Hi,

I have forwarded logs from a SentinelOne device via syslog messages. The problem is that the Event Source name displays incorrectly. It produces multiple Event Sources based on the date of the log received from the SentinelOne devices. It looks like CEF format, not the actual syslog format.

I need a Collector for SentinelOne devices because the existing Collector provided by NetIQ is not compatible with SentinelOne devices. It produces duplicate Event Sources for the incoming logs inside the Universal Common Event Format Collector. If you can provide us with the right Collector for SentinelOne, it would be a big help. I'm using Sentinel 8.2.3.0.5521.

The sample log looks like this:
<14>2020-01-31 01:38:30,524   sentinel -  CEF:0|SentinelOne|Mgmt|Windows 10|48|Machine XXXXXXXX recommissioned|1|duid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cat=XXXXXXEvent rt=#arcsightDate(Fri, 31 Jan 2020, 01:38:21 UTC) activityID=XXXXXXXXXXXXXXXXXX activityType=48 accountId=XXXXXXXXXXXXXXXXXX accountName=XXX XXXXXXX XXX XXX notificationScope=XXXX

Hope the Micro Focus team can help. Thanks.
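A small parser for exactly this line shape, added here as an example and not code from NetIQ or the Sentinel Collector: it separates the non-standard syslog prefix from the CEF header and extensions, and keys an Event Source on host/vendor/product rather than on the per-line timestamp, so lines from different days map to one source. The sample lines are constructed from the masked one above.

```python
import re

# Constructed sample lines shaped like the masked one in the post; the second differs only in
# the syslog timestamp, to show that the Event Source key does not change from day to day.
SAMPLE_DAY1 = (
    "<14>2020-01-31 01:38:30,524   sentinel -  CEF:0|SentinelOne|Mgmt|Windows 10|48|"
    "Machine XXXXXXXX recommissioned|1|duid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cat=XXXXXXEvent "
    "rt=#arcsightDate(Fri, 31 Jan 2020, 01:38:21 UTC) activityID=XXXXXXXXXXXXXXXXXX "
    "activityType=48 accountId=XXXXXXXXXXXXXXXXXX accountName=XXX XXXXXXX XXX XXX "
    "notificationScope=XXXX"
)
SAMPLE_DAY2 = SAMPLE_DAY1.replace("2020-01-31 01:38:30,524", "2020-02-01 09:12:05,001")

# Syslog prefix as SentinelOne emits it: <PRI>, a 'YYYY-MM-DD HH:MM:SS,mmm' timestamp (not the
# RFC 3164 'Mmm dd HH:MM:SS' form), a hostname, a literal '-', then the CEF message.
PREFIX_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<host>\S+)\s+-\s+(?P<cef>CEF:\d+\|.*)$"
)
# Extension values may contain spaces and commas; a value runs up to the next ' key='.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def _unescape(field: str) -> str:
    # CEF header escaping: '\|' stands for '|' and '\\' for a single backslash.
    return re.sub(r"\\([\\|])", r"\1", field)

def parse_sentinelone_syslog(line: str) -> dict:
    """Split one SentinelOne syslog line into syslog prefix, CEF header and extensions."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a SentinelOne syslog/CEF line")
    pri = int(m.group("pri"))
    # The header is 7 pipe-delimited fields; everything after the 7th unescaped pipe is extension.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header does not have 7 fields")
    event = {"facility": pri >> 3, "syslog_severity": pri & 7,
             "timestamp": m.group("ts"), "host": m.group("host")}
    event.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    event["cef_version"] = parts[0].split(":", 1)[1]          # 'CEF:0' -> '0'
    event["extensions"] = dict(EXT_RE.findall(parts[7]))
    return event

def event_source_key(event: dict) -> str:
    """Key an Event Source on host/vendor/product, never on the per-line timestamp."""
    return f"{event['vendor']}:{event['product']}@{event['host']}"
```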

Comments

  • Any updates?