topic Re: Imperva CEF not parsing header in Splunk Enterprise

Imperva CEF not parsing header

joelggoti — Thu, 18 Jun 2020 16:14:39 GMT

Hi, we have trouble seeing the data, sent by syslog in format cef, from the imperva to splunk. we have Splunk Add-on for Imperva SecureSphere WAF installed.

thanks for your quick response,

regards

Re: Imperva CEF not parsing header

richgalloway — Thu, 18 Jun 2020 16:51:06 GMT

Did you install the Imperva add-on on both the indexer(s)/HF(s) AND the search heads?

Re: Imperva CEF not parsing header

joelggoti — Thu, 18 Jun 2020 16:57:24 GMT

Thanks for answering, we have a single instance and everything is installed.

Re: Imperva CEF not parsing header

marycordova — Thu, 18 Jun 2020 17:18:52 GMT

The mangled part of the log event is the syslog header, the part that has the timestamp host/ip etc, something like the below googled sample:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com cef stuff here

I think if you take a look at your syslog configuration on Imperva and any intermediary systems supporting your syslog transport you should be able to find the issue.

- upvotes appreciated 🤓

Re: Imperva CEF not parsing header

richgalloway — Thu, 18 Jun 2020 17:30:50 GMT

Is there a setting in Imperva where the binary data in the CEF events can be removed?

Re: Imperva CEF not parsing header

joelggoti — Thu, 18 Jun 2020 18:12:26 GMT

i use this message:

CEF:0|Imperva Inc.|SecureSphere|[SecureSphere version #] |${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate (${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description

regards

Re: Imperva CEF not parsing header

marycordova — Thu, 18 Jun 2020 18:19:05 GMT

this is the configuration in Imperva correct? webUI or something? where is it getting sent to? is this a blackbox Imperva installation or are you running on your own *nix server? the syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.

what you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between Imperva config to Splunk input.

Re: Imperva CEF not parsing header

joelggoti — Thu, 18 Jun 2020 18:28:15 GMT

yes, this is the message in the configuration in the imperva box.

I will search and validate the configuration in the imperva and I will notify you. Thanks a lot