CASB SIEM Agent is not processing data

book

Article ID: 172554

calendar_today

Updated On:

Products

CASB Security Standard CASB Security Premium CASB Security Advanced CASB Audit CASB Gateway CASB Gateway Advanced

Issue/Introduction

  • The CASB SIEM agent, which is used to push CloudSOC data to a SIEM server by utilizing  a syslog server, is not working.
  • This guide is designed to give several troubleshooting options to narrow down the issue.

Resolution

Get Debug logs for the SIEM agent by running the script with a -d

The log file is found in /var/log/_client.log. The variable would be qradar, arcsight, or splunk.

python _agent.py -d

Look for the number of files that are written to syslog, errors etc.

If nothing is processed, check and clear the agent status files. 

In the SIEM agent directory check for export_log.lock and last_job.status. Clear the files by starting the agent with a -c

python _agent.py -c

Look at what the syslog server processes.

tail -f /var/log/messages

tail -f /var/log/syslog

Check what data the syslog server sends to the SIEM server by packet capture.

tcpdump dst (IP of SIEM server) and 514 -nnvvXS

Netcat can be used in troubleshooting to listen on an interface and write the data to a file.

Example:

On another Linux run netcat and pipe to a file: ncat  -l -p 8000 --udp -o /tmp/cloudsoc.log

On the SIEM agent computer: ./_agent.py -t :8000

Alternative:

Run the agent with the FILE output option

python _agent.py -o FILE -f

Powered by Wolken Software