
Linux Connectors - MCAS & Sentinel


Just checking – as we are looking at trying to get more info feeding into the solution and there is a Bluecoat Proxy + Cisco ASA transferring to Palo Alto.

As there is no “connector” listed for Bluecoat in Sentinel, but there is one listed in MCAS, would it make sense to simply ingest the Bluecoat into MCAS and then have MCAS alerts feed into Sentinel?

While this might not be ideal that Sentinel does not have the raw data, at least it will have the Alerts, and by aggregating the data it will reduce the storage needs in Sentinel?

Would I be correct in thinking that it’s not possible to run a single Linux Connector that can run various tasks in a PoC scenario? So for the Cisco ASA & the Palo Alto we’d likely need two separate Linux Connectors, one for each task?

2 Replies

@David Caddick 

Hi David

It is not suggested to send Bluecoat to MCAS then to Sentinel. MCAS will only get the HTTP logs it needs for discovery.

You should send Bluecoat logs to a Sentinel CEF collector (https://support.symantec.com/us/en/article.tech242216.html), then you would have the raw syslog data in Sentinel for use.

You would not be able to run an MCAS log collector and a Sentinel CEF collector on the same box. They both listen on port 514. But for a PoC you likely only need 1 Sentinel connector to collect from ASA, Bluecoat and PAN.
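The reply above says one Sentinel CEF collector can take ASA, Bluecoat and PAN at the same time. The following is an added example, not code from the thread or from Microsoft: it parses syslog lines carrying CEF and groups them by the DeviceVendor/DeviceProduct header fields, which is how the sources stay distinguishable in Sentinel's CommonSecurityLog table after sharing one collector. The sample lines are constructed, and the example assumes each device has been configured to emit CEF over syslog.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, one per source named in the thread plus one
# plain (non-CEF) syslog line. They are illustrative, not captured from devices.
SAMPLE_SYSLOG = [
    "<134>Aug 20 10:01:02 asa01 CEF:0|Cisco|ASA|9.8|106023|Deny tcp|5|src=10.1.1.5 dst=10.2.2.9 spt=51234 dpt=445 proto=TCP",
    "<134>Aug 20 10:01:03 proxy01 CEF:0|Blue Coat|ProxySG|6.7|200|Web access|3|src=10.1.1.7 request=http://example.test/a\\=b cs1=denied cs1Label=policy",
    "<134>Aug 20 10:01:04 pan01 CEF:0|Palo Alto Networks|PAN-OS|9.0|THREAT|Vulnerability \\| exploit|8|src=10.1.1.9 dst=10.9.9.9 act=drop",
    "<134>Aug 20 10:01:05 host01 sshd[123]: Accepted publickey for ops from 10.1.1.50",
]

HEADER_KEYS = ["DeviceVendor", "DeviceProduct", "DeviceVersion", "SignatureID", "Name", "Severity"]


def _split_header(s, n):
    """Split the first n pipe-delimited CEF header fields, honouring the \\| and \\\\ escapes.
    Returns (fields, remainder) where remainder is the extension part."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < n:
        c = s[i]
        if c == "\\" and i + 1 < len(s) and s[i + 1] in "|\\":
            cur.append(s[i + 1]); i += 2; continue   # escaped pipe or backslash
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return fields, s[i:]


def parse_cef(line):
    """Return a dict with the CEF header fields and an 'ext' dict of key=value
    extensions, or None when the syslog line carries no CEF payload."""
    m = re.search(r"CEF:(\d+)\|", line)
    if not m:
        return None
    fields, ext = _split_header(line[m.end():], len(HEADER_KEYS))
    if len(fields) < len(HEADER_KEYS):
        return None                                   # truncated header
    rec = dict(zip(HEADER_KEYS, fields))
    rec["Version"] = int(m.group(1))
    rec["ext"] = {}
    # Extension keys are whitespace-separated; values may contain spaces and \= escapes.
    for tok in re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        k, _, v = tok.partition("=")
        if k:
            rec["ext"][k] = v.replace("\\=", "=").replace("\\\\", "\\")
    return rec


def demux_by_source(lines):
    """Count events per (DeviceVendor, DeviceProduct); non-CEF lines are bucketed separately."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_cef(line)
        counts[(rec["DeviceVendor"], rec["DeviceProduct"]) if rec else ("non-CEF", "syslog")] += 1
    return dict(counts)
```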

Thanks Nicholas 

So maybe I haven't understood that correctly, or is it a case that I can use a single Linux Collector (in a PoC) for Sentinel and *it* can then be used to collect multiple streams (ASA, BlueCoat & Palo Alto) while it's only destined for the one Sentinel location?

If we were to try and use this for both Sentinel and MCAS, this is when this breaks - we can't use a Linux Collector to stream for two different services... Is this correct?
