Mike_Kintaru, posted September 9, 2020:

Hi. Currently, we have a problem when exporting logs from ESMC to a syslog server. In the ESMC documentation, we know that ESET supports exporting audit logs. However, when we checked the logs in IBM QRadar, we don't see them. We wonder whether the audit log that ESET mentioned is the same as the audit log in the picture I attached. Please help me clarify this @Marcos @M.K.
karlisi, posted September 9, 2020 (edited):

No, it's the server's syslog messages, like this:

INFO: [karlisi] User sends gql request: qroups (192.168.0.111 #id=TASKS:id=CLIENT_TASK_DETAIL;u=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2;p=2:id=TARGETS_TRIGGERS_TASK_WIZARD;tru=be984c29-a03d-4cfa-9e16-d1d713f437a9;tsu=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2)

This message is one of many which correspond to this ESMC audit log entry: Modifying client trigger of type 'Scheduled Trigger' with description 'ASAP; Outdated, Not protected' for task 'AV update to latest'.

Edited September 9, 2020 by karlisi
Mike_Kintaru (author), posted September 10, 2020:

Any update? @Peter Randziak
Peter Randziak (ESET Moderators), posted September 11, 2020:

Hello @Mike_Kintaru, sadly I do not have any personal experience with QRadar and logging to syslog. I would advise contacting your local ESET support to have it checked.

Peter
GregA, posted September 22, 2020:

On 9/9/2020 at 6:40 AM, Mike_Kintaru said: Hi. Currently, we have a problem when exporting logs from ESMC to a syslog server. In the ESMC documentation, we know that ESET supports exporting audit logs. However, when we checked the logs in IBM QRadar, we don't see them. We wonder whether the audit log that ESET mentioned is the same as the audit log in the picture I attached. Please help me clarify this @Marcos @M.K.

I had an issue exporting to QRadar. After we upgraded the Security Management Center to 7.2.1266.0, QRadar could read the logs. So it was apparently a bug that got fixed in the newer Security Management Center. My settings: Port 514, Syslog, TCP, Choose Verbosity, Export syslogs, LEEF format.
MartinK (ESET Staff), posted September 24, 2020:

If I recall correctly, only login & logout audit messages are actually exported, i.e. there is probably no way to export other audit messages.

On 9/22/2020 at 8:06 PM, GregA said: I had an issue exporting to QRadar. After we upgraded the Security Management Center to 7.2.1266.0, QRadar could read the logs. So it was apparently a bug that got fixed in the newer Security Management Center. My settings: Port 514, Syslog, TCP, Choose Verbosity, Export syslogs, LEEF format.

There was an issue in one of the previous releases (probably 7.1) where the wrong delimiter was used in the LEEF format, which caused issues when parsing messages. This is probably why they were not visible in QRadar as they were supposed to be.
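The delimiter problem MartinK describes is easy to diagnose on the receiving side before the events reach the SIEM. The parser below is an added example (not ESET's or IBM's code): it reads a LEEF 1.0/2.0 payload as the IBM LEEF specification defines it, honours the delimiter declared in the 2.0 header (tab by default), and flags a message whose attribute section did not split, which is exactly what a sender using the wrong delimiter produces. The two sample lines are constructed; the event ID "ExampleAudit" is a placeholder, not a real ESMC event name.

```python
import re

# Heuristic "key=" spotter used only to detect attributes that failed to split.
KEY_RE = re.compile(r"[A-Za-z][\w.]*=")


def decode_delim(field: str) -> str:
    """LEEF 2.0 delimiter field -> actual character (empty field means tab)."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2})", field)  # e.g. x09 / 0x09
    return chr(int(m.group(1), 16)) if m else field


def parse_leef(line: str) -> dict:
    """Parse a LEEF 1.0/2.0 message (syslog prefix allowed) into header + attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in message")
    parts = line[start:].split("|")
    version = parts[0].split(":", 1)[1]
    names = ("vendor", "product", "version", "event_id")
    if version.startswith("2"):
        if len(parts) < 7:
            raise ValueError("LEEF 2.0 header needs 6 pipe-separated fields")
        header = dict(zip(names, parts[1:5]))
        delim, attr_str = decode_delim(parts[5]), "|".join(parts[6:])
    else:
        if len(parts) < 6:
            raise ValueError("LEEF 1.0 header needs 5 pipe-separated fields")
        header = dict(zip(names, parts[1:5]))
        delim, attr_str = "\t", "|".join(parts[5:])
    attrs = {}
    for chunk in attr_str.split(delim):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            attrs[key.strip()] = value
    header["attrs"] = attrs
    # One attribute parsed but several "key=" tokens present: sender used a
    # different delimiter than the one it declared (the bug discussed above).
    header["delimiter_mismatch"] = len(attrs) <= 1 and len(KEY_RE.findall(attr_str)) > 1
    return header


# Constructed samples: a correct tab-delimited line and one that declares tab
# but actually joins its attributes with "|".
GOOD = ("Sep  9 06:40:00 esmc LEEF:2.0|ESET|Security Management Center|7.2.1266.0|"
        "ExampleAudit|x09|usrName=karlisi\tsev=3\taction=login\tsrc=192.168.0.111")
BAD = ("Sep  9 06:40:00 esmc LEEF:2.0|ESET|Security Management Center|7.1|"
       "ExampleAudit|x09|usrName=karlisi|sev=3|action=login|src=192.168.0.111")
```

Running `parse_leef` over a sample of forwarded events and counting `delimiter_mismatch` hits is a quick way to confirm whether a missing-event problem is a parsing failure rather than the events not being sent.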