Hi,
We are indexing eStreamer logs from sourcefire and have the app, "eStreamer for Splunk" (2.2.1) and add-on, "Splunk Add-on for Cisco FireSIGHT" ( 3.3.2) installed on both Indexer and the Search-heads.
But when searching for sourcetype=eStreamer, I do not see any tags getting added to the events. no eventtypes either. As per the Add-on documentation, IDS events should be tagged as "ids" & "attack".
Also, the following query against the Data model does not return any results.
| datamodel Intrusion_Detection IDS_Attacks search | search sourcetype="eStreamer"
I do see that few fields are correct as per CIM, e.g. ides_type, but not all.
e.g. data still returns with dest_ip instead of dest. This is despite the following fieldalias object being present.
Are we missing any additional setting/configuration or Am i searching the datamodel in a wrong way?
Any help would be appreciated.
Many Thanks,
~ Abhi
(* /var/log/messages ) eStreamer
Check to see of eStreamer is found on your logs related to the application.
From New Search>
I believe to have found the problem.
It appears that both tags and eventtypes are working as expected, but the ones which came with the eStreamer app have permissions set to the app(eStreamer) only. This must be the reason why neither "search & reporting" nor "Enterprise Security" apps could search the eStreamer data against the data model.
Also, some of the field aliases required by the model are only in eStreamer app and not in the add-on(permissions for objects within the addon are global, but do not help towards the data model)
I can try changing the permissions for these objects under "eStreamer" app from App only to Global and that should allow other apps like ES to make use of these tags/eventtypes, but not sure if that is the suggested way to resolve this issue.
Any suggestions?
