Imperva Cyber Community


SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

  • 1.  SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

    Posted 01-12-2021 05:31
    Hi,

    I have a problem with the latest version of the logs downloader, which shows the same symptoms as "SYSLOG sending from script found massively duplicated on SIEM" (Issue #20, imperva/incapsula-logs-downloader).

    My test results.

    Configuration: Settings.config

    Incapsula log downloader saving to a local directory.

    Log receiver.

    Events are duplicated around 3x to 10x.

    I tested on TCP and UDP; both have the same issue.

    PS: Python 2.7 did not have this issue.

    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Piyapong Thongrith
    i-secure co., Ltd.
    Bangkok
    ------------------------------


  • 2.  RE: SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

    Posted 01-13-2021 20:50
    I have this problem too.

    ------------------------------
    Worachat Sarsa
    Exclusive Networks TH
    ------------------------------



  • 3.  RE: SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

    Posted 01-14-2021 07:14
    Me too, and so do many people who complained about the same thing on the GitHub page.
    Over TCP each event is sent 10 times; over UDP it can be 100 times or more.

    I believe the root cause is a logical error in how the Python script is written, as described here:

    https://stackoverflow.com/questions/30740251/python-logging-module-handlers-sysloghandler-sending-multiple-lines-instea

    But I didn't manage to fix it.
    If anyone is a good Python scripter, some help would be nice.


    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------
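The pattern that the linked Stack Overflow question describes, and that the poster above suspects, is a helper that attaches a new `logging` handler to the same logger on every call, so each event is emitted once per accumulated handler. The following is an added example, not code from the incapsula-logs-downloader project or from any participant in this thread; it assumes that this handler-accumulation pattern is the cause, substitutes a list-backed handler for `logging.handlers.SysLogHandler` so it runs offline (the duplication mechanism is the same: every handler attached to a logger emits every record), and uses constructed sample event strings. The buggy sender sits beside the fixed one, and `handler_count()` is the check a practitioner would run against a live process to confirm the diagnosis.

```python
"""Added example: Python logging handler accumulation as a cause of syslog
duplication. Not the incapsula-logs-downloader project's own code; the
cause is assumed from the thread's Stack Overflow link, and the handler,
logger names and events below are constructed for the demo."""
import logging
from collections import Counter

# Constructed sample events standing in for downloaded log lines.
SAMPLE_EVENTS = ["sample event 1", "sample event 2", "sample event 3"]


class ListHandler(logging.Handler):
    """Stand-in for logging.handlers.SysLogHandler: appends each formatted
    record to a list instead of writing it to a UDP/TCP socket."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink
        self.setFormatter(logging.Formatter("%(message)s"))

    def emit(self, record):
        self.sink.append(self.format(record))


def send_buggy(sink, events, logger_name="buggy"):
    """Bug pattern: a handler is attached on every send and never removed.
    The n-th event is therefore emitted n times, once per accumulated
    handler, which the receiver sees as duplicates."""
    log = logging.getLogger(logger_name)
    log.setLevel(logging.INFO)
    log.propagate = False  # keep the demo isolated from the root logger
    for event in events:
        log.addHandler(ListHandler(sink))  # accumulates on each call
        log.info(event)
    return Counter(sink)


def send_fixed(sink, events, logger_name="fixed"):
    """Fix: attach the handler once, guarded on log.handlers, and reuse the
    configured logger for every event."""
    log = logging.getLogger(logger_name)
    log.setLevel(logging.INFO)
    log.propagate = False
    if not log.handlers:
        log.addHandler(ListHandler(sink))
    for event in events:
        log.info(event)
    return Counter(sink)


def handler_count(logger_name):
    """Diagnostic: how many handlers are attached to a named logger.
    Anything above the number you intended indicates accumulation."""
    return len(logging.getLogger(logger_name).handlers)


if __name__ == "__main__":
    buggy_sink, fixed_sink = [], []
    print("buggy:", dict(send_buggy(buggy_sink, SAMPLE_EVENTS)),
          "handlers:", handler_count("buggy"))
    print("fixed:", dict(send_fixed(fixed_sink, SAMPLE_EVENTS)),
          "handlers:", handler_count("fixed"))
```

With three events the buggy sender delivers six lines (1 + 2 + 3) and leaves three handlers on the logger; the fixed sender delivers three lines and leaves one. In a long-running downloader the handler count, and so the duplication factor, grows with every event sent, which matches the increasing multiples reported in this thread. The same guard applies to a real `SysLogHandler`: create it once at startup, or check `logger.handlers` before adding another.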



  • 4.  RE: SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

    Posted 01-14-2021 21:23
    I know where the problem is and am currently testing; I will update next week.

    ------------------------------
    Piyapong Thongrith
    i-secure co., Ltd.
    Bangkok
    ------------------------------



  • 5.  RE: SYSLOG sending from script found massively duplicated on SIEM or Log Receiver

    Posted 01-17-2021 21:58
    I've submitted PR #23; please update and validate.

    master: https://github.com/imperva/incapsula-logs-downloader

    ------------------------------
    Piyapong Thongrith
    i-secure co., Ltd.
    Bangkok
    ------------------------------