1 Reply Latest reply on Dec 22, 2016 4:50 AM by andy777

    Raw Syslog View

    campbcr

      Hello, I'm running ESM 9.6.0 MR 7.  I have a network engineer who would like a view created that shows a list of the raw syslog messages...similar to what you see when you view the Packet tab of an event that came in via syslog.  However, I don't see a field that holds that raw syslog string.  Is it possible to build such a view?

        • 1. Re: Raw Syslog View
          andy777

          The ESM (or any SIEM) operates by "aggregating" common events. Reoccurring events between the same source/destination are grouped together. Logs are split into well-known fields and inserted into the database accordingly. Here is something I wrote up if you're interested in additional detail: SIEM Event Aggregation

          It's also commonplace to have the raw logs sent to a log manager (ELM if it's McAfee) for full text search and to meet the requirement to "retain original, unmodified, non-repudiated logs for x amount of time" common in government, financial and organizations that handle PII.

          [Image: F5-ELM.PNG]

          The SIEM provides automated analysis of logs with the capability to easily drill down to disparate details with minimal effort. This is great for security folks trying to find the needle in the haystack but sometimes a network engineer troubleshooting is going to be looking for info not in the logs (show int) or need instant feedback so it's more appropriate for them just to log in to complete the task.

          The SIEM is great for highlighting misconfigurations and errors that are logged so it is recommended to set up alarms for the network folks to kick off their workflow when something is detected also.

          1 of 1 people found this helpful
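The answer above explains that a SIEM splits each syslog line into well-known fields and aggregates repeated events between the same source and destination, which is why no single field holds the original string, while the verbatim copy lives in a log manager. The following is an added example written for this page, not code from the thread or from McAfee ESM/ELM: it parses a few constructed RFC 3164 firewall lines (host name `fw01`, the `SRC=`/`DST=`/`DPT=` key-value layout and the `RawLogStore` class are all assumptions made for illustration) into discrete fields, aggregates the recurring events the way a SIEM does, and keeps the raw lines in a separate store that stands in for a log manager's full-text search.

```python
"""Toy model of SIEM event aggregation next to raw log retention.

Added example, not from the forum thread or from McAfee ESM/ELM. The sample
lines, the host name fw01 and the key=value message layout are constructed.
"""
import re
from collections import OrderedDict

# Constructed sample input: four firewall syslog lines from a hypothetical host "fw01".
SAMPLE_LOGS = [
    "<134>Dec 22 04:50:01 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=22",
    "<134>Dec 22 04:50:02 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=22",
    "<134>Dec 22 04:50:03 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=22",
    "<134>Dec 22 04:51:10 fw01 kernel: ACCEPT IN=eth0 SRC=10.1.1.7 DST=192.168.0.20 PROTO=TCP DPT=443",
]

# RFC 3164 layout: <PRI>TIMESTAMP HOST TAG: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Split one raw syslog line into the well-known fields a SIEM would store.

    The returned dict deliberately carries no copy of the raw line: once the
    message is normalised into fields, the original string is not one of them.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m.group("pri"))
    msg = m.group("msg")
    kv = dict(KV_RE.findall(msg))
    return {
        "facility": pri // 8,            # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("ts"),      # RFC 3164 timestamps carry no year; kept as text
        "host": m.group("host"),
        "program": m.group("tag"),
        "action": msg.split(" ", 1)[0],  # first token of the message, e.g. DROP / ACCEPT
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "protocol": kv.get("PROTO"),
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
    }


def aggregate_events(lines):
    """Group parsed events that share host, action, source, destination, protocol and port.

    Returns an ordered dict keyed by that tuple; each value holds a count and the
    first/last timestamp, which is what the SIEM keeps instead of N identical rows.
    """
    events = OrderedDict()
    for line in lines:
        ev = parse_syslog(line)
        key = (ev["host"], ev["action"], ev["src_ip"], ev["dst_ip"],
               ev["protocol"], ev["dst_port"])
        agg = events.get(key)
        if agg is None:
            events[key] = {
                "count": 1,
                "first_seen": ev["timestamp"],
                "last_seen": ev["timestamp"],
                "severity": ev["severity"],
            }
        else:
            agg["count"] += 1
            agg["last_seen"] = ev["timestamp"]
    return events


class RawLogStore:
    """Stand-in for a log manager: keeps every line verbatim and offers substring search."""

    def __init__(self, lines):
        self._lines = list(lines)

    def search(self, needle):
        """Return the unmodified lines containing the search text."""
        return [line for line in self._lines if needle in line]


if __name__ == "__main__":
    for key, agg in aggregate_events(SAMPLE_LOGS).items():
        print(key, agg)
    print(RawLogStore(SAMPLE_LOGS).search("DPT=22"))
```

Run as a script it prints two aggregated events (the three identical DROPs collapse into one record with a count of 3) and then the three raw lines that match the substring search, which is the split the answer describes: field-based views come from the aggregated records, raw text from the separate store.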