Recently I have been instructed to send logs to a log server.
So I used the pull method, I guess, and added the user to the NSP DB.
Granted the user the select privilege.
When I configured the connector (the application that receives logs in the SIEM), there was a successful connection, but it doesn't show logs from the NSP DB.
Any experience with this issue?
Thanks, warm regards.
Is your SIEM running a query against the DB to collect the data from the iv_alert table? Does it have predefined settings for NSP?
Or are you using the Syslog Notification feature to send the syslog event to your SIEM?
Yes, the user makes a query against the DB and the connector has predefined settings.
When the above method did not work, I started to configure syslog notification from the NSM; unfortunately, no success either.
Did you grant the new DB user the select privilege on all DB tables or just specific ones?
If you log on to the DB and run the 'show processlist' command, can you see any queries being run? You may need to do this multiple times depending on how frequently the SIEM is querying the DB.
Hey Peter, I'm sorry to be disturbing you. Are you available on any real-time messengers, like Skype?
Because receiving an answer to a question here in the community takes hours and days.
Thanks, Best regards.
You will need to run the show processlist command while the ArcSight query is running to see the actual query; in your screenshot it is in sleep mode. If you run it multiple times you should get a result in the Info field.
Do you know how often the query is run?
From the ArcSight application, can you see what data it should query?
Does the ArcSight documentation state what tables the ArcSight DB user needs access to? You can use the show grants for <username> command to make sure it has enough rights.
You can also check the slowquery.log in the MySQL directory on the NSM to see if it's showing up there.
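
The grant check suggested above can be scripted. This is an added example, not part of the thread and not McAfee or ArcSight code: it reads the lines returned by `show grants for <username>` and reports whether the account has whole-table SELECT on the table the connector reads. The database name `nspdb`, the user `siem_ro`, the table `other_table` and the column `some_column` are constructed placeholders; only `iv_alert` comes from the thread.

```python
import re

# One line of `SHOW GRANTS FOR <user>` output, for example:
#   GRANT SELECT, SHOW VIEW ON `db`.`tbl` TO 'user'@'host'
# Role grants and wildcard database names are not resolved here.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>\*|`[^`]+`)\.(?P<tbl>\*|`[^`]+`)\s+TO\s",
    re.IGNORECASE,
)

def split_privs(privs):
    """Split the privilege list on commas that sit outside column lists."""
    out, depth, cur = [], 0, ""
    for ch in privs:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    out.append(cur.strip())
    return [p.upper() for p in out if p]

def can_select(grant_lines, db, table):
    """True if any grant gives whole-table SELECT on db.table."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        g_db, g_tbl = m.group("db").strip("`"), m.group("tbl").strip("`")
        if g_db not in ("*", db) or g_tbl not in ("*", table):
            continue
        # "SELECT (col, ...)" is a column-level grant and is not counted.
        privs = split_privs(m.group("privs"))
        if "SELECT" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False

# Constructed sample output; names are placeholders, not real NSP values.
SAMPLE = [
    "GRANT USAGE ON *.* TO 'siem_ro'@'192.0.2.10'",
    "GRANT SELECT ON `nspdb`.`other_table` TO 'siem_ro'@'192.0.2.10'",
    "GRANT SELECT (`some_column`) ON `nspdb`.`iv_alert` TO 'siem_ro'@'192.0.2.10'",
]

if __name__ == "__main__":
    print("SELECT on iv_alert:", can_select(SAMPLE, "nspdb", "iv_alert"))
```

With the sample grants the account can connect (USAGE) but has no whole-table SELECT on `iv_alert`, which matches the symptom of a successful connection that returns no events.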