Jul 28 2019
- last edited on
Dec 23 2021
Just checking – as we are looking at trying to get more info feeding in to the solution and there is a Bluecoat Proxy + Cisco ASA transferring to Palo Alto.
As there is no “connector” listed for Bluecoat in Sentinel, but there is one listed in MCAS, would it make sense to simply ingest the Bluecoat into MCAS and then have MCAS alerts feed into Sentinel?
While this might not be ideal that Sentinel does not have the raw data, at least it will have the Alerts, and by aggregating the data it will reduce the storage needs in Sentinel?
Would I be correct in thinking that it’s not possible to run a single Linux Connector that can run various tasks in a PoC scenario? So for the Cisco ASA & the Palo Alto we’d likely need two separate Linux Connectors, one for each task?
Jul 29 2019 11:38 AM
It is not suggested to send bluecoat to MCAS then to Sentinel. MCAS will only get the HTTP logs it needs for discovery.
You should send bluecoat logs to a sentinel CEF collector (https://support.symantec.com/us/en/article.tech242216.html) then you would have the raw syslog data in sentinel for use.
You would not be able to run an MCAS log collector and a Sentinel CEF collector on the same box. they both listen on port 514. But for a poc you likely only need 1 sentinel connector to collect from ASA, bluecoat and PAN.
Jul 29 2019 05:50 PM
So maybe I haven't understood that correctly, or is it a case that I can use a single Linux Collector (in a PoC) for Sentinel and *it* can then be used to collect multiple streams (ASA, BlueCoat & Palo Alto) while it's only destined for the one Sentinel location?
If we were to try and use this for both Sentinel and MCAS this is when this breaks - we can't use a Linux Collector to stream for two different services... Is this correct?
Nov 21 2021 09:29 PM
Just coming back on this subject - we are just looking into details on this from a Log Collector point of view for BlueCoat Proxy traffic. From your answer we're getting the impression that there is no point in bringing BC Proxy logs into MCAS - is that because it doesn't really add any value like ID's/Auth, etc?
So it's better to just bring the BC_Proxy logs straight into Sentinel only?