How to parse ADS generated syslog messages for SIEM?
Information
Summary: Parsing rules for ADS-generated syslog messages in a SIEM
Environment: Product: Flowmon ADS; Version: Any; Platform: Any
Question/Problem Description: How to create parsing rules for ADS-generated syslog messages in SIEM systems?
Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause:
ADS supports exporting syslog events in CEF (Common Event Format); see the user guide. CEF is a standardized format for syslog messages, so a SIEM that supports it should ingest the messages without any custom parsing rules. Which ADS perspective priority corresponds to which syslog severity and CEF severity is described in the table.

If the SIEM does not support CEF, custom parsing rules have to be created. The description of the integration between Flowmon and FortiSIEM (a SIEM) can serve as inspiration: https://support.kemptechnologies.com/hc/en-us/articles/4405966827021-FortiSIEM-Integration-Guide For testing the parser it is advisable to use the sample messages available for download here: https://support.kemptechnologies.com/hc/en-us/articles/4405965962253-Flowmon-ADS-Event-Sample
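As an added illustration (not Flowmon code and not taken from the linked guides), the following parser shows what a custom rule must get right when the SIEM cannot parse CEF natively: the seven pipe-delimited header fields with their `\|` and `\\` escapes, the syslog PRI prefix, and the key=value extension whose values may contain spaces and `\=` escapes. The sample message is constructed; its vendor, product and field values are placeholders, not real ADS output.

```python
"""Parse syslog-wrapped CEF records (added example, not Flowmon code)."""
import re

# Constructed sample (placeholder vendor/product/values): syslog PRI, timestamp
# and host, then a CEF record exercising the \| \= and \\ escape rules.
SAMPLE = (
    "<134>Jan 10 12:34:56 flowmon-host CEF:0|Vendor\\|Inc|Product Name|1.0|"
    "EVENT_ID|Sample event with pipe \\| in name|7|"
    "src=10.0.0.5 dst=192.0.2.10 msg=key\\=value pairs and spaces cs1=done"
)
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

def split_header(cef):
    """Return (7 header fields, extension text); '\\|' and '\\\\' are escapes."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):        # escaped char: keep literal
            buf.append(cef[i + 1]); i += 2
        elif ch == "|":                             # unescaped field separator
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) == 6 and i == len(cef):          # severity without trailing '|'
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, cef[i:]

def parse_extension(ext):
    """Pairs start only at whitespace + key + unescaped '='; values may have spaces."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end])  # drop escapes
    return out

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; the syslog prefix is optional."""
    pos = line.index("CEF:")                        # ValueError if no CEF record
    event = {"syslog_prefix": line[:pos].strip()}
    pri = re.match(r"<(\d+)>", line)
    if pri:                                         # PRI = facility * 8 + severity
        event["syslog_facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
    fields, ext = split_header(line[pos + 4:])
    event.update(zip(HEADER_FIELDS, fields))
    event["extension"] = parse_extension(ext.strip())
    return event
```

Run it against the downloadable sample messages linked above to confirm that every field a SIEM rule needs (in particular `severity` and the extension keys) is extracted before writing the rule in the SIEM's own syntax.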
Resolution:
Workaround:
Notes: