I have to receive logs of a Windows Server (Windows Server 2008) hosted application on SIEM. I used Windows collector version 11 (latest), configured the collector using the generic log tail method. I gave the path of the directory and file name in the collector, but I am unable to get any log on the SIEM receiver. I tested the collector on a different server and a different SIEM receiver also, but could not get any log on the receiver. All firewall policies are applied, and the collector is in connected and running state. When I use the tcpdump tool to see communication between the collector and the receiver, I see output of only synchronization between them, no logs being sent to the receiver. What may be the possible cause of the problem? Please help.
I've found the SIEM collector utility to be extremely finicky and difficult to work with. What kind of logs are you trying to send to the receiver? Do you have a source configured on the other end to receive these logs? If you can provide some screenshots I could help further, I spent a lot of time configuring the SIEM collector application.
I've had similar issues with the 11.x version of the collector. I have a situation right now where I can get logs from the machine the collector is installed on, but as soon as I turn on encryption, communication fails. Here's the debug from it when it happens:
<131> Mar 07 15:10:03 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
<131> Mar 07 15:10:30 System SIEMCollector ERROR -1 ServiceMain ============ The Service has crashed, and is now restarting. ============
<131> Mar 07 15:10:30 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
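A small parser for the debug.log lines quoted above, added here as an example and not code from the thread or from the collector's vendor. The line layout is assumed from the three lines shown (syslog PRI, timestamp, host, "SIEMCollector", level, numeric code, function, message); the meaning of rv 0x80090331 is the SEC_E_ALGORITHM_MISMATCH status from Windows winerror.h, which is consistent with the poster's observation that things break only when encryption is switched on. It counts Schannel connection failures and service crash/restart events so you can see at a glance whether the collector is looping on a TLS handshake failure rather than on a parsing or tail problem.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three debug.log lines quoted earlier in this thread.
SAMPLE_DEBUG_LOG = """\
<131> Mar 07 15:10:03 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
<131> Mar 07 15:10:30 System SIEMCollector ERROR -1 ServiceMain ============ The Service has crashed, and is now restarting. ============
<131> Mar 07 15:10:30 localhost SIEMCollector ERROR 0 MEFConnection::TestConnection MEFOpen failed to connect due to: A Schannel call failed (rv = 0x80090331, err = 1) <@ line #203>
"""

# SSPI/Schannel status codes from winerror.h; only the one seen in the thread is listed.
SCHANNEL_STATUS = {
    0x80090331: "SEC_E_ALGORITHM_MISMATCH: collector and receiver share no TLS protocol/cipher suite; "
                "check that the encryption setting and TLS versions match on both ends",
}

# Assumed line layout, derived from the quoted lines:
# <PRI> Mon DD HH:MM:SS host SIEMCollector LEVEL code Function message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"SIEMCollector\s+(?P<level>[A-Z]+)\s+(?P<code>-?\d+)\s+(?P<func>\S+)\s+(?P<msg>.*)$"
)
SCHANNEL_RE = re.compile(r"Schannel call failed \(rv = (?P<rv>0x[0-9A-Fa-f]+), err = (?P<err>\d+)\)")


@dataclass
class Event:
    priority: int      # raw syslog PRI value, e.g. 131
    severity: int      # PRI & 7 -> 3 means "error"
    timestamp: str
    host: str
    level: str
    func: str
    message: str
    schannel_rv: Optional[int] = None  # SSPI status code when the message is a Schannel failure

    @property
    def is_crash(self) -> bool:
        return "has crashed" in self.message


def parse_line(line: str) -> Optional[Event]:
    """Parse one debug.log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rv = None
    s = SCHANNEL_RE.search(m.group("msg"))
    if s:
        rv = int(s.group("rv"), 16)
    return Event(priority=pri, severity=pri & 7, timestamp=m.group("ts"),
                 host=m.group("host"), level=m.group("level"), func=m.group("func"),
                 message=m.group("msg"), schannel_rv=rv)


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: List[Event]) -> Dict[str, object]:
    """Count TLS handshake failures and crash/restart cycles and attach a hint per status code."""
    schannel = [e for e in events if e.schannel_rv is not None]
    crashes = [e for e in events if e.is_crash]
    rv_codes = sorted({e.schannel_rv for e in schannel})
    hints = [SCHANNEL_STATUS.get(rv, f"unrecognised Schannel status 0x{rv:08X}") for rv in rv_codes]
    return {
        "total": len(events),
        "schannel_failures": len(schannel),
        "crashes": len(crashes),
        "rv_codes": rv_codes,
        "hints": hints,
    }


if __name__ == "__main__":
    # Point this at the real file, e.g. C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log
    summary = summarize(parse_log(SAMPLE_DEBUG_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against the real debug.log path mentioned later in the thread; a high schannel_failures count with no crashes between them points at the TLS settings, while crash/restart lines with no Schannel errors point elsewhere.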
Is port 8082 allowed on the firewall? Also, the encryption option is enabled/disabled accordingly on the data source setting as well; they would need to match on both ends.
We use port 8081, and yes, there's a firewall exception in place. I am receiving logs in the SIEM from the server in question - it's when I enable SSL encryption (on both ends) that I lose communication. I would add that I currently have about 30 servers in the same DMZ using 8081 and SSL to connect to the SIEM and they're all working fine. However, they have the older version SIEM collector, not version 11.
C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log to see what happens with your parsing and events.
Also make sure you disable encryption until you make it work.
On the ERC look inside /var/log/data/inline/thirdparty.logs/NUMBER/in
where NUMBER is the id of your data source, which you can get by running tq inside the command line interface.