Logging in IBM LEEF format issue
Hi Everyone,
We have configured our FortiWeb to send logs to QRadar SIEM.
For that we have used this "log siem-policy", which is pretty straightforward.
But when it reaches the SIEM, it's not parsing. After further investigation, IBM acknowledged that every attribute of the log should be separated by a tab, but currently FortiWeb is sending the logs separated by spaces.
My main concern is: if there is an option to select 'IBM LEEF' in logging, then it should match what IBM is expecting.
Why are we seeing a discrepancy here?
Anyone who has gone through this, please revert.
SS attached
Regards,
Rakesh
Hi,
every qualified SIEM (as QRadar is) has the capability to parse logs from different sources and formats.
'Tab' or 'space' separators are very common, so it should be solved by adjusting the parser on the QRadar side.
Regards
/ Abel
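A tolerant LEEF parser along the lines Abel suggests, written here as an added example (not code from the thread, Fortinet or IBM): it honours the LEEF 1.0 tab delimiter and the LEEF 2.0 delimiter header field, and falls back to splitting on whitespace before the next `key=` token when the declared delimiter is absent, so the space-separated records described above still parse. The sample events, vendor/product strings and attribute names are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample events (not real FortiWeb output): the first is
# tab-separated as LEEF 1.0 requires, the second is the same record
# space-separated, as described in the thread.
TAB_EVENT = ("LEEF:1.0|Fortinet|FortiWeb|6.3|waf_signature|"
             "devTime=Jan 01 2024 12:00:00\tsrc=10.0.0.5\tdst=10.0.0.10\t"
             "msg=SQL injection attempt blocked\tseverity=high")
SPACE_EVENT = TAB_EVENT.replace("\t", " ")

# Whitespace immediately before the next "key=" token: the fallback split
# when the declared delimiter is absent, so values containing spaces survive.
_KV_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][\w.\-]*=)")

def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for a LEEF 1.0 or 2.0 record."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    version, rest = line[len("LEEF:"):].split("|", 1)
    # LEEF 2.0 adds a sixth header field naming the attribute delimiter
    # (a literal character or a hex code such as x09); LEEF 1.0 uses a tab.
    names = ["vendor", "product", "product_version", "event_id"]
    if version.startswith("2."):
        names.append("delimiter")
    parts = rest.split("|", len(names))
    if len(parts) != len(names) + 1:
        raise ValueError("malformed LEEF header")
    header = {"version": version, **dict(zip(names, parts[:-1]))}
    delim = header.get("delimiter") or "\t"
    if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{2}", delim):
        delim = chr(int(delim[-2:], 16))
    return header, split_attributes(parts[-1], delim)

def split_attributes(raw: str, delim: str = "\t") -> Dict[str, str]:
    """Split key=value pairs; fall back to key-boundary splitting if delim is absent."""
    pairs = raw.split(delim) if delim in raw else _KV_BOUNDARY.split(raw)
    attrs: Dict[str, str] = {}
    for pair in pairs:
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key.strip()] = value
    return attrs

def normalize_to_tabs(line: str) -> str:
    """Re-emit the record with tab-separated attributes (e.g. in a relay ahead of the SIEM)."""
    header, attrs = parse_leef(line)
    fields = [header[k] for k in ("vendor", "product", "product_version", "event_id")]
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return "LEEF:1.0|" + "|".join(fields) + "|" + body
```

The fallback is heuristic: a value that itself contains a `word=` sequence would be split at that point, which is exactly why the tab delimiter exists.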
CEF is a commonly supported format, and FortiWeb, like FortiGates, supports CEF. QRadar should also. Just my 2 cents.
Getting away from tab and CSV is better, and using a standard format is wise. BTW, you can grab a pcap of the exported logs and validate the format that's being sent.
Ken Felix
PCNSE
NSE
StrongSwan
