Forum Discussion

pranav
Joining the Conversation
2 months ago

Multiple events are being received as a single log while pulling the events from CATO using the API

Hi Team,

We are using the cato-toolbox with the cloud RIN to fetch the events from the CATO SASE.

https://github.com/catonetworks/cato-toolbox/tree/main/eventsfeed

With this, we are pulling the events from CATO using the API and forwarding them to the HUB server over a specific port.

But when we pull them, multiple events are delivered as a single log.

As per our SIEM vendor, they cannot split the event log. So can you please let us know if this can be fixed from your side?

4 Replies

  • peter
    Cato Employee

    Hello Pranav,

    Although the API returns events in delimited JSON, the example script outputs the events in "stacked JSON" format, which some SIEM platforms find easier to interpret. If your SIEM instead requires strict JSON, then you have several options:

    • pranav
      Joining the Conversation

      Hi Peter,

      Our SIEM vendor does not require strict JSON. They first used cato-toolbox and had the same issue. Can you please confirm that using catocli will solve the issue of multiple events arriving as a single log?

      • peter
        Cato Employee

        Hello Pranav,

        Without knowing in precise detail the capabilities of the SIEM it is difficult to confirm anything either way. catocli is definitely a good option to try.

        Regards,

        Peter
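The distinction Peter draws above, between a feed of stacked JSON (objects written back to back, often pretty-printed over several lines) and one record per line, is the usual reason a collector listening on a TCP/syslog port shows several events fused into one log. The following is an added example, not code from cato-toolbox, catocli or the Cato API; it re-frames a stacked-JSON stream as newline-delimited JSON so each event lands as one compact line, and it carries a partially received trailing object over to the next chunk instead of dropping or mangling it. The event fields are constructed samples, not the real Cato event schema.

```python
"""Re-frame "stacked JSON" (objects back to back, possibly pretty-printed)
into newline-delimited JSON: one compact event per line.

Added example; not code from cato-toolbox or catocli. Field names below are
constructed samples and do not reflect the real Cato event schema.
"""
import json
from typing import List, Tuple


def split_stacked_json(buffer: str) -> Tuple[List[dict], str]:
    """Decode every complete JSON object at the front of `buffer`.

    Returns (events, remainder). `remainder` is any trailing text that does
    not yet form a complete object (an event cut off at a chunk boundary);
    the caller keeps it and prepends it to the next chunk.
    """
    decoder = json.JSONDecoder()
    events: List[dict] = []
    pos, n = 0, len(buffer)
    while True:
        # Skip the whitespace/newlines that separate stacked objects.
        while pos < n and buffer[pos].isspace():
            pos += 1
        if pos >= n:
            return events, ""
        try:
            obj, end = decoder.raw_decode(buffer, pos)
        except json.JSONDecodeError:
            # Incomplete (or malformed) tail: hand it back unchanged.
            return events, buffer[pos:]
        events.append(obj)
        pos = end


def to_ndjson(events: List[dict]) -> str:
    """One event per line. json.dumps escapes any newline inside a string
    value, so the record itself never contains a raw line break."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)


def forward_chunks(chunks: List[str], max_pending: int = 1_000_000) -> List[str]:
    """Simulate a forwarder reading successive chunks from the feed and
    emitting NDJSON lines. `max_pending` bounds the carried-over fragment so
    a malformed feed cannot make the buffer grow without limit."""
    lines: List[str] = []
    pending = ""
    for chunk in chunks:
        events, pending = split_stacked_json(pending + chunk)
        if len(pending) > max_pending:
            raise ValueError("pending fragment exceeds limit; feed is malformed")
        lines.extend(to_ndjson(events).splitlines())
    return lines


# Constructed sample: a pretty-printed object, a compact one, and a third
# object split across two chunks as if the read ended mid-event.
SAMPLE_CHUNKS = [
    '{\n  "event_type": "Security",\n  "event_sub_type": "Internet Firewall",\n'
    '  "action": "Block"\n}\n'
    '{"event_type": "Connectivity", "action": "Connected"}\n'
    '{"event_type": "Security", "event_sub',
    '_type": "Threat Prevention", "action": "Monitor"}\n',
]

if __name__ == "__main__":
    for line in forward_chunks(SAMPLE_CHUNKS):
        print(line)
```

Run as a script, it prints three lines, one per event, even though the input was a mix of pretty-printed, compact and split objects. The same loop can sit between the API reader and the socket write to the HUB server; with the `max_pending` bound it fails loudly on a corrupt stream rather than silently buffering it.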

  • michaelsaw
    Cato Professional Services

    Hi pranav,

    Just to understand a bit better, would you share an example of the multiple events and the single log?

    Cheers