Just checking – as we are looking at trying to get more info feeding in to the solution and there is a Bluecoat Proxy + Cisco ASA transferring to Palo Alto.
As there is no “connector” listed for Bluecoat in Sentinel, but there is one listed in MCAS, would it make sense to simply ingest the Bluecoat into MCAS and then have MCAS alerts feed into Sentinel?
While this might not be ideal that Sentinel does not have the raw data, at least it will have the Alerts, and by aggregating the data it will reduce the storage needs in Sentinel?
Would I be correct in thinking that it’s not possible to run a single Linux Connector that can run various tasks in a PoC scenario? So for the Cisco ASA & the Palo Alto we’d likely need two separate Linux Connectors, one for each task?
You would not be able to run an MCAS log collector and a Sentinel CEF collector on the same box. they both listen on port 514. But for a poc you likely only need 1 sentinel connector to collect from ASA, bluecoat and PAN.
So maybe I haven't understood that correctly, or is it a case that I can use a single Linux Collector (in a PoC) for Sentinel and *it* can then be used to collect multiple streams (ASA, BlueCoat & Palo Alto) while it's only destined for the one Sentinel location?
If we were to try and use this for both Sentinel and MCAS this is when this breaks - we can't use a Linux Collector to stream for two different services... Is this correct?