SIEM log for proxy server

We are testing sending the proxy log from a Forcepoint V appliance to both Splunk and Graylog.
The proxy settings:
C port for management: 10.10.5.12
P1 port for proxy service: 10.10.5.13
We confirmed with Forcepoint that the SIEM log should be received on the Policy Server interface (C port), so the log source IP should be the C port IP address (10.10.5.12). On Splunk it shows the correct source IP, but Graylog shows the wrong source IP (the P1 port IP address, 10.10.5.13). Can I configure it to reflect the right interface? Thanks

Hey @wbsn12

Graylog just shows what is visible in the logs - maybe the logs do not follow the common syslog pattern (or whatever other format you send) and Graylog is not able to read all fields. But that is only guessing.

Without knowing how your logs are structured, nobody would be able to assist you directly.

It sounds like an easy task, but most vendors have some kind of dialect in their syslog, which creates the need to understand that.

But the good thing with Graylog is that you are able to normalize the received logs and extract all wanted information out of the strings.

How that is done for your logs is again a question of how your logs look. Maybe someone has already done this and published the work here or in the Marketplace. Just search a bit.

Jan

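To illustrate Jan's point that a collector shows whatever "source" it can extract from the log line itself, here is an added example (not code from this thread, from Graylog or from Forcepoint). It parses RFC 5424 and RFC 3164 syslog headers, keeps the transport-level sender address separate from the HOSTNAME field carried inside the header, and then applies a normalization policy to decide which one becomes the event's source. The sample lines are constructed; the assumption that the appliance writes its P1 address (10.10.5.13) into the HOSTNAME field while the packets leave from the C port (10.10.5.12) is a hypothesis about the original poster's setup, not a confirmed fact, and the `aliases` map is a stand-in for whatever normalization rule the collector actually supports.

```python
"""
Separate the two places a "source" can come from in a syslog event:
  1. the transport sender (IP the UDP/TCP packet arrived from), and
  2. the HOSTNAME field embedded in the syslog header by the sender.
A SIEM that prefers (2) will display whatever the appliance wrote there.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) (?P<msg>.*)$"
)
# RFC 3164 (BSD syslog): <PRI>MMM dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    transport_src: str            # address the packet actually came from
    header_host: Optional[str]    # HOSTNAME from the syslog header, if parsable
    facility: Optional[int]
    severity: Optional[int]
    message: str
    rfc: str                      # "5424", "3164" or "unknown"


def parse_syslog(line: str, transport_src: str) -> SyslogEvent:
    """Parse one raw line; fall back to the transport sender if the header is unreadable."""
    for name, rx in (("5424", RFC5424), ("3164", RFC3164)):
        m = rx.match(line)
        if m:
            pri = int(m.group("pri"))
            return SyslogEvent(transport_src, m.group("host"),
                               pri >> 3, pri & 7, m.group("msg"), name)
    # No recognizable header: a collector has nothing but the transport address.
    return SyslogEvent(transport_src, None, None, None, line, "unknown")


def normalize_source(ev: SyslogEvent, header_wins: bool = True,
                     aliases: Optional[dict] = None) -> str:
    """Pick the value the SIEM should store as 'source'.

    header_wins=True mimics a collector that trusts the header HOSTNAME
    (so a vendor that writes a different interface address there is shown
    as that address).  'aliases' is a hypothetical normalization table that
    maps a header value the vendor emits to the name the operator wants.
    """
    aliases = aliases or {}
    if header_wins and ev.header_host:
        return aliases.get(ev.header_host, ev.header_host)
    return ev.transport_src


# Constructed sample lines (not real appliance output).  The 5424 line carries
# the P1 address in HOSTNAME even though it is delivered from the C port.
SAMPLE_5424 = ("<134>1 2024-05-01T10:00:00Z 10.10.5.13 proxy - - - "
               "category=web action=allow")
SAMPLE_3164 = "<34>Oct 11 22:14:15 proxy01 proxy: policy reload complete"
SAMPLE_BAD = "not a syslog line at all"
C_PORT, P1_PORT = "10.10.5.12", "10.10.5.13"

if __name__ == "__main__":
    for raw in (SAMPLE_5424, SAMPLE_3164, SAMPLE_BAD):
        ev = parse_syslog(raw, C_PORT)
        print(f"rfc={ev.rfc:7} transport={ev.transport_src} header={ev.header_host} "
              f"source(header wins)={normalize_source(ev)} "
              f"source(transport wins)={normalize_source(ev, header_wins=False)} "
              f"source(aliased)={normalize_source(ev, aliases={P1_PORT: C_PORT})}")
```

Running it prints three lines: the RFC 5424 event shows 10.10.5.13 when the header wins and 10.10.5.12 when the transport address wins or the alias table is applied, the RFC 3164 event shows `proxy01` from its header, and the unparsable line can only ever report the transport address. That is the check worth doing before changing any input configuration: capture a raw line on the collector and compare the HOSTNAME field with the packet's sender address; if they differ, the "wrong" source is the appliance's own header, and the fix is a normalization rule rather than a network change.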
