So we have access to a SMART-1 Log Server with R80.10 and it is configured only as a logging server, no management server or other blades. It's receiving logs from several CP firewalls into a management server (which we don't have access to) and then these logs get forwarded to the above Smart-1 Logging server which we do have access to.
Trying to set up an OPSEC/LEA connection for our SIEM to pull down from the Logging Server. We can create the connection and SIC is generated and activated. Trouble is the SIEM is complaining that it can't connect on 18120 to get the cert. We can access 18184 ok via the SIEM and telnet but we get no response from either on port 18120. Our CP support engineer told us that because it is only configured as a logging server with no management blade we won't be able to use OPSEC/LEA to pull logs from it and that syslog is the only option. Syslog doesn't work especially well with our SIEM as it needs some major parsing to account for the originating source devices being different from the server our SIEM receives syslogs for (i.e. the logging server).
Does anyone know if OPSEC/LEA is possible in this setup? Our SIEM providers say that this is the standard way most of their other clients retrieve logs from CP products. Just wondered if there is a way to use OPSEC/LEA at all in this scenario or whether we have to live with the PITA syslog option that's not ideal for us?