FireEye events coming in as pieces

raziasaduddin · ‎01-25-2013

I have FireEye alert events being forwarded to Splunk over UDP:514 syslog and they are coming in as multiple events with unique headers no matter the format (JSON or XML Extended). I would prefer XML Extended. They are not being chopped up at even byte sizes or any recognizable pattern.

Is there any way to fix this that so that the events are sent as one large continuous event?

JSON Example for alert 333333:

Jan 20 01:32:28 122.65.88.13 fenotify-333333.1.alert: { first part of data…
first part of data…
first part of data…

Jan 20 01:32:28 122.65.88.13 fenotify-333333.2.alert: rest of data …
rest of data …
}

Here is a table with the event lengths for a large set of data. Seems like most are in the 1020 range but it’s not consistent.

Length Count %
1025 1550 42.34%
1026 890 24.34%
1024 520 14.19%
1023 352 9.60%
1022 147 4.00%
(… 30 more values omitted)

I am running Splunk on Windows and would rather avoid a pre-processing script that removes the headers and combines the information. There must be some setting in FireEye or it's base CentOS.

interdaemon · ‎01-26-2013

If you install the latest version of the FireEye app and change your notification configuration from rsyslog to HTTP POST w/XML it should resolve your issue (and get you loads more data into Splunk as a side benefit):

http://splunk-base.splunk.com/apps/22354/fireeye

The notification URL you need to use is listed on the splunkbase page as well. If you follow the configuration there you should be g2g. You don't even need to use the app if you don't want to, you really just need the props.conf stuff for the field extractions/transforms.

-- Josh

FireEye events coming in as pieces

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life