Imperva Cyber Community

Our SOC team has raised an issue that they need to see raw and parsed query message when we are forwarding logs to syslog, i have added below message format under syslog configuration:

Can you please confirm if this is correct cef format or can you share the correct one!

Inc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|#cefEscapeMessage(${Event.message})|${Event.severity.displayName}|suser=#cefEscapeExtension(${Event.username}) rt=#ISO8601Date(${Event.createTime}) cat=SystemEvent session=#cefEscapeExtension(${Event.sessionIdentifier}) requestIP=#cefEscapeExtension(${Event.requestIP}) cs20Label=ErrorMessage cs20=#cefEscapeExtension(${Event.errorMessage}) cs15Label=RawQuery cs15=#cefEscapeExtension(${Event.rawQuery}) cs16Label=NormalizedQuery cs16=#cefEscapeExtension(${Event.normalizedQuery})

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather

------------------------------

can you please confirm using cef format can we forward normalised query and raw query to syslog, i have used number to options still failing,

Our SOC team has raised an issue that they need to see raw and parsed query message when we are forwarding logs to syslog, i have added below message format under syslog configuration:

Can you please confirm if this is correct cef format or can you share the correct one!

Inc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|#cefEscapeMessage(${Event.message})|${Event.severity.displayName}|suser=#cefEscapeExtension(${Event.username}) rt=#ISO8601Date(${Event.createTime}) cat=SystemEvent session=#cefEscapeExtension(${Event.sessionIdentifier}) requestIP=#cefEscapeExtension(${Event.requestIP}) cs20Label=ErrorMessage cs20=#cefEscapeExtension(${Event.errorMessage}) cs15Label=RawQuery cs15=#cefEscapeExtension(${Event.rawQuery}) cs16Label=NormalizedQuery cs16=#cefEscapeExtension(${Event.normalizedQuery})

Our SOC team has raised an issue that they need to see raw and parsed query message when we are forwarding logs to syslog, i have added below message format under syslog configuration:

Can you please confirm if this is correct cef format or can you share the correct one!

Inc.|SecureSphere|${SecureSphereVersion}|${Event.eventType}|#cefEscapeMessage(${Event.message})|${Event.severity.displayName}|suser=#cefEscapeExtension(${Event.username}) rt=#ISO8601Date(${Event.createTime}) cat=SystemEvent session=#cefEscapeExtension(${Event.sessionIdentifier}) requestIP=#cefEscapeExtension(${Event.requestIP}) cs20Label=ErrorMessage cs20=#cefEscapeExtension(${Event.errorMessage}) cs15Label=RawQuery cs15=#cefEscapeExtension(${Event.rawQuery}) cs16Label=NormalizedQuery cs16=#cefEscapeExtension(${Event.normalizedQuery})