Is it capable of sending syslog? Because if it is, it will be, let's say, easy.
It is already sending logs via syslog. I have found McAfee documentation:
SIEM Custom Parser How to create new parsing rules & troubleshoot data sources
The problem is that when I am adding a new log source to the REC, I cannot find a syslog Data Source Vendor.
My SIEM is 9.4 clean (no hotfixes or Service Packs).
Look for Generic as the data source vendor.
Yep, found it. This documentation is really .....&^%$..
What is the difference between the "Support Generic Syslogs" options:
Parse as generic syslog
Log "Unknown syslog" event ??
For every parser, a rule set is enabled with different parser rules. When you get an event that is not parsed by the enabled rules for the data source, you have the option to either do nothing with the non-parsed events (drop them), parse them as generic syslog (for every new event type a new rule will be created. Be careful, as this will generate a lot of rules!) or parse them as an unknown event. In that scenario, the events show up in ESM as "unknown event" together with the other parsed events. This gives you the chance to identify which events do not parse and create parsers for them.
I always choose Unknown Syslog and disable aggregation for the unknown event signature ID.
I would also advise upgrading your 9.4 SIEM to hotfix 5. There were some parsing issues in the RTW version with unknown events that are now fixed.
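The three behaviours described in the reply above (drop, parse as generic syslog, log as unknown), plus the effect of turning aggregation off for the unknown signature ID, modelled as an added illustration for this thread. This is not McAfee ESM/Receiver code and not the poster's; the parser rules, the signature IDs, the sample syslog lines and the way a "new event type" is keyed are all invented to make the point visible.

```python
"""Toy model of a receiver's parser rule set and its three fallbacks for
events that match no enabled rule.  Written for this thread as an
illustration; it is not McAfee ESM/Receiver code, and the rules, signature
IDs and sample log lines below are all invented."""
import re
from collections import Counter

UNKNOWN_SIG_ID = 999999  # hypothetical signature ID standing in for "Unknown syslog"

# Constructed sample syslog payloads, not captured from a real device.
SAMPLE_EVENTS = [
    "<38>Jan  1 10:00:01 fw01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "<38>Jan  1 10:00:02 fw01 sshd[1234]: Failed password for bob from 10.0.0.9 port 51001 ssh2",
    "<30>Jan  1 10:00:03 fw01 myapp[77]: cache warmup complete in 30ms",
    "<30>Jan  1 10:00:04 fw01 myapp[77]: cache warmup complete in 31ms",
    "<30>Jan  1 10:00:05 fw01 CRON[88]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>Jan  1 10:00:06 fw01 sshd[1234]: Failed password for eve from 10.0.0.9 port 51002 ssh2",
]

# Enabled parser rules for this data source: (signature ID, regex). Hypothetical.
ENABLED_RULES = [
    (1001, re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    (1002, re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
]


def event_type_key(msg):
    """Crude 'event type' used by the generic fallback: program name plus the
    message text with digit runs masked, so two warmup lines count as one type."""
    m = re.search(r"\s(\S+?)\[\d+\]:\s(.*)$", msg)
    if not m:
        return msg
    prog, text = m.groups()
    masked = re.sub(r"\d+", "N", text)
    return prog + ": " + masked


def parse_events(events, unmatched_policy):
    """Run events through the enabled rules.  unmatched_policy is one of
    'drop', 'generic' (auto-create a rule per new event type) or 'unknown'
    (file the event under UNKNOWN_SIG_ID).  Returns (parsed, auto_rules)."""
    parsed = []
    auto_rules = {}  # event type key -> auto-created signature ID
    for ev in events:
        for sig_id, pattern in ENABLED_RULES:
            m = pattern.search(ev)
            if m:
                parsed.append({"sig_id": sig_id, "raw": ev, **m.groupdict()})
                break
        else:
            if unmatched_policy == "drop":
                continue  # silently lost: nothing in ESM tells you it arrived
            if unmatched_policy == "generic":
                key = event_type_key(ev)
                if key not in auto_rules:
                    auto_rules[key] = 500000 + len(auto_rules)  # rule count grows per type
                parsed.append({"sig_id": auto_rules[key], "raw": ev})
            elif unmatched_policy == "unknown":
                parsed.append({"sig_id": UNKNOWN_SIG_ID, "raw": ev})
            else:
                raise ValueError("unknown policy: " + unmatched_policy)
    return parsed, auto_rules


def signature_counts(parsed):
    """Events per signature ID, as a summary view would show them."""
    return Counter(e["sig_id"] for e in parsed)


def aggregate(parsed, no_aggregate=frozenset()):
    """Collapse events sharing a signature ID into one row with a count,
    except for IDs in no_aggregate, which stay one row per event so the raw
    text of every unparsed message remains visible."""
    rows, first_seen = [], {}
    for ev in parsed:
        sid = ev["sig_id"]
        if sid in no_aggregate:
            rows.append({"sig_id": sid, "count": 1, "raw": ev["raw"]})
        elif sid in first_seen:
            first_seen[sid]["count"] += 1
        else:
            first_seen[sid] = {"sig_id": sid, "count": 1, "raw": ev["raw"]}
            rows.append(first_seen[sid])
    return rows


if __name__ == "__main__":
    for policy in ("drop", "generic", "unknown"):
        parsed, auto_rules = parse_events(SAMPLE_EVENTS, policy)
        print(policy, dict(signature_counts(parsed)), "auto-created rules:", len(auto_rules))
    parsed, _ = parse_events(SAMPLE_EVENTS, "unknown")
    print("aggregated rows:", len(aggregate(parsed)))
    print("rows with unknown aggregation off:", len(aggregate(parsed, {UNKNOWN_SIG_ID})))
```

Running it shows the trade-off in the reply: with "drop" the three non-ssh lines vanish, with "generic" every distinct message shape becomes its own rule (two here, but on a chatty device that grows without bound), and with "unknown" all three land under one signature ID. The last two lines show why the poster disables aggregation for that ID: aggregated, the three unparsed messages collapse into a single row with a count of 3; with aggregation off, each one is its own row, so the raw text you need to write a proper parser stays visible.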
Yep, the problem was also with the ESM build. Hotfix 6 has solved it. Events are coming.