I have just recently added a cisco web security appliance on my receiver but cannot seem to get the logs flowing in a manner that makes sense. Here is how I configured the data source:
I am not sure if the problem is with the Data Format or Support Generic Syslog option field.
What do you mean by "cannot seem to get the logs flowing in a manner that makes sense"?
What's the problem you're having? Generally, we set all data sources to log unknown events rather than do nothing. That way, we first know that the events are coming into the SIEM, and which may not be getting parsed, then we'll proceed to write custom parsers for events we deem important enough.
Thanks for the response.
Normally with these settings on other data sources, I get some logs that are normalized by McAfee automatically and some that are uncategorized, then I create parsing rules for those.
I have set the data source to log "unknown syslog" events and all I have been getting is the logs below, which do not make sense for me to create a parsing rule. Hence I am asking if maybe my settings are correct.
Looks like you're sending debug level logging. I rarely enable that for data sources to the SIEM. It tends to be very noisy and only good when troubleshooting the actual application that is sending the logs.
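One quick way to confirm the diagnosis in the reply above (that the appliance is sending debug-level messages) is to look at the syslog PRI prefix on each line: PRI = facility * 8 + severity, and severity 7 is debug. The following is an added example, not code from this thread or from McAfee or Cisco; it assumes the messages carry a standard RFC 3164/5424 "<PRI>" prefix, and the sample lines are constructed for illustration rather than captured from a real WSA.

```python
import re
from typing import Dict, List, Optional, Tuple

# Severity names from RFC 5424 section 6.2.1 (the same encoding as RFC 3164).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEBUG = 7
INFO = 6

# Assumption: each line starts with the standard "<PRI>" prefix, e.g. "<190>Jan 12 ...".
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) decoded from the leading <PRI>, or None if it is
    absent or out of range (23 * 8 + 7 = 191 is the largest legal PRI)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)  # facility = pri // 8, severity = pri % 8


def severity_counts(lines: List[str]) -> Dict[str, int]:
    """Histogram of severities by name; lines without a PRI are counted as 'no_pri'.
    A feed dominated by 'debug' is what the reply above describes as noise."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_pri(line)
        key = "no_pri" if parsed is None else SEVERITY_NAMES[parsed[1]]
        counts[key] = counts.get(key, 0) + 1
    return counts


def keep_for_siem(line: str, max_severity: int = INFO) -> bool:
    """True when the line should be forwarded: severity <= max_severity (default info,
    so debug is dropped). Lines with no PRI are kept so nothing is silently lost."""
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed[1] <= max_severity


def filter_lines(lines: List[str], max_severity: int = INFO) -> List[str]:
    """Drop everything noisier than max_severity before it reaches the receiver."""
    return [line for line in lines if keep_for_siem(line, max_severity)]


# Constructed sample feed (not real appliance output): local7.info, local7.debug,
# local0.info, local0.debug, and one line with no PRI at all.
SAMPLE_LINES = [
    "<190>Jan 12 10:00:01 wsa-example access: client 10.0.0.5 allowed http://example.test/",
    "<191>Jan 12 10:00:01 wsa-example proxy: dbg state transition idle->busy",
    "<134>Jan 12 10:00:02 wsa-example system: policy reload complete",
    "<135>Jan 12 10:00:02 wsa-example proxy: dbg pool size 4",
    "Jan 12 10:00:03 wsa-example notice: line without a PRI header",
]

if __name__ == "__main__":
    print(severity_counts(SAMPLE_LINES))
    for kept in filter_lines(SAMPLE_LINES):
        print(kept)
```

Run it against a capture of what the receiver is actually getting; if the histogram is mostly "debug", lower the logging level on the appliance rather than writing parsing rules for debug output.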