Hi
I am sending CrowdStrike Streaming data to Splunk in CEF format. Sample log pasted below.
How do I get Splunk to recognize all the CEF fields from this stream?
6/25/19
6:26:31.000 PM
CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=10.xx.13.xxx duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=354 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Jun 25 2019 18:26:31 rt=1561512391596
host = 10.xx.130.xxx source = tcp:6514 sourcetype = cef_data_stream
6/25/19
6:25:31.000 PM
CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1|cat=AuthActivityAuditEvent destinationTranslatedAddress=10.xx.11.190 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=353 outcome=true deviceCustomDate1Label=Timestamp deviceCustomDate1=Jun 25 2019 18:25:30 rt=1561512330948
host = 10.xx.130.xxx source = tcp:6514 sourcetype = cef_data_stream
There are TAs and other apps for CrowdStrike, but I wasn't able to get them working. Splunk receives the logs correctly but isn't able to parse all CEF log fields correctly.
It only parses the following three:
host = 10.xx.130.xxx source = tcp:6514 sourcetype = cef_data_stream.
Thanks!
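The two quoted events show why generic key=value extraction leaves most CEF fields unparsed: the header is seven pipe-delimited fields after "CEF:", and extension values such as "CrowdStrike Authentication" or "Jun 25 2019 18:26:31" contain spaces, so a value only ends where the next " key=" begins. The parser below is an added example, not code from the thread, Splunk, or CrowdStrike; it applies the ArcSight CEF escaping rules (a backslash before "|" in the header and before "=", "\", "n" or "r" in extension values), resolves the cnNLabel/deviceCustomDateNLabel convention into named fields, and runs over the two sample lines from the question (copied with the poster's own "xx" masking). Any regex-based field extraction in Splunk would need to follow the same two rules to capture these fields whole.

```python
import re

# Constructed sample events, copied from the two lines quoted in the thread
# (the masked "xx" octets are the poster's redaction, kept as-is).
SAMPLE_EVENTS = [
    "CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1|"
    "cat=AuthActivityAuditEvent destinationTranslatedAddress=10.xx.13.xxx duser=Customer "
    "deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=354 outcome=true "
    "deviceCustomDate1Label=Timestamp deviceCustomDate1=Jun 25 2019 18:26:31 rt=1561512391596",
    "CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1|"
    "cat=AuthActivityAuditEvent destinationTranslatedAddress=10.xx.11.190 duser=Customer "
    "deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=353 outcome=true "
    "deviceCustomDate1Label=Timestamp deviceCustomDate1=Jun 25 2019 18:25:30 rt=1561512330948",
]

# Names for the six header fields that follow the CEF version.
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A pipe not preceded by a backslash terminates a header field.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs: the value runs (lazily) until the next " key=" token or the
# end of the line, so values containing spaces are kept whole.
_KV = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape_header(s):
    """Header fields may escape '|' and '\\' with a backslash."""
    return re.sub(r"\\([\\|])", r"\1", s)


def _unescape_value(s):
    """Extension values may escape '=', '\\', newline and carriage return."""
    table = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}
    return re.sub(r"\\([\\=nr])", lambda m: table[m.group(1)], s)


def parse_cef(line):
    """Parse one CEF event (an optional syslog prefix before 'CEF:' is ignored).

    Returns {"header": {...}, "extension": {...}, "labeled": {...}} where
    "labeled" maps custom-field labels (cn3Label=Offset) to their values.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    parts = _UNESCAPED_PIPE.split(line[start:].rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")

    header = {"version": parts[0][len("CEF:"):]}
    for name, raw in zip(HEADER_FIELDS, parts[1:7]):
        header[name] = _unescape_header(raw)

    extension = {m.group("key"): _unescape_value(m.group("val"))
                 for m in _KV.finditer(parts[7].strip())}

    # cnNLabel / deviceCustomDateNLabel give the human name of cnN / deviceCustomDateN.
    labeled = {}
    for key, label in extension.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in extension:
            labeled[label] = extension[base]

    return {"header": header, "extension": extension, "labeled": labeled}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        parsed = parse_cef(event)
        print(parsed["header"]["name"], parsed["extension"]["duser"], parsed["labeled"])
```

Running the script prints the signature name, the duser value and the resolved custom labels for each sample; the interesting check is that deviceProcessName comes back as the full "CrowdStrike Authentication" and deviceCustomDate1 as the full timestamp, which is exactly what a whitespace-terminated extraction would truncate.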
We use the CrowdStrike app, which works perfectly fine (sending data in a test environment). The only CEF format I have used in the past is from CyberArk. https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Setup
You can refer to the above document.