Forum Discussion
Hi David
It is not suggested to send Bluecoat to MCAS and then to Sentinel. MCAS will only get the HTTP logs it needs for discovery.
You should send Bluecoat logs to a Sentinel CEF collector (https://support.symantec.com/us/en/article.tech242216.html); then you would have the raw syslog data in Sentinel for use.
You would not be able to run an MCAS log collector and a Sentinel CEF collector on the same box; they both listen on port 514. But for a PoC you likely only need one Sentinel connector to collect from ASA, Bluecoat and PAN.
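Added example (not part of the thread above): before deploying a second collector to a box, the practical check is whether anything already owns syslog port 514 on it, since the reply explains that the MCAS log collector and the Sentinel CEF collector both bind that port. The script below parses `ss -lntup` style output and lists every UDP or TCP socket bound to 514 together with the owning process. The sample output embedded in the comments and the process names in it are constructed for illustration; the `ss` column layout it assumes is the standard `Netid State Recv-Q Send-Q Local:Port Peer:Port Process` form.

```shell
#!/bin/sh
# Added example: find out what already listens on syslog port 514 on a
# candidate collector host. Not code from the original thread.

SYSLOG_PORT=514

# Read `ss -lntup`-style output on stdin and print one line per socket
# bound to $SYSLOG_PORT, as "<netid> <local-address> <process>".
# Exit status: 0 if at least one listener was found, 1 if none.
report_syslog_listeners() {
    found=1
    while read -r netid state recvq sendq local peer process; do
        case "$netid" in
            Netid|"") continue ;;   # skip the header line and blank lines
        esac
        # Local address is 0.0.0.0:514, [::]:514 or *:514; keep the port.
        port="${local##*:}"
        [ "$port" = "$SYSLOG_PORT" ] || continue
        printf '%s %s %s\n' "$netid" "$local" "${process:-<unknown>}"
        found=0
    done
    return "$found"
}

# Live use on the host you are about to deploy to (needs root to see the
# owning process in the Process column):
#   ss -lntup | report_syslog_listeners && echo "port 514 already taken"
check_live() {
    ss -lntup 2>/dev/null | report_syslog_listeners
}
```

If the function prints a syslog-ng, rsyslog or Docker-proxied process on 514, that host is already a collector of some kind and the second collector needs its own VM.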
- David Caddick, Jul 30, 2019, Iron Contributor
Thanks Nicholas
So maybe I haven't understood that correctly, or is it a case that I can use a single Linux Collector (in a PoC) for Sentinel and *it* can then be used to collect multiple streams (ASA, BlueCoat & Palo Alto) while it's only destined for the one Sentinel location?
If we were to try and use this for both Sentinel and MCAS, this is when it breaks: we can't use a Linux Collector to stream to two different services... Is this correct?
- David_Caddick, Nov 22, 2021, Brass Contributor
Hi Nicholas,
Just coming back on this subject: we are just looking into details on this from a Log Collector point of view for BlueCoat Proxy traffic. From your answer we're getting the impression that there is no point in bringing BC Proxy logs into MCAS. Is that because it doesn't really add any value like IDs/auth, etc.?
So it's better to just bring the BC_Proxy logs straight into Sentinel only?
Regards,
Dave Caddick