Partial Log Payload Issue


Timur

We are testing LOGbinder EX now. I've noticed that the majority of log payloads coming to the SIEM are partial (not full).
For example, the payloads end like this:
<46>Jan 23 18:26:07 (some info) CmdletParameters/Parameter/Name\= [Name]; CmdletPara
<46>Jan 23 04:04:32 (some info) CmdletParameters/Parameter/Name\= [Name]; Cmdlet
<46>Jan 19 16:28:19 (some info) auditsource=General Mailbox Audit    support
<46>Jan 19 20:08:33 (some info) CmdletParameters/Parameter/Name\= [EndTime]; CmdletParameters/Parameter/Value\= [03/02/20

Is there any limitation on the symbol count? What is the root cause of this problem?
Tamas Lengyel

Timur - 1/24/2018 (quoted above)

How do you output the logs from LOGbinder? If you output to a Syslog server, there will be limitations to the UDP packet size.

One way to overcome this limitation would be to output to Syslog (File) format. Your SIEM will be able to read from the file the same way as from a Syslog server, but without the limitations of UDP.

Timur

Tamas Lengyel - 1/24/2018 (quoted above)

We send logs directly to the SIEM via Syslog LEEF. If the UDP limitation is well known, what is the purpose of the Syslog LEEF or CEF output formats? Anyway, it will send a lot of incomplete logs.

Is there any manual on how to send the Syslog (File) format to Qradar? IBM writes only about Syslog Generic and Syslog LEEF.

Also
bjvista

Most Qradar customers are using Syslog LEEF via UDP as the output. Some others use the Syslog LEEF file output. UDP and TCP both have their own advantages and disadvantages. Just the other day on a call a customer was saying who would want to use TCP over UDP. So each to his own, I guess.

Regarding the CEF and LEEF formats, CEF was required when we integrated with Arcsight ESM in order for us to get CEF certified by Arcsight for use with their SIEM. IBM asked us to add LEEF as an output for Qradar when we integrated with them. Hence the various outputs.

I’m not a Qradar expert but here is what a couple of customers have done to get the flat file LEEF data in to Qradar using Wincollect:

——
The best way we’ve figured out is to dump LogBinder output to a file (LEEF) and transfer the information via a WinCollect FileForwarder log source (WinCollect should be configured to use a TCP destination).
In the next step you should change the value called “Max TCP Syslog Payload Length” on QRadar. LogBinder audit events may be huge, so it’s wise to set it to 8192 (the default varies from 2048 to 4096).
That value is seen in the web interface (version 7.2.6 and higher) or in the /opt/qradar/conf/templates/configservice/pluggablesources/TCPSyslog.vm file in the 4096 section. The value change requires a full deploy.
——

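The following is an added example, not code from LOGbinder, IBM or any poster in this thread. It ties together the two technical points above: Tamas Lengyel's explanation that UDP syslog caps the message size (a fixed receive buffer keeps the first N bytes of a datagram and the kernel drops the rest; RFC 3164 traditionally capped messages at 1024 bytes, and 2048 is a common collector default), and the WinCollect/TCP procedure quoted by bjvista, where QRadar's "Max TCP Syslog Payload Length" must be raised so whole events fit. The LEEF header fields (vendor, product, version, event id), the attribute names and the sample events are all constructed for illustration and do not reflect the real LOGbinder schema. The detector is a best-effort heuristic; the per-source `expected_last_key` check is the one that reliably catches cuts that happen to land on a clean boundary.

```python
"""Added example (not LOGbinder or QRadar code). It simulates the UDP truncation
described in the thread, flags LEEF events that look cut off, and sizes the TCP
payload limit. All events below are constructed; the LEEF header fields
(vendor, product, version, event id) and attribute names are placeholders."""
import re
import socket

# Receive-buffer sizes that commonly cap a UDP syslog message: the RFC 3164
# traditional limit, a frequent collector default, and the QRadar TCP value
# the thread recommends.
RFC3164_MAX = 1024
COMMON_UDP_BUFFER = 2048
RECOMMENDED_TCP_PAYLOAD = 8192

# LEEF writes a literal '=' inside a value as '\='; this matches only real separators.
_UNESCAPED_EQ = re.compile(r"(?<!\\)=")


def build_event(n_params: int) -> str:
    """Constructed LEEF event shaped like the Exchange admin-audit records in the
    thread: one attribute carrying many 'Name\\= [..]; Value\\= [..]' items."""
    params = "; ".join(
        f"CmdletParameters/Parameter/Name\\= [Param{i}]; "
        f"CmdletParameters/Parameter/Value\\= [value-{i:04d}]"
        for i in range(n_params)
    )
    return (
        "<46>Jan 23 18:26:07 exch01 LEEF:1.0|LOGbinder|LOGbinder EX|4.0|1000|"
        "auditsource=Admin Audit\tusrName=admin@example.test\t"
        f"cmdlet=Set-Mailbox\tparams={params}\tresult=Success"
    )


def udp_receive(event: str, buffer_size: int) -> str:
    """What a receiver with a fixed recv buffer keeps of one datagram: the first
    buffer_size bytes. The remainder is dropped by the kernel, not queued."""
    return event.encode("utf-8")[:buffer_size].decode("utf-8", errors="ignore")


def udp_loopback_probe(event: str, buffer_size: int) -> tuple:
    """Real check on a loopback socket: recvmsg() sets MSG_TRUNC when the
    datagram was larger than the buffer. Returns (bytes kept, truncated?)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(event.encode("utf-8"), rx.getsockname())
        data, _anc, flags, _addr = rx.recvmsg(buffer_size)
    return len(data), bool(flags & socket.MSG_TRUNC)


def looks_truncated(event: str, expected_last_key=None,
                    caps=(RFC3164_MAX, COMMON_UDP_BUFFER, 4096)) -> bool:
    """Best-effort detector for a cut-off LEEF event. True if the length sits
    exactly on a known cap, a '[..]' value is left open, the last attribute has
    no unescaped '=', its key is not the one this source always ends with, or
    the event ends on a separator or escape. Cuts that land on a clean boundary
    are only caught when expected_last_key is given, so treat it as a floor."""
    body = event.rstrip("\r\n")
    if not body or len(body.encode("utf-8")) in caps:
        return True
    if body.count("[") != body.count("]"):
        return True
    last_attr = body.split("\t")[-1]
    m = _UNESCAPED_EQ.search(last_attr)
    if m is None:
        return True
    if expected_last_key and last_attr[:m.start()] != expected_last_key:
        return True
    return body[-1] in "=;,\\ "


def recommend_tcp_payload(events, settings=(2048, 4096, 8192)):
    """Smallest listed 'Max TCP Syslog Payload Length' that fits the longest
    event, or None if none does. The settings are the values the thread names;
    confirm the allowed range for your QRadar version."""
    longest = max(len(e.encode("utf-8")) for e in events)
    return next((s for s in settings if s >= longest), None)


if __name__ == "__main__":
    full = build_event(60)
    print(f"full event: {len(full.encode())} bytes, truncated={looks_truncated(full, 'result')}")
    for buf in (RFC3164_MAX, COMMON_UDP_BUFFER, 1500):
        got = udp_receive(full, buf)
        print(f"UDP buffer {buf}: tail={got[-24:]!r} "
              f"flagged={looks_truncated(got)} flagged_with_key={looks_truncated(got, 'result')}")
    try:
        print("loopback recvmsg (bytes kept, MSG_TRUNC):", udp_loopback_probe(full, COMMON_UDP_BUFFER))
    except (OSError, AttributeError) as exc:  # no loopback, or no recvmsg() on Windows
        print("loopback probe skipped:", exc)
    print("TCP payload setting needed:", recommend_tcp_payload([full]))
```

Run it as a script to see a 60-parameter event (a few thousand bytes) survive intact only when the payload limit is raised past the 2048/4096 defaults; the 1500-byte cut shows why the length and bracket heuristics alone are not enough and why pinning the source's final attribute key is worth doing when you build a truncation alert in the SIEM.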
LOGbinder Forum