Click on the Packet tab and let's see what the REC is parsing.
Sorry, where is the packet tab?
Maybe you have a screen shot?
It is in your screenshot:
We may be more helpful if we see the packet (raw) data. If it is no longer in "Packet" tab, you can retrieve it from ELM through "ELM Archive" tab.
The device type you have appears to be a Fortinet Firewall. Device Type 355 is for "FortiGate UTM - Space Delimited (ASP)", I'd change the datasource type to that from Unix/Linux, so it will use the right parser rules:
By the way, thanks for your replies on your weekend.
That was a good point; I totally ignored the signature ID.
The source system isn't a firewall (as far as I know, but I will double check); the source IP and the destination IP are in the same subnet, so there should be no firewall or even a NAC in place.
The source IP is the datasource itself and the destination IP is the McAfee receiver.
I already checked the Packet tab (didn't know what you meant in the first place) and changed some info:
<189>date=2016-10-09 time=22:17:01 devname="name of device" devid=FGT5HD3915800356 logid=0000000013 type=traffic subtype=forward level=notice vd="looks loke a domain info" srcip=" datasource IP" srcport=50935 srcintf="VLAN100-CORE" dstip="mcafee receiver: dstport=514 dstintf="VLAN100-CORE" sessionid=215039833 proto=17 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SYSLOG" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high
I am not sure about this event.
Was this event sent from the datasource, and what is the "deny" action?
Was this event denied or is this information about the event itself?
After a good look at the events, it seems this packet is not from the datasource, but from the fortinet firewall.
I have to talk to the system engineers about why this is coming from a firewall. It looks like the firewall is blocking the events,
but I'm not 100% sure, because there shouldn't be a firewall between the devices.
The screenshot and the event packet you provided are from a Fortinet firewall.
It appears that the firewall is blocking traffic from the datasource over port 514 to the receiver.
The devices may be in a segmented environment. You will need to work with your firewall engineers to have them enable data flow between the datasource and the receiver.
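To make the diagnosis above reproducible, here is an added example (not from the thread or from McAfee/Fortinet) that parses a FortiGate space-delimited `key=value` syslog line like the packet posted earlier and flags the case where the firewall denied UDP/514 traffic toward the receiver. The sample line is constructed with placeholder IPs and a placeholder `devid`; `parse_fortigate` and `is_blocked_syslog` are names chosen for this example.

```python
import re
from typing import Dict

# FortiGate "space delimited" syslog: key=value pairs; values are either bare
# tokens or double-quoted strings that may contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Leading syslog PRI, e.g. <189> -> facility 23 (local7), severity 5 (notice).
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample modeled on the posted packet; IPs and devid are placeholders.
SAMPLE = (
    '<189>date=2016-10-09 time=22:17:01 devname="fw-core-01" devid=FGT-PLACEHOLDER '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=10.0.100.20 srcport=50935 srcintf="VLAN100-CORE" dstip=10.0.100.50 '
    'dstport=514 dstintf="VLAN100-CORE" sessionid=1 proto=17 action=deny policyid=0 '
    'service="SYSLOG" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned"'
)


def parse_fortigate(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value line into a dict.

    The syslog PRI is decoded into 'facility' and 'severity' so that the
    numeric prefix does not get glued onto the first key ('date').
    """
    fields: Dict[str, str] = {}
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["facility"] = str(pri // 8)
        fields["severity"] = str(pri % 8)
        line = line[m.end():]
    for key, quoted, bare in _KV_RE.findall(line):
        # Exactly one of the two value groups is non-empty for a quoted value;
        # an empty quoted value ("") correctly yields an empty string.
        fields[key] = quoted if quoted else bare
    return fields


def is_blocked_syslog(fields: Dict[str, str], receiver_ip: str) -> bool:
    """True when a forward-traffic log shows the firewall denying syslog
    (UDP/514) destined for the SIEM receiver.

    proto=17 is UDP; policyid=0 on FortiGate is the implicit deny policy,
    which is why no explicit rule appears to match in the posted packet.
    """
    return (
        fields.get("type") == "traffic"
        and fields.get("subtype") == "forward"
        and fields.get("action") == "deny"
        and fields.get("dstip") == receiver_ip
        and fields.get("dstport") == "514"
        and fields.get("proto") == "17"
    )


def describe(fields: Dict[str, str]) -> str:
    """One-line summary an analyst can hand to the firewall team."""
    return (
        f'{fields.get("devname")} {fields.get("action")} '
        f'{fields.get("srcip")}:{fields.get("srcport")} -> '
        f'{fields.get("dstip")}:{fields.get("dstport")} '
        f'(proto {fields.get("proto")}, policy {fields.get("policyid")}, '
        f'{fields.get("srcintf")} -> {fields.get("dstintf")})'
    )


if __name__ == "__main__":
    parsed = parse_fortigate(SAMPLE)
    print(describe(parsed))
    print("syslog to receiver blocked:", is_blocked_syslog(parsed, "10.0.100.50"))
```

Running it on the sample prints the deny with source, destination, protocol and policy id, which is the set of facts the firewall engineers need; feeding it the actual packet from the Packet or ELM Archive tab (with the real receiver IP) answers the "was the event itself denied?" question directly.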
Thanks, I think you are right.
I should have read the log files completely.
Will contact the network admin about this.