The CASB SIEM agent, which pushes CloudSOC data to a SIEM server by way of a syslog server, is not working.
This guide gives several troubleshooting options to narrow down the issue.
The log file is found in /var/log/<siem>_client.log, where <siem> is qradar, arcsight, or splunk (the same value is used in the agent script name below).
Start the agent with the -d option:
python <siem>_agent.py -d
In the output, look for the number of files written to syslog, errors, etc.
In the SIEM agent directory, check for export_log.lock and last_job.status. Clear these files by starting the agent with the -c option:
python <siem>_agent.py -c
Watch the local syslog for the agent's messages (which file is used depends on the distribution):
tail -f /var/log/messages
tail -f /var/log/syslog
Confirm that syslog traffic actually leaves the agent host for the SIEM server (replace <SIEM-IP> with the server's address; 514 is the syslog port):
tcpdump -nnvvXS dst host <SIEM-IP> and port 514
Example: to check the network path with a listener you control, run netcat on another Linux host and write whatever arrives to a file:
ncat -l -p 8000 --udp -o /tmp/cloudsoc.log
Then, on the SIEM agent computer, point the agent at that listener (replace <listener-IP> with the address of the host running ncat):
./<siem>_agent.py -t <listener-IP>:8000
Alternative: run the agent with the FILE output option, so the data is written to a local file instead of being sent to syslog:
python <siem>_agent.py -o FILE -f
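The checks above, collected into one added bash helper (this is not part of the CloudSOC agent or of the original article). It assumes the paths the article gives: the client log at /var/log/<siem>_client.log and export_log.lock / last_job.status in the agent directory; the function names and the test datagram are this example's own.

```bash
#!/usr/bin/env bash
# Added troubleshooting helper for the steps above; not part of the CloudSOC SIEM agent.
# Assumes /var/log/<siem>_client.log and lock/status files in the agent directory.

# Map the SIEM type to its client log path; reject a type the agent does not support.
siem_log_path() {
    case "$1" in
        qradar|arcsight|splunk) printf '/var/log/%s_client.log\n' "$1" ;;
        *) printf 'unknown SIEM type: %s\n' "$1" >&2; return 1 ;;
    esac
}

# List leftover lock/status files in the agent directory. A lock left behind by an
# interrupted run blocks the next export; the article clears them with the -c option.
stale_lock_files() {
    local dir="$1" f
    for f in export_log.lock last_job.status; do
        [ -e "$dir/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Count lines in the client log that mention an error (case-insensitive).
count_error_lines() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 1; }
    grep -ci 'error' "$1" || true   # grep exits 1 when the count is 0; not a failure here
}

# Send one syslog-formatted UDP datagram to a listener (e.g. the ncat receiver from the
# article) to prove the network path independently of the agent. Uses bash's /dev/udp.
send_test_syslog() {
    local host="$1" port="${2:-514}"
    printf '<14>cloudsoc-agent-test: reachability check from %s\n' "$(hostname)" \
        > "/dev/udp/$host/$port"
}

# Usage: siem_agent_check <siem> <agent-dir> [siem-host] [port]
siem_agent_check() {
    local siem="$1" dir="$2" host="${3:-}" port="${4:-514}" log
    log=$(siem_log_path "$siem") || return 1
    printf 'log file: %s\n' "$log"
    [ -r "$log" ] && printf 'error lines in log: %s\n' "$(count_error_lines "$log")"
    printf 'stale files in %s: %s\n' "$dir" "$(stale_lock_files "$dir" | tr '\n' ' ')"
    [ -n "$host" ] && send_test_syslog "$host" "$port" \
        && printf 'test datagram sent to %s:%s\n' "$host" "$port"
    return 0
}
```

Run it as `siem_agent_check splunk /opt/siem-agent <listener-IP> 8000` while the ncat listener from the article is up; the datagram should appear in /tmp/cloudsoc.log, and any stale lock files are named so you know whether the -c run is needed.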