Hello,
Does anyone use QRadar SIEM in push mode (not the pull mode with the Python script) from the Cloud WAF?
Our issue is that the logs are compressed by the Cloud WAF with "ZLIB", while QRadar is not able to decompress ZLIB.
Imperva's documentation suggests decompressing them with the following script:
# Split at the "|==|" line: .00 = plaintext header, .01 = separator line + zlib body
csplit -sz 123_345.log -f 123_345.log. '/|==|/'
# Drop the separator line so only the zlib stream is left in .01
sed -i '/|==|/d' 123_345.log.01
# Write the header first, then append the inflated body (zlib-flate ships with qpdf)
cat 123_345.log.00 > 123_345.log.decompressed
zlib-flate -uncompress < 123_345.log.01 >> 123_345.log.decompressed
rm 123_345.log.0*
However, we were wondering whether anyone has a more native way to do this decompression in QRadar itself
(without having to go through an additional script/server).
Thanks,
Roee
#CloudWAF (formerly Incapsula)
------------------------------
Roee Sharon
RSECURE
------------------------------
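As an added example (not from the Imperva documentation, the post, or QRadar's own scripts), the same split-and-inflate step in Python, so it runs in one process without the csplit/sed temporary files. The layout it assumes (plaintext header, a line containing only `|==|`, then the zlib stream) is what the script above implies; the sample file and its events are constructed.

```python
import zlib

# Line that Cloud WAF puts between the plaintext header and the zlib body
# (the same marker the csplit/sed commands in the post key on).
SEPARATOR = b"|==|"


def decompress_cloud_waf_log(raw: bytes) -> bytes:
    """Return the log file with its compressed body inflated.

    Layout assumed (taken from the script in the post): header lines,
    one line containing only '|==|', then the zlib stream. A file with
    no separator is returned unchanged.
    """
    sep_at = raw.find(SEPARATOR)
    if sep_at == -1:
        return raw
    header = raw[:sep_at]
    body = raw[sep_at + len(SEPARATOR):]
    # Remove the rest of the separator line, as `sed '/|==|/d'` does.
    # Only one line ending is dropped: a zlib stream never begins with
    # 0x0A or 0x0D (its first byte's low nibble is 8, the deflate method).
    if body.startswith(b"\r\n"):
        body = body[2:]
    elif body.startswith(b"\n"):
        body = body[1:]
    try:
        return header + zlib.decompress(body)
    except zlib.error:
        # Assumption: a body that is not a zlib stream (compression turned
        # off on the WAF side) is kept as-is rather than failing the file.
        return header + body


def make_sample_log(header: bytes, events: bytes, newline: bytes = b"\n") -> bytes:
    """Build a constructed Cloud WAF-style file for testing (not real data)."""
    return header + newline + SEPARATOR + newline + zlib.compress(events)


if __name__ == "__main__":
    # Constructed sample: a two-line header and one CEF-style event.
    sample = make_sample_log(
        b"fileId=123_345\nfileType=waf",
        b"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|src=192.0.2.10\n",
    )
    print(decompress_cloud_waf_log(sample).decode())
```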