Need Collector Plugin for Event Source from SentinelOne product

Idea ID 2786744


Hi,

I have forwarded logs from a SentinelOne device via syslog messages. The problem is, the Event Source name is displayed incorrectly, not as it should be. It produces multiple Event Sources based on the date of the log received from the SentinelOne devices. It looks like CEF format, not the actual syslog format.

I need a Collector for SentinelOne devices because the existing Collector provided by NetIQ is not compatible with SentinelOne devices. It produces duplicate Event Sources for the incoming logs inside the Universal Common Event Format Collector. If you can provide us with the right Collector for SentinelOne, it will be a big help. I'm using Sentinel 8.2.3.0.5521.

The sample log looks like this:
<14>2020-01-31 01:38:30,524   sentinel -  CEF:0|SentinelOne|Mgmt|Windows 10|48|Machine XXXXXXXX recommissioned|1|duid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cat=XXXXXXEvent rt=#arcsightDate(Fri, 31 Jan 2020, 01:38:21 UTC) activityID=XXXXXXXXXXXXXXXXXX activityType=48 accountId=XXXXXXXXXXXXXXXXXX accountName=XXX XXXXXXX XXX XXX notificationScope=XXXX

Hope the Micro Focus team can help. Thanks.
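As an added illustration (not code from Sentinel, the NetIQ collector or SentinelOne), here is a small Python parser that peels the syslog wrapper off a line shaped like the sample above and reads the CEF header and extensions, so the event source identity is taken from the CEF vendor/product and host rather than from the date in the syslog header. The sample line is constructed in the shape of the post's line with the same X placeholders, and the field names are assumptions of mine.

```python
import re
from datetime import datetime

# Constructed sample with the shape of the line in the post (X's are placeholders, as there).
SAMPLE = ("<14>2020-01-31 01:38:30,524   sentinel -  CEF:0|SentinelOne|Mgmt|Windows 10|48|"
          "Machine XXXXXXXX recommissioned|1|duid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cat=XXXXXXEvent "
          "rt=#arcsightDate(Fri, 31 Jan 2020, 01:38:21 UTC) activityID=XXXXXXXXXXXXXXXXXX activityType=48 "
          "accountId=XXXXXXXXXXXXXXXXXX accountName=XXX XXXXXXX XXX XXX notificationScope=XXXX")
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Syslog wrapper as seen in the post: <PRI>, a comma-millisecond timestamp, a host, a dash, then CEF.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
                       r"\s+(?P<host>\S+)\s+-\s+(?P<msg>CEF:.*)$")
# A key is a word directly followed by '=' at a token start; '\=' inside a value is an escape, not a key.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def split_cef_header(msg):
    """Split the 7 header fields on unescaped '|' (a backslash escapes '|' and itself)."""
    parts, cur, i = [], [], 0
    while i < len(msg) and len(parts) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg): cur.append(msg[i + 1]); i += 2; continue
        elif ch == "|": parts.append("".join(cur)); cur = []
        else: cur.append(ch)
        i += 1
    return parts, msg[i:]  # remainder after the 7th '|' is the extension string

def parse_extensions(ext):
    keys = list(EXT_KEY_RE.finditer(ext))  # values may contain spaces, so cut only at key starts
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out

def parse_event(line):
    m = SYSLOG_RE.match(line)
    if not m: raise ValueError("not a syslog-wrapped CEF line")
    parts, ext = split_cef_header(m.group("msg"))
    if len(parts) != 7 or not parts[0].startswith("CEF:"): raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts))
    header["version"] = header["version"][len("CEF:"):]
    pri = int(m.group("pri"))  # <14> = facility 1 (user), severity 6 (info)
    return {"syslog_host": m.group("host"), "facility": pri // 8, "syslog_severity": pri % 8,
            "syslog_time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
            **header, "ext": parse_extensions(ext)}

def event_source_key(ev):
    """Stable source identity: host plus CEF vendor/product, with nothing taken from the timestamp."""
    return f"{ev['syslog_host']}:{ev['vendor']}/{ev['product']}"
```

Keying on `event_source_key` gives one source per device regardless of the day the line arrived, which is the behaviour the post is asking for.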
1 Comment
Absent Member.
Any updates?