Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
523
Views
0
Helpful
1
Replies

Cloud Esa: Consolidated Event Logs --> via syslog push --> QRADAR

leonora-milisa
Level 1
Level 1

‎08-07-2024 01:48 AM

We are currently facing challenges in configuring the transmission of consolidated event logs to QRadar using syslog push. Despite entering the correct details for the syslog push, we continually encounter errors.

Here is a summary of our current setup and issues:

  • We have a cloud ESA.
  • For the syslog push configuration, we specifed correct port that we will use, correct hostname,
    Maximum Message Size: Bytes
    Facility:
    TLS:  
    .
  • Despite these configurations, we receive errors and are unable to successfully push the logs.

Could you please provide us with guidance on the following points:

  1. What could be the reason for the syslog push configuration failing despite using the correct parameters?
  2. Are there any specific settings or configurations required to ensure syslog push works correctly for sending consolidated event logs to QRadar?
Labels:
0 Helpful
1 Reply 1

Ken Stieers
VIP
VIP

‎08-07-2024 08:30 AM

So, I'm not totally up on all the limitations that are imposed on CES, but I'm going to bet the issue is that the port you're using isn't allowed outbound from the cloud instance firewalls.

514/UDP might be open, as that's the standard syslog port.
If that's the case you could PAT 514 coming in to your firewall to whatever port QRadar is listening on...

They do offer a site-to-site VPN option for this sort of traffic. https://docs.ces.cisco.com/docs/site-to-site-vpn

0 Helpful
Customers Also Viewed These Support Documents