Are bytes_in & bytes_out inverted in eStreamer Add-on?


@douglashurd I had eStreamer Add-on v5.1.3 installed and believe the bytes-in/bytes-out and packets-in/packets-out are inverted.

From cisco:firepower:syslog

raw event - SrcIP: [Internet-IP], DstIP: [Firewall-IP], InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_received = 0, bytes_out = 54,

From cisco:estreamer:data

raw event - src_ip= [Internet-IP], dest_ip= [Firewall-IP], src_pkts=1, dst_pkts=0, src_bytes=54, dest_bytes=0

parsed fields - src_ip = [Internet-IP], dest_ip = [Firewall-IP], packets_in=1 , packets_out=0, bytes_in=54, bytes_out=0

As you can see in the parsed events, the syslog event indicates 54 bytes sent outbound, while the eStreamer log indicates the bytes are inbound.

I believe the raw logs in both cases indicate that the bytes were sent outbound, so I think the cisco:estreamer:data parser may be incorrect here.


Gord T.
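A small consistency check, added here as an example and not part of the post or of the eStreamer Add-on: it parses both raw event shapes shown above (the `Key: value` syslog form and the `key=value` eStreamer form) into direction-neutral initiator/responder counters, derives `bytes_in`/`bytes_out`/`packets_in`/`packets_out` under one stated convention, and reports where each add-on's parsed fields disagree with that derivation. The convention (initiator-sent traffic is "out", responder-sent traffic is "in") is an assumption chosen to match what the syslog parser in the post produced; the IP addresses are constructed documentation-range values standing in for `[Internet-IP]` and `[Firewall-IP]`.

```python
import re

# Constructed sample events, shaped like the two raw events in the post.
# Addresses are RFC 5737 documentation values, not real hosts.
SYSLOG_RAW = ("SrcIP: 203.0.113.10, DstIP: 192.0.2.1, InitiatorPackets: 1, "
              "ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0")
ESTREAMER_RAW = ("src_ip=203.0.113.10, dest_ip=192.0.2.1, src_pkts=1, "
                 "dst_pkts=0, src_bytes=54, dest_bytes=0")

# The field values each add-on parser emitted for those events, as quoted in the post.
SYSLOG_PARSED = {"bytes_out": 54, "packets_received": 0}
ESTREAMER_PARSED = {"packets_in": 1, "packets_out": 0, "bytes_in": 54, "bytes_out": 0}

# Matches "Key: value" and "key=value" pairs separated by commas.
KV_RE = re.compile(r"(\w+)\s*[:=]\s*([^,]+)")

# Raw key names from each source mapped to direction-neutral counter names.
RAW_KEY_MAP = {
    "syslog": {
        "InitiatorPackets": "initiator_pkts", "ResponderPackets": "responder_pkts",
        "InitiatorBytes": "initiator_bytes", "ResponderBytes": "responder_bytes",
    },
    "estreamer": {
        "src_pkts": "initiator_pkts", "dst_pkts": "responder_pkts",
        "src_bytes": "initiator_bytes", "dest_bytes": "responder_bytes",
    },
}


def parse_kv(raw):
    """Split a raw event into a dict of string values."""
    return {key: value.strip() for key, value in KV_RE.findall(raw)}


def normalize(raw, source):
    """Return initiator/responder packet and byte counters for a raw event."""
    kv = parse_kv(raw)
    return {neutral: int(kv[key]) for key, neutral in RAW_KEY_MAP[source].items()}


def to_cim(counters):
    """Derive CIM-style directional fields.

    Assumption (not from the add-on): bytes the initiator sent are bytes_out,
    bytes the responder sent are bytes_in. This matches the syslog parser's
    output in the post; which convention is correct depends on the
    perspective the add-on documents, so treat this as the comparison basis only.
    """
    return {
        "bytes_out": counters["initiator_bytes"],
        "bytes_in": counters["responder_bytes"],
        "packets_out": counters["initiator_pkts"],
        "packets_in": counters["responder_pkts"],
    }


def mismatches(expected, parsed):
    """Fields present in both dicts whose values disagree, as {field: (expected, parsed)}."""
    return {f: (expected[f], parsed[f]) for f in expected
            if f in parsed and expected[f] != parsed[f]}


if __name__ == "__main__":
    for name, raw, parsed in (("syslog", SYSLOG_RAW, SYSLOG_PARSED),
                              ("estreamer", ESTREAMER_RAW, ESTREAMER_PARSED)):
        diff = mismatches(to_cim(normalize(raw, name)), parsed)
        print(name, "OK" if not diff else diff)
```

Run against the two events, the syslog parser's fields agree with the derivation while every directional field from the eStreamer parser is swapped, which is the discrepancy the post describes; the same check can be pointed at a sample of real events from both sourcetypes to confirm the pattern holds beyond one session.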
