Hi.

Currently, we have a problem when exporting logs from ESMC to a syslog server. In the ESMC documentation, we know that ESET supports exporting Audit logs. However, when we checked the logs in IBM QRadar, we don't see them. We wonder whether the audit log that ESET mentioned is the same as the Audit log in the picture I attached.

Please help me clarify this @Marcos @M.K.

[Attachment: audit-log.png]


No, it's the server's syslog messages, like this:

INFO: [karlisi] User sends gql request: qroups (192.168.0.111 #id=TASKS:id=CLIENT_TASK_DETAIL;u=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2;p=2:id=TARGETS_TRIGGERS_TASK_WIZARD;tru=be984c29-a03d-4cfa-9e16-d1d713f437a9;tsu=48eef0ae-96d2-4bed-ad2b-b5094a07cfe2)

This message is one of many that correspond to this ESMC audit log entry:

Modifying client trigger of type 'Scheduled Trigger' with description 'ASAP; Outdated, Not protected' for task 'AV update to latest'.

Edited by karlisi
On 9/9/2020 at 6:40 AM, Mike_Kintaru said:
[quote of the opening post above]

I had an issue exporting to QRadar. After we upgraded Security Management Center to 7.2.1266.0, QRadar could read the logs. So it was apparently a bug that got fixed in the newer Security Management Center. My settings: Port 514, Syslog, TCP, Choose Verbosity, Export syslogs, LEEF format.

ESET Staff

If I recall correctly, only login & logout audit messages are actually exported, i.e. there is probably no way to export other audit messages.

On 9/22/2020 at 8:06 PM, GregA said:
[quote of GregA's post above]

There was an issue in one of the previous releases (probably 7.1) where the wrong delimiter was used in LEEF format, which caused issues when parsing messages. This is probably why they were not visible in QRadar as they were supposed to be.


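The delimiter problem the ESET staff reply describes is easy to check for yourself before assuming the SIEM side is at fault. The parser below is an added example written for this thread; it is not ESET's, IBM's or any poster's code. It parses LEEF 1.0 (tab-delimited) and LEEF 2.0 (delimiter declared in the sixth header field, literally or as xHH hex) payloads from a syslog line, and flags the failure mode from the thread: a header that declares one delimiter while the body is joined with another, so the whole body collapses into a single attribute. The sample messages, vendor/product strings, event IDs, version strings and attribute keys are constructed for illustration and are not ESMC's actual LEEF schema.

```python
"""Parse LEEF syslog payloads and flag a declared-vs-actual delimiter mismatch.

Added example for the forum thread above; not ESET's, IBM's or a poster's code.
All sample messages and field names are constructed, not real ESMC output.
"""
import re
from dataclasses import dataclass, field


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    delimiter: str
    attributes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


# Separators a vendor might emit by mistake; only tried when the declared
# delimiter fails to split the body into more than one key=value pair.
CANDIDATE_DELIMITERS = ("\t", "^", ";", ",", " ")


def _decode_delimiter(token: str) -> str:
    """LEEF 2.0 header field 6: a single literal character or 'xHH' hex."""
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", token):
        return chr(int(token[1:], 16))
    if len(token) == 1:
        return token
    raise ValueError(f"invalid LEEF 2.0 delimiter field: {token!r}")


def _split_pairs(body: str, delim: str) -> list:
    """Split body on delim; keep only tokens that look like key=value."""
    return [t.split("=", 1) for t in body.split(delim) if t and "=" in t]


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF 1.0 or LEEF 2.0 payload."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    payload = line[start:]
    version = payload[5:8]
    if version == "1.0":
        parts = payload.split("|", 5)   # LEEF:1.0|Vendor|Product|Ver|EventID|attrs
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        head, body, delim = parts[:5], parts[5], "\t"   # tab is fixed in 1.0
    elif version == "2.0":
        parts = payload.split("|", 6)   # LEEF:2.0|Vendor|Product|Ver|EventID|delim|attrs
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        head, body, delim = parts[:5], parts[6], _decode_delimiter(parts[5])
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")

    ev = LeefEvent(version, head[1], head[2], head[3], head[4], delim)
    pairs = _split_pairs(body, delim)
    ev.attributes = {k: v for k, v in pairs}

    # Mismatch check: the declared delimiter produced at most one pair, but
    # another separator splits the same body into several key=value pairs.
    if len(pairs) <= 1:
        for cand in CANDIDATE_DELIMITERS:
            if cand == delim:
                continue
            alt = _split_pairs(body, cand)
            if len(alt) >= 2:
                ev.problems.append(
                    f"declared delimiter {delim!r} yields {len(pairs)} pair(s); "
                    f"{cand!r} yields {len(alt)} - header/body delimiter mismatch")
                break
    return ev


# Constructed sample lines (syslog PRI + header + LEEF payload); not ESMC output.
SAMPLES = {
    "good_2_0": (
        "<134>Sep 22 20:06:00 esmc-srv LEEF:2.0|ESET|Security Management Center|7.2.1266.0|Login|x09|"
        "usrName=karlisi\tsrc=192.168.0.111\tresult=success\tdevTime=Sep 22 2020 20:06:00"
    ),
    # Header declares a tab (x09) but the body is joined with '^' (assumed
    # shape of the bug; the real defect's details are not in the thread).
    "bad_delim": (
        "<134>Sep 22 20:06:00 esmc-srv LEEF:2.0|ESET|Security Management Center|7.1|Login|x09|"
        "usrName=karlisi^src=192.168.0.111^result=success"
    ),
    "v1_0": (
        "<134>Sep 22 20:07:00 esmc-srv LEEF:1.0|ESET|Security Management Center|7.2.1266.0|Logout|"
        "usrName=karlisi\tsrc=192.168.0.111"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ev = parse_leef(raw)
        print(f"{name}: {ev.event_id} attrs={list(ev.attributes)} problems={ev.problems}")
```

Run it against a capture of your own export (e.g. a few lines saved from the syslog receiver with tcpdump or rsyslog) instead of SAMPLES: an event with one attribute and a non-empty `problems` list means the parser at the SIEM end will see one unparsed blob, which matches the "nothing shows up in QRadar" symptom before the 7.2 upgrade. Note that this only validates the LEEF framing; which audit messages ESMC actually exports is a separate question answered by the ESET staff reply above.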