Hi Peter,
In this case, the log sources from my customer were forwarded to my QRadar through Forwarding Destinations with the option "Prefix a syslog header if it is missing or invalid" enabled. This option edited the syslog header in my case. Previously, all log sources were forwarded through this Forwarding Destination, but it only edited the syslog header for two log sources, while the others weren't affected.
My solution is to create a new Forwarding Destination without enabling "Prefix a syslog header if it is missing or invalid" on the customer site. For the log sources where the syslog header was edited, I will choose the new Forwarding Destination in the Routing Rules.
Hope you can find the solution.
------------------------------
Hai Dinh
------------------------------
Original Message:
Sent: Sun April 02, 2023 06:49 AM
From: Peter Maklary
Subject: Multi log sources have the same Log Source Identifier with no valid syslog header
Hi,
Congrats. Could you share your solution? It could help me with a problem that seems similar.
Thank you
------------------------------
Peter Maklary
Original Message:
Sent: Fri March 31, 2023 02:23 AM
From: Hai Dinh
Subject: Multi log sources have the same Log Source Identifier with no valid syslog header
I found the solution for this.
------------------------------
Hai Dinh
Original Message:
Sent: Sat March 25, 2023 10:42 AM
From: Hai Dinh
Subject: Multi log sources have the same Log Source Identifier with no valid syslog header
Hello guys,
I have two log sources forwarding logs from Customer QRadar (behind NAT) to my QRadar. Unfortunately, the raw logs forwarded to my QRadar had "<38>Mar 25 14:16:02 " added in the header like the logs below, making it difficult to identify the log source.
<38>Mar 25 14:16:02 <29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>068-CLIENT-002</MachineName><AgentGUID>{97fa0f64-3563-11ec-05df-b07b250aw45r3}</AgentGUID><IPAddress>10.10.17.43</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>%CTX_DOMAIN_USER%</UserName><TimeZoneBias>-420</TimeZoneBias><RawMACAddress>b07b2508f1242</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7" ProductFamily="TVD">....
<38>Mar 24 13:49:59 <13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - [NXLOG@14506 EventReceivedTime="2023-03-24 13:48:20" SourceModuleName="owasp-logs" SourceModuleType="im_file"] 2023/03/24 13:48:19 [error] 70642#70642: *2155033 [client 50.202.35.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/blog.sql"] [unique_id "1679640499"] [ref ""], client: 50.202.35.150, server: contoso.com, request: "GET /blog.sql HTTP/1.1", host: "contoso.com:443"
The log source identifier of the two log sources is the NATed IP address of the Customer QRadar, which is 172.10.20.2. Do you guys have any recommendations for creating log sources? Thank you all.
------------------------------
Regards,
Hai Dinh
------------------------------
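The two raw lines quoted in the original question, and the explanation at the top of the thread, describe the same defect: the forwarder prepends a legacy BSD-style "<PRI>Mon DD HH:MM:SS " header (with no hostname) in front of an event that already carries a valid RFC 5424 header, so the receiving QRadar can only key the event on the NATed sender IP. The Python below is an added example, not code from the thread, from IBM or from QRadar; it detects that double-header pattern on incoming lines, strips the prepended part, and recovers the RFC 5424 HOSTNAME field (MCAFEE-EPO and proxy-owasp-1 in the quoted logs) that a collector could use as the Log Source Identifier. The prefix format is assumed from the two quoted lines only, the sample events are abbreviated copies of them with constructed extra cases, and the fallback sender IP 172.10.20.2 is the NATed address named in the question.

```python
import re
from typing import List, Optional, Tuple

# Legacy BSD-style header as seen in the quoted logs: "<PRI>Mon DD HH:MM:SS "
# immediately followed by the real event, with no hostname in between.
# (Assumption: this is the exact shape the forwarder prepends.)
BSD_PREFIX = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
)

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


def strip_prefixed_header(line: str) -> Tuple[str, bool]:
    """Remove a BSD header that sits directly in front of an RFC 5424 header.

    Returns (cleaned_line, was_prefixed). Lines that are plain BSD syslog or
    plain RFC 5424 are returned unchanged with was_prefixed == False.
    """
    m = BSD_PREFIX.match(line)
    if m and RFC5424_HEADER.match(line[m.end():]):
        return line[m.end():], True
    return line, False


def rfc5424_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field of an RFC 5424 line, or None if it is not one."""
    m = RFC5424_HEADER.match(line)
    return m.group("host") if m else None


def identify_source(line: str, sender_ip: str) -> str:
    """Pick a Log Source Identifier: the event's own RFC 5424 hostname when it
    can be recovered, otherwise the IP the event arrived from (the NATed
    address in the thread, which is what made both sources look identical)."""
    cleaned, _ = strip_prefixed_header(line)
    host = rfc5424_hostname(cleaned)
    return host if host else sender_ip


def count_prefixed(lines: List[str]) -> int:
    """How many lines in a batch carry the doubled header (a quick health check
    for a forwarding destination's header settings)."""
    return sum(1 for ln in lines if strip_prefixed_header(ln)[1])


# Abbreviated copies of the two events quoted in the thread (payloads cut short).
MCAFEE_EVENT = (
    '<29>1 2023-03-25T07:14:28.0Z MCAFEE-EPO EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1"] <?xml version="1.0"?><EPOEvent>...</EPOEvent>'
)
MODSEC_EVENT = (
    '<13>1 2023-03-24T13:48:20.044478+07:00 proxy-owasp-1 - - - '
    '[NXLOG@14506 SourceModuleName="owasp-logs"] ModSecurity: Access denied with code 403 (phase 2).'
)

SAMPLE_LINES = [
    "<38>Mar 25 14:16:02 " + MCAFEE_EVENT,   # as received: prefixed
    "<38>Mar 24 13:49:59 " + MODSEC_EVENT,   # as received: prefixed
    MCAFEE_EVENT,                            # constructed: same event, no prefix
    # Constructed: an ordinary BSD-style line from the NAT host; nothing to strip.
    "<38>Mar 25 14:20:00 172.10.20.2 sshd[1234]: Accepted publickey for admin",
]

NAT_SENDER_IP = "172.10.20.2"  # NATed address of the customer QRadar, from the thread

if __name__ == "__main__":
    print(f"prefixed lines in batch: {count_prefixed(SAMPLE_LINES)}")
    for ln in SAMPLE_LINES:
        cleaned, prefixed = strip_prefixed_header(ln)
        print(f"prefixed={prefixed!s:5} identifier={identify_source(ln, NAT_SENDER_IP)}")
```

Run as a script it reports two prefixed lines in the batch and resolves them to MCAFEE-EPO and proxy-owasp-1 instead of 172.10.20.2; the plain BSD line keeps the sender IP because it carries no RFC 5424 hostname, which is the same ambiguity the question describes. The `count_prefixed` figure is the number to watch after changing a Forwarding Destination's header option: it should drop to zero for sources whose events already carry a valid header.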