Jump to content

Recommended Posts

Hi.

Current, we have a problem when export log from ESMC to syslog server. In ESMC document, we know as Eset support export logs Audits. However, when we checked log from IBM qRadar, we don't see it. We wonder that audit log that Eset mentioned whether Audit log as same as picture I attached. 

Please help me clarify about this @Marcos @M.K.

 

 

audit-log.png

Link to post
Share on other sites

No, it's server's syslog messages, like this:

INFO: [karlisi] User sends gql request: qroups (192.168.0.111 #id=TASKS:id=CLIENT_TASK_DETAIL;u=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2;p=2:id=TARGETS_TRIGGERS_TASK_WIZARD;tru=be984c29-a03d-4cfa-9e16-d1d713f437a9;tsu=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2)

This message is one of many which corresponds to this ESMC audit log entry:

Modifying client trigger of type 'Scheduled Trigger' with description 'ASAP; Outdated, Not protected' for task 'AV update to latest'.

Edited by karlisi
Link to post
Share on other sites
  • 2 weeks later...
On 9/9/2020 at 6:40 AM, Mike_Kintaru said:

Hi.

Current, we have a problem when export log from ESMC to syslog server. In ESMC document, we know as Eset support export logs Audits. However, when we checked log from IBM qRadar, we don't see it. We wonder that audit log that Eset mentioned whether Audit log as same as picture I attached. 

Please help me clarify about this @Marcos @M.K.

 

 

audit-log.png

I had issue exporting to QRadar. After we upgraded the Security Management Center to 7.2.1266.0  Qradar could read the logs. So it was apparently a bug that got fixed in the newer Security Management Center. My settings.. Port 514, Syslog, TCP, Choose Verbosity, Export syslogs, LEEF format.

Link to post
Share on other sites
  • ESET Staff

If I recall correctly, only login&logout audit messages are actually exported, i.e. there is probably no way how to export other audit messages.

On 9/22/2020 at 8:06 PM, GregA said:

I had issue exporting to QRadar. After we upgraded the Security Management Center to 7.2.1266.0  Qradar could read the logs. So it was apparently a bug that got fixed in the newer Security Management Center. My settings.. Port 514, Syslog, TCP, Choose Verbosity, Export syslogs, LEEF format.

There has been issue in one of previous releases (probably 7.1) where wrong delimiter was used in LEEF format, which caused issues when parsing messages - this is probably why they were not visible in QRadar as they were supposed to be.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...