
FireEye Add-on for Splunk Enterprise: Why is some data from FireEye logs missing in the events indexed in Splunk?

kranthi851
New Member

Hi

We are getting FireEye logs in XML format over syslog (TCP). I see that some of the information is missing in the events in Splunk. Did anyone have this issue?

Event in Splunk: (screenshot, not reproduced)

Actual alert:

alerts: 
  msg: extended
  product: CMS
  version: XXXXXXXXX
  appliance: XXXXXXXX
  appliance-id: XXXXXXX
  alert (id:XXXXXX, name:domain-match): 
    product: Web MPS
    appliance-id: XXXXXXX
    severity: crit
    root-infection: XXXXX
    version: XXXXX
    sensor-ip: 1XXXXX
    sensor: XXXXXX
    explanation: 
      protocol: udp
      analysis: content
      malware-detected: 
        malware (name:Trojan.APT.Mand.DNS): 
          stype: blacklist
          sid: XXXXXX
      cnc-services: 
        cnc-service: 
          protocol: udp
          port: XX
          address: ab.org
    src: 
      vlan: 4
      ip: XXXXXXX
      host: XXXXXXXX
      port: XXXXXX
      mac: XXXXXXXX
    dst: 
      mac: XXXXXXXXX
    occurred: 2016-08-03 17:45:27+00
      mode: tap
      label: A1
    interface (mode:tap, label:A1): pether3
    alert-url: XXXXXXX
    action: notified
1 Solution

TonyLeeVT
Builder

We figured out the issue and wanted to close the loop here. At this time, we still do not recommend sending events from the CM for a number of reasons. One of those reasons is loss of fidelity.

Please see our recommendation at the top of our details page on Splunkbase:

"Note: Send events from the LMS appliances -- not from the CM appliance"
Source: https://splunkbase.splunk.com/app/1845/#/details

If this advice changes, we will update the details page and add CM as a category on the main analytics dashboard. I hope that helps.

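Added example, not code from this thread or from the FireEye add-on: a small Python script that flattens a FireEye-style XML alert into dotted field paths and diffs two copies of the same alert, so the "loss of fidelity" named in the solution can be checked field by field instead of by comparing a screenshot against the appliance output. The XML layout is constructed to mirror the tree shown in the question; which values are attributes rather than child elements, every placeholder value, the syslog header, and the truncated second copy (it illustrates a missing subtree, not what the CM actually strips) are all assumptions.

```python
"""Flatten FireEye-style XML alerts into dotted field paths and diff two copies.

Added example, not code from the thread or from the FireEye add-on. The XML
layout is constructed to mirror the tree shown in the question; attribute vs.
child-element placement, all values, and the syslog header are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one syslog line carrying an "extended" XML alert.
SAMPLE_SYSLOG_LINE = (
    "<13>Aug  3 17:45:27 cms01 fenotify-1001.alert: "
    '<?xml version="1.0" encoding="utf-8"?>'
    '<alerts appliance="cms01" appliance-id="CMS-ID" msg="extended" '
    'product="CMS" version="7.x">'
    '<alert id="1001" name="domain-match" product="Web MPS" appliance-id="MPS-ID" '
    'severity="crit" root-infection="1001" version="7.x" sensor-ip="10.0.0.5" sensor="mps01">'
    '<explanation protocol="udp" analysis="content">'
    '<malware-detected><malware name="Trojan.APT.Mand.DNS">'
    '<stype>blacklist</stype><sid>12345</sid></malware></malware-detected>'
    '<cnc-services><cnc-service><protocol>udp</protocol><port>53</port>'
    '<address>ab.org</address></cnc-service></cnc-services>'
    '</explanation>'
    '<src><vlan>4</vlan><ip>10.1.2.3</ip><host>victim-pc</host>'
    '<port>51234</port><mac>00:11:22:33:44:55</mac></src>'
    '<dst><mac>66:77:88:99:aa:bb</mac></dst>'
    '<occurred>2016-08-03 17:45:27+00</occurred>'
    '<interface mode="tap" label="A1">pether3</interface>'
    '<alert-url>https://mps01.example/alert/1001</alert-url>'
    '<action>notified</action>'
    '</alert></alerts>'
)

# Constructed second copy of the same alert with the <explanation> and <dst>
# subtrees absent. It stands in for a lower-fidelity copy of the event; it is
# NOT a record of what the CM actually drops.
SAMPLE_TRUNCATED_XML = (
    '<alerts appliance="cms01" appliance-id="CMS-ID" msg="extended" '
    'product="CMS" version="7.x">'
    '<alert id="1001" name="domain-match" severity="crit">'
    '<src><vlan>4</vlan><ip>10.1.2.3</ip></src>'
    '<occurred>2016-08-03 17:45:27+00</occurred>'
    '<action>notified</action>'
    '</alert></alerts>'
)


def strip_syslog_header(line: str) -> str:
    """Return the XML payload of a syslog line; the header ends where XML begins."""
    for marker in ("<?xml", "<alerts"):
        idx = line.find(marker)
        if idx != -1:
            return line[idx:]
    raise ValueError("no FireEye XML payload found in line")


def flatten_alert(xml_text: str) -> dict:
    """Flatten the tree into {'alerts.alert.src.ip': '10.1.2.3', ...}.

    Attributes become 'path.@attr'; element text becomes 'path'. Repeated
    siblings (e.g. several <malware> entries) get a [n] suffix so nothing collides.
    """
    root = ET.fromstring(xml_text)
    fields = {}

    def walk(elem, path):
        for attr, value in elem.attrib.items():
            fields[f"{path}.@{attr}"] = value
        text = (elem.text or "").strip()
        if text:
            fields[path] = text
        counts = {}
        for child in elem:
            counts[child.tag] = counts.get(child.tag, 0) + 1
        seen = {}
        for child in elem:
            if counts[child.tag] > 1:
                n = seen.get(child.tag, 0)
                seen[child.tag] = n + 1
                walk(child, f"{path}.{child.tag}[{n}]")
            else:
                walk(child, f"{path}.{child.tag}")

    walk(root, root.tag)
    return fields


def missing_fields(reference: dict, received: dict) -> dict:
    """Fields present in the reference copy but absent or changed in the received one."""
    return {k: v for k, v in reference.items() if received.get(k) != v}


def compare_copies(reference_line: str, received_line: str) -> dict:
    """Flatten both copies (with or without a syslog header) and report what was lost."""
    reference = flatten_alert(strip_syslog_header(reference_line))
    received = flatten_alert(strip_syslog_header(received_line))
    return missing_fields(reference, received)


if __name__ == "__main__":
    lost = compare_copies(SAMPLE_SYSLOG_LINE, SAMPLE_TRUNCATED_XML)
    for path, value in sorted(lost.items()):
        print(f"missing: {path} = {value}")
```

To use it on a real deployment, capture the same alert twice (once as the LMS sends it, once as the CM forwards it, or the `_raw` of the indexed event) and pass both strings to `compare_copies`; an empty result means no fields were lost in transit, and anything else names exactly which paths the dashboards can no longer populate.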

TonyLeeVT
Builder

When you say "some data from FireEye logs missing"... Are you referring to the Splunk app dashboards not displaying all of the data contained within the XML packet? Or are you referring to the fact that some data did not make it over to the Splunk app?

Can we narrow the issue down to one of the following: display vs. data sent?


kiran331
Builder

The data is not getting into Splunk.


TonyLeeVT
Builder

Can you send me an email via Help -> Send Feedback within the Splunk app so we can troubleshoot and then post the answer back here? Thanks.
