topic Re: Can't Extract CEF Fields in Distributed Environment in Getting Data In

Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 13:34:23 GMT

Hello to all.

I am using the CEF Extraction TA for extracting CEF fields in a FireEye log. When I test this on a standalone system with Indexer and Search Head, the cs#Label fields extract correctly.

As soon as I put this in an environment with a Heavy Forwarder, Indexer, and Search Head distributed (or even just Indexer and Search Head)., the fields will not extract.

I am at my wit's end here.

Help? Thanks!

Re: Can't Extract CEF Fields in Distributed Environment

gcusello — Wed, 15 Feb 2023 13:36:43 GMT

Hi @aferone,

where did you install the TA?

You have to mandatory install it on HF and SH, I usually install it also on Indexers but it isn't mandatory (as the others).

Ciao.

Giuseppe

Re: Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 13:38:19 GMT

Hello Giuseppe,

Yes, it is currently installed on all 3, actually.

Thanks!

Re: Can't Extract CEF Fields in Distributed Environment

gcusello — Wed, 15 Feb 2023 13:40:29 GMT

Hi @aferone,

check the sourcetype assigned in your input and verify if it's the same requested in TA's props.conf.

Ciao.

Giuseppe

Re: Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 13:41:49 GMT

I actually copied the props and transforms stanzas from the TA and applied them to the sourcetype in which we need to extract from.

Re: Can't Extract CEF Fields in Distributed Environment

gcusello — Wed, 15 Feb 2023 13:49:02 GMT

Hi @aferone,

I suppose that you assigned the "cefevents" sourcetype to your input.

Why aren't you using the TA, only adding the inputs.conf?

Then, You said that youìre using this TA for FireEye, did you explored the dedicated TA for FireEye (https://splunkbase.splunk.com/app/1904)?

There are some restrictions:

When you should not use this TA: This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. Single Splunk install -- no forwarders or separate indexers) Instead just install the app located here: https://apps.splunk.com/app/1845 When you should use this TA: This TA supports the FireEye_v3 app. It does not contain any dashboards and should be installed on Splunk indexers while the app itself installed on the search head.

but maybe it's better for your distributed environment.

ciao.

Giuseppe

Re: Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 13:51:38 GMT

Surprisingly, the FireEye TA will extract the CEF headers but not the other cs#Label fields. This is why we are going down this road. 🙂

Re: Can't Extract CEF Fields in Distributed Environment

gcusello — Wed, 15 Feb 2023 13:56:42 GMT

Hi @aferone,

really strange!

anyway, I suppose that you assigned the "cefevents" sourcetype to your input.

Why aren't you using the TA, only adding the inputs.conf, instead taking props.conmf and transforms.conf?

Ciao.

Giuseppe

Re: Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 13:58:11 GMT

Because we don't want to assign FireEye events to a sourcetype of "cefevents". "cefevents" is too broad and doesn't mean anything.

Re: Can't Extract CEF Fields in Distributed Environment

gcusello — Wed, 15 Feb 2023 14:00:49 GMT

Hi @aferone,

Ok, correct.

I suppose that you created a new add-on with a different sourcetype and you deployed this TA to all machines.

what's the sourcetype of the events not correctly parsed?

Ciao.

Giuseppe

Re: Can't Extract CEF Fields in Distributed Environment

aferone — Wed, 15 Feb 2023 14:50:04 GMT

I'm starting to wonder if the FIreEye TA, which also has "hx_cef_syslog", is conflicting because that is also installed.