07-Jun-2020 00:39
Hi,
The SIEM wants APM logs in a single line with a few fields.
For now I have used the custom logging agent to log these session variables. Is there a better way to do this, and can using the custom logging agent cause large CPU or resource spikes on the device?
USER %{session.logon.last.username} USER-AGENT: %{session.user.agent} CLIENT-IP: %{session.user.clientip} login-result: %{session.logon.last.result} URI-ACCESS: %{session.policy.result.start_uri} LOGGED_IN_TO_OWA
OUTPUT:
Logging Agent: USER bob USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 CLIENT-IP: 172.22.70.81 LOGGED_IN_TO_OWA
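As an added example (not code from the post or from F5), the following Python shows how the SIEM side can parse the logging-agent line above reliably, and why the posted template is awkward: the User-Agent value contains spaces, colons, semicolons and parentheses, so a naive split on whitespace or ":" breaks. Instead the template itself is compiled into a regex whose literal labels act as delimiters, one named group per session variable, and a record that does not carry every field is rejected rather than mis-parsed. The syslog prefix on the constructed sample line and the short SIEM field names are assumptions for the example; the "login-result: 1" and "URI-ACCESS: /owa/" values are constructed, since the posted output does not show them.

```python
import json
import re

# The custom-logging-agent format string exactly as posted, with APM session
# variables as %{...} placeholders.
TEMPLATE = (
    "USER %{session.logon.last.username} USER-AGENT: %{session.user.agent} "
    "CLIENT-IP: %{session.user.clientip} login-result: %{session.logon.last.result} "
    "URI-ACCESS: %{session.policy.result.start_uri} LOGGED_IN_TO_OWA"
)

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# Short SIEM field names for the session variables (assumed names for this
# example, not an F5 or SIEM convention).
SIEM_NAMES = {
    "session.logon.last.username": "user",
    "session.user.agent": "user_agent",
    "session.user.clientip": "src_ip",
    "session.logon.last.result": "login_result",
    "session.policy.result.start_uri": "uri",
}


def template_to_regex(template):
    """Compile the agent template into a regex with one named group per variable.

    Literal text between placeholders is escaped and used as the delimiter; each
    variable becomes a non-greedy group, so a value that itself contains spaces,
    colons, semicolons or parentheses (the User-Agent string) is still bounded by
    the next literal label. Returns (compiled_regex, [variable names in order]).
    """
    parts = PLACEHOLDER.split(template)  # literal, var, literal, var, ..., literal
    names = []
    pattern = "^.*?"  # tolerate any syslog prefix before the first literal
    for i, part in enumerate(parts):
        if i % 2 == 0:
            pattern += re.escape(part)
        else:
            names.append(part)
            pattern += "(?P<%s>.*?)" % part.replace(".", "_")
    return re.compile(pattern + "$"), names


LINE_RE, VARIABLES = template_to_regex(TEMPLATE)


def parse_line(line):
    """Return {session variable: value} for one log line, or None if the line does
    not carry every field the template promises (a truncated or mangled record)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {name: m.group(name.replace(".", "_")) for name in VARIABLES}


def to_siem_line(fields):
    """Flatten a parsed record into one compact JSON line with short SIEM names."""
    record = {SIEM_NAMES.get(k, k): v for k, v in fields.items()}
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


# Constructed sample: the posted output extended with the two fields the template
# also emits, behind a made-up syslog prefix.
FULL_LINE = (
    "Jun  7 00:39:12 bigip1 notice apmd[1234]: Logging Agent: "
    "USER bob USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 "
    "CLIENT-IP: 172.22.70.81 login-result: 1 URI-ACCESS: /owa/ LOGGED_IN_TO_OWA"
)

# The output exactly as posted: the login-result and URI-ACCESS labels are absent,
# so it does not match the template and is rejected instead of being mis-parsed.
POSTED_LINE = (
    "Logging Agent: USER bob USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 "
    "CLIENT-IP: 172.22.70.81 LOGGED_IN_TO_OWA"
)

if __name__ == "__main__":
    parsed = parse_line(FULL_LINE)
    print(to_siem_line(parsed))
    print(parse_line(POSTED_LINE))
```

The same template_to_regex approach works for any logging-agent format string, as long as every placeholder is followed by a literal label that cannot occur inside the preceding value; a username or URI containing " USER-AGENT: " would still confuse it, which is one reason a key=value or JSON layout with quoted values is easier for a SIEM than free-text labels.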