All Apps and Add-ons

FireEye Add-on for Splunk Enterprise: Why is some data from FireEye logs missing in the events indexed in Splunk?

kranthi851
New Member

Hi

We are getting FireEye logs in XML format over SYSLOG - TCP. I see some of the information is missing in the events in Splunk. Did anyone had this issue?

Event in splunk:
alt text

Actual alert;

alerts: 
  msg: extended
  product: CMS
  version: XXXXXXXXX
  appliance:XXXXXXXX
  appliance-id: XXXXXXX
  alert (id:XXXXXX, name:domain-match): 
    product: Web MPS
    appliance-id: XXXXXXX
    severity: crit
    root-infection: XXXXX
    version: XXXXX
    sensor-ip: 1XXXXX
    sensor: XXXXXX
    explanation: 
      protocol: udp
      analysis: content
      malware-detected: 
        malware (name:Trojan.APT.Mand.DNS): 
          stype: blacklist
          sid: XXXXXX
      cnc-services: 
        cnc-service: 
          protocol: udp
          port: XX
          address: ab.org
    src: 
      vlan: 4
      ip: XXXXXXX
      host: XXXXXXXX
      port: XXXXXX
      mac: XXXXXXXX
    dst: 
      mac: XXXXXXXXX
    occurred: 2016-08-03 17:45:27+00
      mode: tap
      label: A1
    interface (mode:tap, label:A1): pether3
    alert-url: XXXXXXX
    action: notified
0 Karma
1 Solution

TonyLeeVT
Builder

We figured out the issue and wanted to close the loop here. At this time, we still do not recommend sending events from the CM for a number of reasons. One of those reasons is loss of fidelity.

Please see our recommendation at the top of our details page on Splunkbase:

"Note: Send events from the LMS appliances -- not from the CM appliance"
Source: https://splunkbase.splunk.com/app/1845/#/details**

If this advice changes, we will update the details page and add CM as a category on the main analytics dashboard. I hope that helps.

View solution in original post

TonyLeeVT
Builder

We figured out the issue and wanted to close the loop here. At this time, we still do not recommend sending events from the CM for a number of reasons. One of those reasons is loss of fidelity.

Please see our recommendation at the top of our details page on Splunkbase:

"Note: Send events from the LMS appliances -- not from the CM appliance"
Source: https://splunkbase.splunk.com/app/1845/#/details**

If this advice changes, we will update the details page and add CM as a category on the main analytics dashboard. I hope that helps.

TonyLeeVT
Builder

When you say "some data from FireEye logs missing"... Are you referring to the Splunk app dashboards not displaying all of the data contained within the XML packet? Or are you referring to the fact that some data did not make it over to the Splunk app?

Can we narrow the issue down to one of the following?
Display vs. Data sent

0 Karma

kiran331
Builder

The data is not getting in to splunk

0 Karma

TonyLeeVT
Builder

Can you send me an email via Help -> Send Feedback within the Splunk app so we can troubleshoot and then post the answer back here? Thanks.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...