All Apps and Add-ons

Are bytes_in & bytes_out inverted in eStreamer Add-on?

gordo32
Communicator

@douglashurd I had eStreamer Add-on v5.1.3 installed and believe the bytes-in/bytes-out and packets-in/packets-out are inverted.

From cisco:firepower:syslog

raw event - SrcIP: [Internet-IP], DstIP: [Firewall-IP], InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_received = 0, bytes_out = 54,

From cisco:estreamer:data

raw event - src_ip= [Internet-IP], dest_ip= [Firewall-IP], src_pkts=1, dst_pkts=0, src_bytes=54, dest_bytes=0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_in=1, packets_out=0, bytes_in=54, bytes_out=0

As you can see in the parsed events, the syslog event indicates 54 bytes sent outbound, while the eStreamer log indicates the bytes are inbound.

I believe the raw logs in both cases indicate that the bytes were sent outbound, so I think the cisco:estreamer:data parser may be incorrect here.

Thanks,

Gord T.

0 Karma
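One way to verify a suspected direction swap like the one described above is to normalize the same connection from both sourcetypes into CIM field names and diff them. The following is an added example, not code from the post or from the eStreamer Add-on: the field mappings are inferred from the parsed fields quoted in the post, the IP addresses are constructed placeholders, and the syslog packet fields are assumed to follow the same initiator=out / responder=in convention as its bytes fields.

```python
import re

# Constructed sample events modelled on the post (placeholder IPs, same counters).
SYSLOG_RAW = ("SrcIP: 203.0.113.10, DstIP: 192.0.2.1, InitiatorPackets: 1, "
              "ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0")
ESTREAMER_RAW = ("src_ip= 203.0.113.10, dest_ip= 192.0.2.1, src_pkts=1, "
                 "dst_pkts=0, src_bytes=54, dest_bytes=0")

# Syslog parser convention seen in the post: initiator = outbound, responder = inbound.
# (Packet field names are an assumption; the post only shows packets_received.)
SYSLOG_MAP = {"InitiatorBytes": "bytes_out", "ResponderBytes": "bytes_in",
              "InitiatorPackets": "packets_out", "ResponderPackets": "packets_in"}
# Mapping the cisco:estreamer:data parser appears to apply, per the parsed fields quoted.
ESTREAMER_AS_SHIPPED = {"src_bytes": "bytes_in", "dest_bytes": "bytes_out",
                        "src_pkts": "packets_in", "dst_pkts": "packets_out"}
# Mapping that would make eStreamer agree with the syslog parser (assumed fix).
ESTREAMER_CORRECTED = {"src_bytes": "bytes_out", "dest_bytes": "bytes_in",
                       "src_pkts": "packets_out", "dst_pkts": "packets_in"}


def kv_pairs(raw: str) -> dict:
    """Split comma-separated 'key: value' / 'key=value' pairs (both raw formats)."""
    pairs = (re.split(r"[:=]", field, maxsplit=1) for field in raw.split(","))
    return {k.strip(): v.strip() for k, v in pairs}


def normalize(raw: str, mapping: dict) -> dict:
    """Rename vendor counters to CIM names and coerce them to integers."""
    fields = kv_pairs(raw)
    return {cim: int(fields[vendor]) for vendor, cim in mapping.items()}


def direction_mismatches(a: dict, b: dict) -> list:
    """CIM fields whose values differ between two normalizations of one connection."""
    return sorted(k for k in a if a[k] != b.get(k))


def check_addon_mapping() -> dict:
    """Diff syslog against eStreamer under the shipped and the corrected mapping."""
    syslog = normalize(SYSLOG_RAW, SYSLOG_MAP)
    shipped = normalize(ESTREAMER_RAW, ESTREAMER_AS_SHIPPED)
    fixed = normalize(ESTREAMER_RAW, ESTREAMER_CORRECTED)
    return {"shipped": direction_mismatches(syslog, shipped),
            "corrected": direction_mismatches(syslog, fixed)}


if __name__ == "__main__":
    for label, bad in check_addon_mapping().items():
        print(f"{label}: {'OK' if not bad else 'mismatch in ' + ', '.join(bad)}")
```

Running the same diff over a sample of real events from both sourcetypes (matched on src_ip, dest_ip and time) turns the suspicion into a measurable error rate rather than a single anecdote.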