Current EVENT logs from the eStreamer client pull the following example record:
Tue Nov 1 23:59:59 2011 sensor_id=66 event_id=26 event_sec=1320217199 event_usec=459249 sid=13249 gen=1 rev=4 class=33 priority=1 src_addr=10.11.12.13 dst_addr=10.31.1.21 src_port=53 dst_port=51211 ip_proto=17 impact_flag=1 pad=1024
The numeric values do not provide the best information. Can you get the RULE record and show the textual message for the rule that fired (sid=13249)? Also retrieve the class=33 text value and the sensor_id=66 hostname value. This would make this app more usable for us.
Thanks.
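The enrichment mlulmer asks for, written out as an added example (this is not the Splunk for Sourcefire app's own code): the script parses the key=value record quoted above and joins gen:sid:rev, class and sensor_id against lookup tables. Only the event line itself is taken from the post; the rule message, classification name and sensor hostname in the tables are constructed placeholders, since the real RULE, classification and sensor records are not reproduced in this thread, and the table names and functions are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# The eStreamer event line quoted in the post above (same shape, copied in).
SAMPLE_RECORD = (
    "Tue Nov 1 23:59:59 2011 sensor_id=66 event_id=26 event_sec=1320217199 "
    "event_usec=459249 sid=13249 gen=1 rev=4 class=33 priority=1 "
    "src_addr=10.11.12.13 dst_addr=10.31.1.21 src_port=53 dst_port=51211 "
    "ip_proto=17 impact_flag=1 pad=1024"
)

# Hypothetical lookup tables. In a real deployment these would be filled from the
# eStreamer RULE, classification and sensor metadata records; the text values here
# are constructed placeholders, not the real message for sid 13249.
RULES = {(1, 13249, 4): "EXAMPLE rule text for 1:13249:4 (placeholder)"}
CLASSIFICATIONS = {33: "example-classification (placeholder)"}
SENSORS = {66: "sensor66.example.internal"}
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split an eStreamer event line into (timestamp prefix, fields dict).

    Everything before the first key=value pair is the sensor-local timestamp.
    Purely numeric values become int; addresses and other tokens stay strings.
    """
    first = KV_RE.search(line)
    if first is None:
        raise ValueError("no key=value fields found in record")
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = int(value) if value.isdigit() else value
    return line[:first.start()].strip(), fields


def enrich(fields, rules=RULES, classes=CLASSIFICATIONS, sensors=SENSORS):
    """Return a copy of fields with human-readable values joined in.

    A Snort/Sourcefire rule is identified by gen:sid:rev, so the join key for
    the rule message uses all three. Unknown keys are reported explicitly rather
    than silently dropped, so a stale lookup table is visible in the output.
    """
    out = dict(fields)
    rule_key = (fields.get("gen"), fields.get("sid"), fields.get("rev"))
    out["rule_msg"] = rules.get(rule_key, "UNKNOWN rule %s:%s:%s" % rule_key)
    out["class_name"] = classes.get(
        fields.get("class"), "UNKNOWN class %s" % fields.get("class"))
    out["sensor_name"] = sensors.get(
        fields.get("sensor_id"), "UNKNOWN sensor %s" % fields.get("sensor_id"))
    out["ip_proto_name"] = IP_PROTO.get(
        fields.get("ip_proto"), str(fields.get("ip_proto")))
    # The free-text timestamp is sensor-local; event_sec/event_usec give an
    # unambiguous UTC time, which is what you want when correlating sensors.
    if isinstance(fields.get("event_sec"), int):
        t = datetime.fromtimestamp(fields["event_sec"], timezone.utc)
        t += timedelta(microseconds=fields.get("event_usec", 0))
        out["event_time_utc"] = t.isoformat()
    return out


def enrich_line(line):
    """Parse and enrich one eStreamer event line."""
    local_ts, fields = parse_record(line)
    enriched = enrich(fields)
    enriched["sensor_local_time"] = local_ts
    return enriched


if __name__ == "__main__":
    for k, v in sorted(enrich_line(SAMPLE_RECORD).items()):
        print("%-18s %s" % (k, v))
```

Inside Splunk the same three joins would normally be expressed as lookups rather than in a script; the script just makes the join keys explicit (the rule join needs gen, sid and rev together, not sid alone). Running it on the quoted record also shows why the epoch fields are worth keeping next to the text timestamp: event_sec=1320217199 is 2011-11-02 06:59:59 UTC, while the sensor printed Tue Nov 1 23:59:59 in its local zone.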
mlulmer - Thank you for your suggestions, I will add these features to the new version of the app.
I just want to let you know that I posted the new version of the Splunk for Sourcefire app (v2.0), which includes your feature request.