So we have access to a SMART-1 Log Server with R80.10 and it is configured only as a logging server, no management server or other blades. It's receiving logs from several CP firewalls into a management server (which we don't have access to) and then these logs get forwarded to the above Smart-1 Logging server which we do have access to. Trying to set up an OPSEC/LEA connection for our SIEM to pull down from the Logging Server. We can create the connection and SIC generated and activated. Trouble is the SIEM is complaining that it can't connect on 18120 to get the cert. We can access 18184 OK via the SIEM and telnet but we get no response from either on port 18120. Our CP support engineer told us that because it is only configured as a logging server with no management blade we won't be able to use OPSEC/LEA to pull logs from it and that syslog is the only option. Our SIEM providers say that this is the standard way most of their other clients retrieve logs from CP products. Does anyone know if OPSEC/LEA is possible in this setup? Syslog doesn't work especially well with our SIEM as it needs some major parsing to account for the originating source devices being different from the server our SIEM receives syslogs from (i.e. the logging server).

Many thanks for all your advice so far Dameon! So does the connection need to be always available between the OPSEC device and the management server for OPSEC/LEA to pull down the cert and establish trust, or does it just need that initial connection to pull the cert and then it'll only need to pull from the log server and not the management server anymore (until the certificate expires, for example)? If I can totally rule out OPSEC/LEA ever working in our current setup then there will be no choice but to use syslog; just trying to weigh up what my options will be for the most stable solution for the foreseeable future whilst we are doing testing/POC tasks. If an update/upgrade to any of the CP products 'breaks' the syslog ingesting/parsing and we have a potential loss in near real time security monitoring data, as the CP syslog ingesting is still in development stage by both parties, that's a potential risk I'd rather not take until both sides formally support the syslog option as the preferred way forward. Further down the line that'll almost certainly end up being syslog, but I'd rather if possible in our current situation have the most rich, usable data format that's formally supported by both of our security product vendors. Just trying to get the most rich, granular, useful data from the two products as possible at present with the option that is formally supported by both vendors. Their syslog ingesting of CP data is still developmental. It's Dell Secureworks; I know the future lies in syslog with CP products, it's just the SIEM supported method of ingesting and correlating CP data is only currently via OPSEC/LEA and integrates far better than the syslog option as it currently stands. Just wondered if there is a way to use OPSEC/LEA at all in this scenario or whether we have to live with the PITA syslog option that's not ideal for us?
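The thread's symptom is that the SIEM can reach the log server on 18184 but gets "no response" on 18120, and the support engineer's explanation is that a log-only server does not run the management-side service the SIEM expects. A plain TCP connect test that separates "refused" (host reachable, nothing listening) from "timeout" (packets silently dropped) is the quickest way to tell those two causes apart before changing anything. The script below is an added example, not code from either poster or from Check Point; the port numbers and their roles are taken from the posts above, the hostname is a placeholder, and the classification of outcomes is standard TCP behaviour rather than anything Check Point specific.

```python
import socket
import sys

# Ports named in the thread: 18184 answered, 18120 gave no response.
# Roles are as the posters describe them (LEA log pull, certificate fetch).
OPSEC_PORTS = {18184: "OPSEC LEA log pull", 18120: "certificate fetch"}

MEANING = {
    "open":    "TCP handshake completed: something is listening on this port",
    "refused": "host reachable but nothing listening (service not running here)",
    "timeout": "no TCP reply at all: packets dropped by a firewall, or host unreachable",
    "error":   "other socket error (DNS failure, no route, etc.)",
}


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Try a plain TCP connect and classify the outcome.

    No application data is sent. The point is to separate 'nothing listening'
    (the host answers with RST, seen as refused) from 'silently dropped'
    (timeout), because the two point at different causes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError:
        return "error"


def diagnose(host: str, ports=OPSEC_PORTS, timeout: float = 3.0) -> dict:
    """Check every port in `ports` against `host`; returns {port: status}."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def self_check() -> dict:
    """Validate the classifier locally: one port with a listener, then the same
    port after the listener is closed. Returns the observed classifications."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_status = check_tcp_port("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    # Nothing listens on the port any more, so the connect should be refused.
    refused_status = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return {"open": open_status, "refused": refused_status}


if __name__ == "__main__":
    # Placeholder hostname; pass the log server's address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "smart1-logserver.example.invalid"
    for port, status in diagnose(target).items():
        print(f"{target}:{port} ({OPSEC_PORTS[port]}): {status} - {MEANING[status]}")
```

Read the result for 18120 alongside 18184: a "refused" on 18120 while 18184 is "open" matches the engineer's description (the host is reachable, the service simply is not there), whereas a "timeout" on 18120 alone would suggest a filtering device between the SIEM and the log server and would be worth raising with whoever owns that path before concluding OPSEC/LEA is impossible.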