Luke,
Probably scenario 1 is what we are looking at when talking about logs from IDS, Firewalls, Mcafee, Windows, etc. So translation is probably necessary however even with this we still have the problem of delivery, timing and performance monitoring.

I have feedback from others out in the field regarding the SPLUNK to ArcSight integration:

"Two things it doesn't seem to address is the timing issues and health monitoring. It's aim is to fix the formatting issues so you can use a standard ArcSight connector in a standard configuration but it doesn't seem to address any other the other issues with relaying events through Splunk.

Two of the biggest problems with relaying your events through Splunk is the timing issues it creates with late events and the lack of device/health monitoring that you would normally have if you were getting it straight from a An ArcSight connector.

I can elaborate further if needed but it is my understanding that the Splunk CEF app only addresses formatting it doesn't address delivery, event time or health monitoring issues which plague that configuration."

Spot on and thank you.

Hi Luke & danje57,

I am doing a similar setup log source (not CEF) -> SPlunk -> Log output (CEF) and could not make this work... do you guys have any updates or have seen such setup that worked?

Anybody on this thread ever been able to get the Splunk App for CEF to work properly? I have been working with Splunk support for two months now, and they can't make it work?

@tlmayes: What version of CEF are you using?

Version 2.0.0

@tlmayes: Could you create a new post with the particulars of the issue you are seeing?

To your question about creating a new post, already there. Posted back in May

https://answers.splunk.com/answers/529140/cef-output-forwarding-everything-from-all-indexes.html

Ultimately trying to forward events from a Splunk index to ArcSight, which requires CEF format. Going through the installation process on stand-alone host, everything works fine, i.e. the "dummy" ArcSight server receives the exact CEF formatted event as expected.

Duplicating the process on a clustered production environment: Create the datamodel/dataset, map the fields, etc, import the created App to each of the clustered indexers, restart the indexers (required), and wait..... this time the dummy ArcSight server receives 100% of everything (and no CEF formatted data).

The only difference from my perspective is clustering vs. no clustering, and separation between indexers and SH's (test was on standalone all-in-one).

Regarding your comment above: "The App's implementation of CEF is defined by a user-editable file at lookups/cef_inventory.csv so that you can address any drift introduced by your organization or HP;"

Are you telling me that this .csv file is being used to correct delivery, timing and performance monitoring issues that have been plaguing this configuration today out in the field?

Do you have evidence of that? Do you know of any SPLUNK ----> ArcSight implementations that have been stood up and working now in the field without any of these timing or delivery issues mentioned above?

CSV will not solve these issue. But with it you can modify CEF format on the fly

If you can modify the SPLUNK CEF output to match the ArcSight CEF output it's good but if the date/time stamps and delivery is off, then you are looking at data integrity issues.

This is not good for correct data results especially in the security field where requests are made daily for information based on date/time periods.

In short, SPLUNK App for CEF does not appear to be all the way there yet. It doesn't appear to be 100% reliable for what it's supposed to be doing.

Ok, I think I see what you mean now. Just added an answer outlining the two use cases.

Luke,
Scenario 2 assumes that the SPLUNK output is a common event format for all systems.

This is not exactly correct because the SPLUNK CEF is different than the ArcSight CEF so you still need special formatting from the SPLUNK output EVEN IF the original Log source was in a CEF format.

At this point CEF becomes subjective as to which is the correct CEF.

ArcSight Inc. is considered the originators of the Common Event Format with their flagship SEIM product ArcSight ESM. From there came a lot of copycats of which SPLUNK was one of them.

SPLUNK CEF does not follow the same standard as ArcSight CEF who originated it. Therefore, special formatting needs to be done in order to make the SPLUNK out put match the ArcSight CEF format thus the reason that the SPLUNK app for CEF was developed.

The delivery, timing and performance monitoring issues still exist however even when the SPLUNK output is formatted for CEF data.

The question I have is can SPLUNK app for CEF create a true, clean data stream that can be channeled to Arcsight without all the above mentioned issues?

Is there any way that SPLUNK can look at some of these data integrity issues when trying to integrate with ArcSight?

Hi,

we've included a CEF mapping as provided by Hewlett Packard's publicly posted standard, but can certainly understand that actual implementation drifts from published standards, particularly when the product allows local customization. The App's implementation of CEF is defined by a user-editable file at lookups/cef_inventory.csv so that you can address any drift introduced by your organization or HP; no restart of Splunk is necessary.

Yes, as danje57 explains below.

The goal is to take the SPLUNK output and send it to ArcSight for correlation and monitoring.

Do you have a better way to do this without using the SPLUNK cef app?