Skip main navigation (Press Enter).

Imperva Cyber Community

View Only

Back to discussions

Expand all | Collapse all

Syslog missing events

Randahl Garcia03-30-2023 16:31

Hello, We have an action set that sends events over syslog to Splunk from our MX's using CEF. I see ...

Marat Makhlin04-03-2023 04:37

It can be due to number of reasons. If you have ensured that MX has correct configuration and should ...

1. Syslog missing events

Like
Randahl Garcia
Posted 03-30-2023 16:31
Edited by Randahl Garcia 03-30-2023 17:29
Hello,

We have an action set that sends events over syslog to Splunk from our MX's using CEF. I see new messages every day in Splunk, but I am unsure why certain security audit events do not get sent to Splunk. Specifically, I noticed this when looking for "Untraceable SSL Sessions: Unsupported Cipher" that show up on the MX alerts. Under that alert I do see the correct action set was supposed to trigger and sent over syslog. These alerts have the "informative" severity on them, not sure if that matters or not. Any help would be appreciated!

Thanks!

#DatabaseActivityMonitoring
2. RE: Syslog missing events

Like
Marat Makhlin
Posted 04-03-2023 04:37
It can be due to number of reasons. If you have ensured that MX has correct configuration and should send event to Splunk, I would suggest to try and localize the problem to see whether it is due to MX, Splunk server or network. It can be done by capturing this traffic on MX interface by tcpdump utility to the pcap file and analyzing it. If you find specific syslog message in pcap file, it means the MX sends it and need to focus on Splunk server side or network. You can open case to On-Prem Support and we can do this investigation for you.

BR,
Marat Makhlin
On-Prem Support Teach Lead.

------------------------------
MaratMakhlin
------------------------------

Powered by Higher Logic

Global message icon