eNcore eStreamer 3.6.1 fieldalias not being applied

bmorgenthaler
Path Finder

Deploying eNcore eStreamer 3.6.1, I have found that the field alias for intrusion signatures is not being applied in my searches:

./splunk cmd btool props list cisco:estreamer:data | grep ALIAS
...
FIELDALIAS-estreamer_intrusion_signature = msg AS signature
FIELDALIAS-estreamer_severity = priority AS severity
FIELDALIAS-estreamer_src = src_ip AS src

Attached is a screenshot of one event; you can see that src and severity are there, but there is no signature. Without the field alias, anything in the Intrusion Data Model has unknown for the signature of the attack.

drivascordero
Splunk Employee

I got the same issue but with eStreamer 4.2 and 4.0. If you are using Splunk 7.2 or later, there is a limitation: you can't use two field aliases for the same field. Take a look at the signature aliases:

cisco:estreamer:data : FIELDALIAS-estreamer_intrusion_signature

cisco:estreamer:data : FIELDALIAS-estreamer_malware_signature

You need to remove the overwrite on both Field Aliases.

Regards,

douglashurd
Builder

Thanks for the update. I'll review with our developer.

chawagon03_sti
New Member

Actually, I believe I have fixed the issue I'm having (signature aliases for both the malware and intrusion detection data models).

I've removed the FIELDALIASES that try to create the required fields and replaced them with my own in the local directory...

props.conf

[cisco:estreamer:data]
EVAL-signature = coalesce(msg,detection)
douglashurd
Builder

We've more recently pushed 3.6.8 with more bug fixes.

chawagon03_sti
New Member

This doesn't seem to fix the field aliases. I'm having the EXACT same problem; it only seems to have issues with signature for the intrusion detection data model.

Splunk version: 7.2.6

douglashurd
Builder

3.6.1 has a bug that we discovered on 10/11. We changed default download to 3.5.8. There will be a 3.6.x posted in a few days that will fix the issue.

bmorgenthaler
Path Finder

@douglashurd Does the 3.6.x fixed version also include the missing eventtypes and tags that I mentioned in this question?
