QRadar and CEF logs

Hello, I have created a log source using Universal CEF syslog but the events are not being ingested by that log source and, instead, are being seen as an unknown log source. I used the IP address of the server sending the alerts but should I be using “phishme-triage Triage” as the identifier instead based on this event? Sorry if this is a dumb question but the various sources seem to not adhere to a standard. Appreciate any help!!

Jun 26 12:45:24 phishme-triage Triage: I, [2017-06-26T12:45:24.607021 #91131] INFO — : CEF:0|PhishMe|Triage|2.0|3|Rule Match|2|start=JUN 26 2017 11:04:38 rt=JUN 26 2017 12:45:24 deviceCustomDate1=JUN 26 2017 12:45:23 deviceCustomDate1Label=Time Message Reported duser=user@ourcompany.com suser=mss@othercompany.com cn2=0 cn2Label=VIP Reporter List Match cs2=CX_JavaMail_SPAM cs2Label=Highest Priority Rule Matched – Rule Name cs3=https://triage.ourcompany.com/reports/64 cs3Label=Report URL cs4=Alert Notification – Account Lockout cs4Label=Subject
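As an added example that is not part of the post, here is a small Python parser that splits the quoted event into its syslog header (timestamp, hostname, tag), the seven CEF header fields and the extension key=value pairs, handling extension values that contain spaces and the CEF escapes for `|` and `=`. The sample line is reconstructed from the post with ASCII punctuation; the field names used for the output dictionary are this example's own.

```python
import re

# Sample event, reconstructed from the one quoted in the post (ASCII dashes instead of the
# smart punctuation the page shows; the Ruby logger prefix "I, [...] INFO -- :" is kept).
SAMPLE = (
    "Jun 26 12:45:24 phishme-triage Triage: I, [2017-06-26T12:45:24.607021 #91131] INFO -- : "
    "CEF:0|PhishMe|Triage|2.0|3|Rule Match|2|start=JUN 26 2017 11:04:38 rt=JUN 26 2017 12:45:24 "
    "deviceCustomDate1=JUN 26 2017 12:45:23 deviceCustomDate1Label=Time Message Reported "
    "duser=user@ourcompany.com suser=mss@othercompany.com cn2=0 cn2Label=VIP Reporter List Match "
    "cs2=CX_JavaMail_SPAM cs2Label=Highest Priority Rule Matched - Rule Name "
    "cs3=https://triage.ourcompany.com/reports/64 cs3Label=Report URL "
    "cs4=Alert Notification - Account Lockout cs4Label=Subject"
)

# RFC 3164 style header: "Mon DD hh:mm:ss HOST TAG: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Extension values may contain spaces, so a value runs (lazily) until the next "key=" token
# or end of line; "\\." keeps escaped characters (e.g. "\=") inside the value.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def split_cef_header(cef: str) -> list[str]:
    """Split on unescaped '|' only; a literal pipe inside a header field is written '\\|'."""
    return [f.replace("\\|", "|") for f in re.split(r"(?<!\\)\|", cef, maxsplit=7)]


def parse_extensions(ext: str) -> dict[str, str]:
    """Return extension key/value pairs with CEF escapes for '=' and '\\' undone."""
    return {k: v.replace("\\=", "=").replace("\\\\", "\\").strip() for k, v in EXT_RE.findall(ext)}


def parse_event(line: str) -> dict:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style syslog line")
    msg = m.group("msg")
    start = msg.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in message")
    parts = split_cef_header(msg[start:])
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header (expected 7 header fields plus extension)")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    return {
        "syslog_host": m.group("host"),  # hostname token in the syslog header
        "syslog_tag": m.group("tag"),    # program tag before the colon
        "prefix": msg[:start],           # text between the tag and "CEF:" (logger preamble here)
        "header": header,
        "ext": parse_extensions(parts[7]),
    }
```

Running `parse_event(SAMPLE)` separates the syslog hostname (`phishme-triage`) and tag (`Triage`) from the CEF vendor/product fields, which makes it easy to compare what appears in the transport header with what appears inside the CEF payload.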
