Multiple events are getting as a single log while pulling the events from the CATO using the API

Question

Hi Team,We are using the cato-toolbox and using the cloud RIN, we are fetching the events from the CATO SASE.https://github.com/catonetworks/cato-toolbox/tree/main/eventsfeedWith this help we are pulling the events from the CATO using the API and forwarding the events to the HUB Server over the specific port.But when we are pulling it was giving multiple events as a single log.As per our SIEM vendor, they cannot split the event log. So can you please let us know if this can be fixed from your side?

peter · Answer

Hello Pranav,
Although the API returns events in delimited JSON, the example script outputs the events in "stacked JSON" format, which some SIEM platforms find easier to interpret. If your SIEM instead requires strict JSON then you have several options:

Modify the example script to do this.
Use a different tool, such as the catocli https://github.com/catonetworks/cato-cli
Engage Cato PS to create a custom script specific for your use case.

pranav · Answer

Hi Peter,Our SIEM vendor does not require strict JSON. They have first used cato toolbox and had the same issue. Can you please confirm using catocli will solve the multiple events as a single log issue?

peter · Answer

Hello Pranav,
Without knowing in precise detail the capabilities of the SIEM it is difficult to confirm anything either way. catocli is definitely a good option to try.
Regards,
Peter

michaelsaw · Answer

Hi pranav,
Just to understand a bit better, would you share an example of multiple events and the single log
Cheers

Forum Discussion

Multiple events are getting as a single log while pulling the events from the CATO using the API

4 Replies

Recent Discussions

DNS Forwarding When Overriding Account-Level DNS Settings

Block access to local/home network for Cato Client – force all traffic through Cato tunnel

DNS Forwarding off Private Access

SDP Users - IPV6

Degraded Sockets in High Availability