log Server with R80.10 and it is configured only as a logging server, no management server or other blades.  Its receiving logs from several CP firewalls into a management server (which we don't have access to) and then these logs get forwarded to the above Smart-1 Logging server which we do have access to.

 

Trying to set up an OPSEC/LEA connection for our SIEM to pull down from the Logging Server.  We can create the connection and  SIC generated and activated.  Trouble is the SIEM is complaining that it cant connect on 18120 to get the cert.  We can access 18184 ok via the SIEM and telnet but we get no response from either on port 18120.  our CP support engineer told us that because it is only configured as a logging server with no management blade we wont be able to use OPSEC/LEA to pull logs from it and that syslog is the only option.  Syslog doesnt work especially well with our SIEM as needs some major parsing to account for the originating sources devices being different from the server our SIEM receives syslogs for (ie the logging server)

 

Does anyone know if OPSEC/LEA is possible in this setup?  Our SIEM providers say that this is the standard way most of their other clients retrieve logs form CP products.  Just wondered if there is a way to use OPSEC/LEA at all in this scenario or whether we have to live with the PITA syslog option thats not idea for us?

 

Ta

Outcomes