CASB SIEM Agent is not processing data



Article ID: 172554


Updated On:


CASB Security Standard CASB Security Premium CASB Security Advanced CASB Audit CASB Gateway CASB Gateway Advanced


The CASB SIEM agent, which pushes CloudSOC data to a SIEM server through a syslog server, is not working.

This guide gives several troubleshooting options to narrow down the issue.


Get debug logs for the SIEM agent by running the agent script with the -d option.

The log file is /var/log/_client.log, where the variable is qradar, arcsight, or splunk.

python -d

Look for the number of files written to syslog, errors, and similar entries.

If nothing is processed, check and clear the agent status files.

In the SIEM agent directory, check for export_log.lock and last_job.status. Clear the files by starting the agent with the -c option:

python -c
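The two checks above (reading the debug log for written files and errors, and inspecting the state files in the agent directory) can be scripted. The following is an added example written for this article, not code from the CASB SIEM agent: the debug-log line format it greps for ("Written to syslog" and "error") is an assumption, and the stale-lock threshold of 3600 seconds is a constructed default. A lock file that is older than the threshold while the agent is not running is the situation the -c option above is meant to clear.

```shell
#!/bin/sh
# Added example for the CASB SIEM agent troubleshooting steps (not part of the
# agent). Assumptions, not documented facts: the debug log contains lines with
# "Written to syslog" for each file sent and "error" for failures; the agent
# directory holds export_log.lock and last_job.status as the article states.
#
# Usage (hypothetical paths):
#   . ./casb_agent_check.sh
#   summarize_debug_log /var/log/splunk_client.log
#   agent_lock_state /opt/casb-siem-agent 3600

# Summarise a debug log: count the files written to syslog and the errors.
# Prints "written=<n> errors=<m>"; returns 1 if the log is unreadable.
summarize_debug_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    # grep -c exits 1 when the count is 0, so keep the "0" with "|| true".
    written=$(grep -c 'Written to syslog' "$log" || true)
    errors=$(grep -ci 'error' "$log" || true)
    echo "written=$written errors=$errors"
}

# Report the state of the agent's lock file. Prints one of:
#   clean   no export_log.lock in the directory
#   active  lock present and newer than MAX_AGE seconds (default 3600)
#   stale   lock present and older than MAX_AGE seconds (a stuck earlier run)
agent_lock_state() {
    dir="$1"
    max_age="${2:-3600}"
    lock="$dir/export_log.lock"
    [ -e "$lock" ] || { echo clean; return 0; }
    now=$(date +%s)
    # GNU stat and BSD stat spell the mtime option differently; try both.
    mtime=$(stat -c %Y "$lock" 2>/dev/null || stat -f %m "$lock")
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
        echo stale
    else
        echo active
    fi
}
```

Run agent_lock_state before clearing anything: an "active" result while the agent process is running means a job is genuinely in progress, whereas "stale" with no agent process is the case the -c restart is for.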

Look at what the syslog server processes (which file exists depends on the distribution):

tail -f /var/log/messages

tail -f /var/log/syslog

Check what data the syslog server actually sends to the SIEM server with a packet capture. The filter below matches traffic to the SIEM server on the syslog port, 514; the options go before the filter expression, and the port needs the port keyword or tcpdump reads 514 as a host name:

tcpdump -nnvvXS dst host (IP of SIEM server) and port 514

Netcat can be used in troubleshooting to listen on a port and write the received data to a file.

On another Linux host, run netcat and write the data to a file: ncat -l -p 8000 --udp -o /tmp/cloudsoc.log

On the SIEM agent computer, point the agent at that listener: ./ -t :8000
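Once the listener has written /tmp/cloudsoc.log, the capture can be checked for syslog framing rather than just non-empty size. The following is an added example for this article, not agent code; it assumes (an assumption, not a documented fact) that the agent emits RFC 3164-style messages that start with a "<PRI>" header, where PRI = facility * 8 + severity.

```shell
#!/bin/sh
# Added example (not part of the CASB SIEM agent): inspect a capture written by
# the ncat listener above. Assumes RFC 3164-style "<PRI>" framing at the start
# of each message; that framing is an assumption about the agent's output.
#
# Usage (path from the article):
#   count_syslog_messages /tmp/cloudsoc.log
#   decode_first_pri /tmp/cloudsoc.log

# Count the syslog-framed messages in a capture file (prints 0 for none).
count_syslog_messages() {
    grep -c '^<[0-9]\{1,3\}>' "$1" || true
}

# Print "facility=<n> severity=<n>" for the PRI of the first message.
# A capture with no "<PRI>" header prints "unframed": the listener received
# data, but not in a form a SIEM syslog input will parse as syslog.
decode_first_pri() {
    pri=$(sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p' "$1" | head -n 1)
    [ -n "$pri" ] || { echo unframed; return 0; }
    echo "facility=$((pri / 8)) severity=$((pri % 8))"
}
```

A count of zero with a non-empty capture usually means the agent reached the listener but the messages lack the syslog header the SIEM expects; a count of zero with an empty capture means nothing reached the listener at all, which points back at the agent or at the -t target.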


Run the agent with the FILE output option so it writes the data to a local file; if data appears there, the agent itself is producing events and the problem lies in the syslog path:

python -o FILE -f