IBM Security QRadar

  • 1.  Cisco CyberVision

    Posted Thu November 05, 2020 02:52 PM
    syslog tcp/514 "standard/cef" received from Cisco Sentryo Cybervision
    showing as Unknown Log Event

    <158>Nov  5 17:38:54 rsyslogd cybervision[2]: CEF:0|sentryo|cybervision|1.0|offline_data_upload|Offline data file uploaded to Cisco Cyber Vision|0|cat=Cisco Cyber Vision Operations msg=An offline data file named 'Pcap_1c_Mode_Monitor_3.1offline-data.zip' was uploaded to Cyber Vision (status: OK).

    I'm assuming my LogSourceIdentifier is incorrect? I used the SRC IPaddr.
    Yes, I have installed the Sentryo Cybervision App. QR CE 7.3.3

    ------------------------------
    Daniel Ralph
    ------------------------------


  • 2.  RE: Cisco CyberVision

    Posted Fri November 06, 2020 03:30 AM
    I believe so... based on CEF structure, the identifier should be in the space between the time and CEF mark.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Cisco CyberVision

    Posted Mon November 09, 2020 09:38 AM
    Hi Daniel,

    Because that event has a syslog header compliant with RFC3164, we will parse out rsyslogd from the header (as it's in the location where an IP address or hostname should be provided) and use that to route the event to a log source. So the Log Source Identifier needs to be rsyslogd.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
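An added example (not from the thread, IBM or Cisco) that parses the event Daniel quoted: the RFC 3164 hostname slot between the timestamp and the tag holds `rsyslogd`, which is the value Colin says QRadar keys the Log Source Identifier on, not the sender IP. Python 3 standard library only; the CEF extension splitting is a simplification that ignores escaped characters.

```python
import re

# Constructed copy of the event quoted in the thread, joined into one line.
SAMPLE = (
    "<158>Nov  5 17:38:54 rsyslogd cybervision[2]: CEF:0|sentryo|cybervision|1.0|"
    "offline_data_upload|Offline data file uploaded to Cisco Cyber Vision|0|"
    "cat=Cisco Cyber Vision Operations msg=An offline data file named "
    "'Pcap_1c_Mode_Monitor_3.1offline-data.zip' was uploaded to Cyber Vision (status: OK)."
)

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day is space-padded below 10).
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def parse_rfc3164(line):
    """Split the RFC 3164 header; 'hostname' is the field a collector routes on."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,   # 158 -> local3 / informational
            "timestamp": m.group("ts"), "hostname": m.group("host"),
            "message": m.group("msg")}

def parse_cef(text):
    """Parse 'CEF:Version|Vendor|Product|Version|SigID|Name|Severity|Extension'."""
    start = text.find("CEF:")
    if start < 0:
        return None
    # Header fields are pipe-delimited; a literal pipe is escaped as '\|'.
    fields = re.split(r"(?<!\\)\|", text[start + 4:], maxsplit=7)
    if len(fields) != 8:
        return None
    keys = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    cef = dict(zip(keys, fields[:7]))
    # Extension: key=value pairs; values may contain spaces, the next key follows whitespace.
    cef["extension"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", fields[7], re.DOTALL))
    return cef

def log_source_identifier(line):
    """Hostname an RFC 3164-aware collector would use to route the event."""
    hdr = parse_rfc3164(line)
    return hdr["hostname"] if hdr else None
```

Feeding the event through `log_source_identifier` returns `rsyslogd`, so a log source keyed on the sender's IP address never matches and the event falls through as Unknown.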



  • 4.  RE: Cisco CyberVision

    Posted Wed April 28, 2021 10:01 AM
    Hi Daniel,

    Please switch the Cyber Vision syslog format to RFC3154 CEF format.
    The standard format is not the right option for Q-Radar.


    ------------------------------
    Fayce Daira
    ------------------------------