topic Re: eNcore eStreamer 3.6.1 fieldalias not being applied in All Apps and Add-ons

eNcore eStreamer 3.6.1 fieldalias not being applied

bmorgenthaler — Fri, 11 Oct 2019 20:00:09 GMT

Deploying eNcore eStreamer 3.6.1 I have found that the field alias for intrusion signatures is not being applied in my searches:

./splunk cmd btool props list cisco:estreamer:data | grep ALIAS
...
FIELDALIAS-estreamer_intrusion_signature = msg AS signature
FIELDALIAS-estreamer_severity = priority AS severity
FIELDALIAS-estreamer_src = src_ip AS src

Attached is a screenshot for one event, you can see that src and severity are there, but there is no signature. Without the fieldalias, anything in the Intrusion Data Model has unknown for the signature of the attack in it.

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

douglashurd — Mon, 14 Oct 2019 17:54:57 GMT

3.6.1 has a bug that we discovered on 10/11. We changed default download to 3.5.8. There will be a 3.6.x posted in a few days that will fix the issue.

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

bmorgenthaler — Mon, 14 Oct 2019 18:08:02 GMT

@douglashurd Does the 3.6.x fixed version also include the missing eventtypes and tags that I mentioned in this question?

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

douglashurd — Fri, 15 Nov 2019 23:05:52 GMT

we've more recently pushed 3.6.8 with more bug fixes.

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

chawagon03_sti — Thu, 21 Nov 2019 01:36:22 GMT

This doesn't have seem to fix the field aliases.. I'm having the EXACT same problem, only seems to be having issues with signature for intrusion detection data model.

Splunk version: 7.2.6

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

chawagon03_sti — Thu, 21 Nov 2019 02:04:24 GMT

Actually I believe I have fixed the issue I'm having (signature aliases for both malware and intrusion detection data models).

I've removed the FIELDALIASES that try and create the fields required, and replace it with my own in local directory...

props.conf

[cisco:estreamer:data]
EVAL-signature = coalesce(msg,detection)

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

douglashurd — Sat, 23 Nov 2019 00:13:07 GMT

Thanks for the update. I'll review with our developer.

Re: eNcore eStreamer 3.6.1 fieldalias not being applied

drivascordero — Mon, 26 Apr 2021 15:30:22 GMT

I got the same issue but with eStreamer 4.2 and 4.0. If you are using Splunk 7.2 or later, there is a limitation you can't use two field aliases for the same field. Take a look into signature aliase:

cisco:estreamer:data : FIELDALIAS-estreamer_intrusion_signature

cisco:estreamer:data : FIELDALIAS-estreamer_malware_signature

You need to remove the overwrite on both Field Aliases.

Regards,