
Sentinel not displaying all CEF data

I'm not very experienced with Sentinel, so I apologize if this is a basic question.

I have NetIQ Advanced Authentication set up to send CEF logs to Sentinel. When I do a search on events in the Sentinel web interface and filter on the "Universal Common Event Format" I can see the events from Adv. Auth. but none of the detail. So I'll see things like "User was successfully logged on" or "User was switched to a different method" or "Request Failed." But I don't see any of the other data that follows those messages. If I use the Raw Data monitor in the Java Sentinel Control Center I can see a wealth of data in the _sBody and s_raw_message2 fields. This data appears to be pipe delimited following the basic event message. Why can I not see that data in the Sentinel web-based event search? What's the trick to get that data to appear?

Thanks.

Matt

  • Suggested Answer

    AA doesn't use any of the extension keys specified in the CEF standard. That's why none of the data shows up in the proper Sentinel fields - or in any other SIEM that implements CEF.

    This will hopefully be fixed in AA 6.4.1 (OCTCR28D487022)
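To make the answer concrete, here is a small CEF parser added for this thread (it is not NetIQ, Micro Focus or Sentinel code). It splits the seven pipe-delimited header fields, then parses the extension as the standard requires: space-separated key=value pairs, where only keys from the CEF extension dictionary (suser, src, act, cs1/cs1Label and so on) get mapped to first-class SIEM fields. The two sample lines are constructed to show the shape described above, not captured Advanced Authentication output, and the signature ID "AUTH_OK" is a placeholder. The second sample carries its detail as extra pipe-delimited values after the Name field instead of key=value pairs, so the parser leaves it in the raw tail, which is exactly why a CEF-aware SIEM shows the message but none of the detail, and why a detection rule keyed on suser or src would never match it.

```python
"""Minimal CEF parser: shows why detail outside standard extension keys
only survives in the raw message. Added example for this thread, not
vendor code; sample lines below are constructed, not real AA output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Subset of the standard CEF extension dictionary that a CEF-aware SIEM
# maps to real event fields. cs1..cs6 with csNLabel are the sanctioned
# custom-string slots; any other key is vendor-private.
STANDARD_KEYS = {
    "act", "app", "cat", "dhost", "dpt", "dst", "duser", "dvc", "dvchost",
    "msg", "outcome", "reason", "rt", "shost", "spt", "src", "suser",
    "cs1", "cs1Label", "cs2", "cs2Label", "cs3", "cs3Label",
    "cs4", "cs4Label", "cs5", "cs5Label", "cs6", "cs6Label",
}

# A key=value pair starts at the beginning or after whitespace; a `\=`
# inside a value therefore never starts a new pair.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _split_header(text: str, maxsplit: int = 7) -> List[str]:
    """Split on unescaped pipes (CEF escapes `\\|` and `\\\\` in the header);
    once the header is complete the remainder is returned untouched."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        if len(parts) == maxsplit:       # header done, keep extension raw
            buf.append(text[i:])
            break
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])       # escaped character is literal
            i += 2
            continue
        if c == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_value(value: str) -> str:
    """Undo extension escapes: `\\=`, `\\\\`, `\\n`, `\\r`."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(text: str) -> Tuple[Dict[str, str], str]:
    """Return (key=value pairs, leading text that is not key=value at all)."""
    matches = list(_EXT_KEY.finditer(text))
    if not matches:
        return {}, text.strip()
    leading = text[:matches[0].start()].strip()
    pairs: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        pairs[m.group(1)] = _unescape_value(text[m.end():end].strip())
    return pairs, leading


@dataclass
class CEFEvent:
    header: Dict[str, str]
    mapped: Dict[str, str]       # dictionary keys a SIEM maps to fields
    vendor_keys: Dict[str, str]  # key=value pairs outside the dictionary
    unparsed: str                # tail that is not key=value: raw-only


def parse_cef(line: str) -> CEFEvent:
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _split_header(line[start + 4:])
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    pairs, unparsed = parse_extension(parts[7] if len(parts) > 7 else "")
    mapped = {k: v for k, v in pairs.items() if k in STANDARD_KEYS}
    vendor = {k: v for k, v in pairs.items() if k not in STANDARD_KEYS}
    return CEFEvent(header, mapped, vendor, unparsed)


# Constructed samples (not captured AA output; "AUTH_OK" is a placeholder).
CONFORMANT = ("CEF:0|NetIQ|Advanced Authentication|6.3|AUTH_OK|"
              "User was successfully logged on|3|suser=jdoe src=10.0.0.5 "
              "act=login outcome=success cs1Label=method cs1=LDAP_PASSWORD")
NONCONFORMANT = ("CEF:0|NetIQ|Advanced Authentication|6.3|AUTH_OK|"
                 "User was successfully logged on|3|"
                 "jdoe|LDAP_PASSWORD|10.0.0.5|success")

if __name__ == "__main__":
    for label, line in (("conformant", CONFORMANT), ("pipe-delimited", NONCONFORMANT)):
        ev = parse_cef(line)
        print(f"{label}: name={ev.header['name']!r}")
        print(f"  mapped fields: {ev.mapped}")
        print(f"  vendor keys  : {ev.vendor_keys}")
        print(f"  raw-only tail: {ev.unparsed!r}")
```

Running it prints the user, source address, action and method as mapped fields for the conformant line, and an empty mapped set plus the whole `jdoe|LDAP_PASSWORD|10.0.0.5|success` tail for the pipe-delimited one. Until the producer emits dictionary keys, the only options on the consuming side are a custom collector or parser that splits that tail by position, which is brittle because nothing in the line says which value is which.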

  • In reply to the suggested answer

    UGH. Someone should tell Sentinel support! Thanks for at least confirming it's a flaw in Adv. Auth. I'll stop wasting my time now!

    Matt