
SPLUNK App for CEF: Do you have to map every event one by one or is there a way to get a full export of Splunk data all at once?

jtsapos
Explorer

According to the SPLUNK App for CEF documentation:

3) Use the guided search wizard included in the Splunk App for CEF to define what the output will look like in CEF by selecting a data model, mapping data model attributes to fields where necessary (a good amount of this work will be done automatically), creating any new static fields you need, and defining the name of the syslog receiver that will receive the data.

4) Using the search description that you defined with the Splunk App for CEF, Splunk Enterprise writes the data in CEF to the syslog receiver you specified, for use by HP ArcSight or another compatible tool.

You mention that the SPLUNK app for CEF provides a continuous export of the data from SPLUNK which sounds great, but the question I have on this is "Do you have to map every event one by one first or is there some way to just get a full export of the SPLUNK data all at once?"

Thanks in advance.

LukeMurphey
Champion

I'm confused on why you would use Splunk App for CEF as well as the CIM extraction utilities. Are you saying that you just want to ingest CEF events into Splunk and then send them on to another device (in the same format)?

0 Karma

LukeMurphey
Champion

BTW: if that is the case, I think a much simpler solution exists. I'll provide an answer if you confirm that is the scenario you are looking to fulfill.

0 Karma

jtsapos
Explorer

From your comment above: "I mean, we have to indicate to SACEF all data sources to translate into the CEF format. This mean that we need to modify the Data Model for each new sourcetype we want to translate in to CEF."

Even if you can somehow get these data models configured correctly you still have timing and delivery issues as well as health monitoring issues...

For security monitoring you cannot sacrifice accurate event times or correct delivery of events. You will have loss of data integrity which is unacceptable when reporting security events.

Is there any way that SPLUNK can look at some of these data integrity issues when trying to integrate with ArcSight?

Does the SPLUNK team agree or disagree that there are data integrity issues with the SPLUNK ---> ArcSight integration?

Any feedback is appreciated. Thanks

0 Karma

danje57
Path Finder

Yes, I agree.

I read a doc that explains how to use a heavy forwarder for such a thing... but it doesn't support CEF...

I don't know if a Splunk Professional Services person reads the forum to explain how to deal with these difficulties...

0 Karma

jcoates_splunk
Splunk Employee

Thank you, I've updated the docs to try and clarify the point of confusion about what App for CEF does.

It's not accurate to say that you need to alter your data model for every sourcetype that you want to send... rather you might add a transform to that sourcetype. Much of the time, you'll find that this is already done because the Add-on or App that helped gather the data is Common Information Model compliant. An example might help:

  1. You install the Windows Add-on, the CIM, and the App for CEF... now you've got several data models for concepts like Authentication and Change Analysis, and you can use the App for CEF to just grab any Change Analysis events and send them on to your SIEM.
  2. Then you install the Cisco ASA Add-on, and since it's CIM-compliant too, any reconfigurations to your ASA devices also get caught by the Change Analysis model and sent to the SIEM.
  3. Then you install the Oracle Database Add-on, same thing...
  4. Then you point it at your home-grown middleware... and you just need to tag the change analysis events to have the same thing happen.

0 Karma
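To make the "model the data, then emit CEF" flow above concrete, here is an added example (not code from the Splunk App for CEF or from Splunk) that takes CIM-style Change Analysis events (`action`, `object`, `user`, `src`, `dest`, `status`, `_time`) and formats them as CEF:0 lines with the escaping the ArcSight CEF specification requires, plus a parser that reverses the process so the output can be checked. The vendor/product/version strings, the CIM-to-CEF key mapping, the severity scale and the sample events are all constructed for this example. The original event time is carried in the CEF `rt` key (milliseconds since epoch) rather than the time the line was relayed, which is what a receiver needs to recognise a late-arriving event as late.

```python
"""Emit and parse ArcSight CEF:0 lines for CIM-normalized events (example code)."""
import re

# CIM field -> CEF extension key. Assumed mapping for this example.
CIM_TO_CEF = {
    "action": "act",
    "object": "fname",
    "user": "suser",
    "src": "src",
    "dest": "dst",
    "status": "outcome",
}

# CIM severity label -> CEF 0..10 severity scale. Constructed mapping.
SEVERITY = {"informational": 1, "low": 3, "medium": 5, "high": 8, "critical": 10}

# Constructed sample events in the shape of CIM Change Analysis results.
SAMPLE_EVENTS = [
    {"_time": 1700000000.5, "action": "modified", "object": "C:\\app\\config.ini",
     "user": "CORP\\alice", "src": "10.0.0.5", "dest": "srv01", "severity": "high",
     "status": "success", "signature_id": "change-001", "signature": "Config|change"},
    {"_time": 1700000060, "action": "created", "object": "/etc/app.conf",
     "user": "root", "severity": "medium", "status": "mode=0644\nowner changed"},
]


def escape_header(value):
    """CEF header fields: backslash and pipe must be backslash-escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash and '=' escaped, line breaks written as \\r / \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleProduct", version="1.0"):
    """Build one CEF:0 line from a CIM-style event dict.

    Splunk's _time is epoch seconds; CEF 'rt' is epoch milliseconds, so the
    original event time survives the relay instead of being replaced by it.
    """
    header = [
        "CEF:0", vendor, product, version,
        event.get("signature_id", event.get("action", "unknown")),
        event.get("signature", event.get("action", "unknown")),
        SEVERITY.get(str(event.get("severity", "low")).lower(), 3),
    ]
    ext = []
    if "_time" in event:
        ext.append("rt=%d" % int(float(event["_time"]) * 1000))
    for cim_key, cef_key in CIM_TO_CEF.items():
        if cim_key in event:
            ext.append("%s=%s" % (cef_key, escape_extension(event[cim_key])))
    return "|".join(escape_header(h) for h in header) + "|" + " ".join(ext)


def _split_header(line):
    """Split on the first seven unescaped pipes; whatever follows is the extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # escaped char is kept literally (unescapes \| and \\)
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, line[i:]


_KEY = re.compile(r"(?:^|\s)(\w+)=")  # an unescaped '=' after a key name starts a pair


def _unescape_extension(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse a CEF:0 line into header fields plus an 'extension' dict."""
    fields, ext = _split_header(line)
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    keys = list(_KEY.finditer(ext))
    extension = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape_extension(ext[m.end():end])
    out = dict(zip(["version", "vendor", "product", "device_version",
                    "signature_id", "name", "severity"], fields))
    out["extension"] = extension
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        line = to_cef(ev)
        print(line)
        print(parse_cef(line)["extension"])
```

Splitting the header character by character rather than with a regex matters because `\\|` (an escaped backslash followed by a real field separator) must still split, and extension values may contain unescaped pipes. In a real deployment the receiver side should also be checked: if `rt` is not mapped to the event's end time on the ArcSight side, the SIEM will timestamp events at arrival, which is exactly the timing problem raised in this thread.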

jtsapos
Explorer

With all these additional steps required to finally get something over to ArcSight for correlation, you can imagine there must be some loss of data integrity somewhere along the way.

I have feedback from others out in the field regarding the SPLUNK to ArcSight integration:

"Two things it doesn't seem to address are the timing issues and health monitoring. Its aim is to fix the formatting issues so you can use a standard ArcSight connector in a standard configuration, but it doesn't seem to address any of the other issues with relaying events through Splunk.

Two of the biggest problems with relaying your events through Splunk are the timing issues it creates with late events and the lack of device/health monitoring that you would normally have if you were getting it straight from an ArcSight connector.

I can elaborate further if needed, but it is my understanding that the Splunk CEF app only addresses formatting; it doesn't address delivery, event time or health monitoring issues which plague that configuration."

For security monitoring you cannot sacrifice accurate event times or correct delivery of events. You will have loss of data integrity which is unacceptable when reporting security events.

Is there any way that SPLUNK can look at some of these data integrity issues when trying to integrate with ArcSight?

0 Karma

danje57
Path Finder

No answer?
It seems that the application is bad and the document doesn't contain a lot of information regarding the configuration of the data model.

0 Karma

jtsapos
Explorer

Not very encouraging then, is it?

I'm surprised we cannot get an answer for this SPLUNK app from the SPLUNK team...

0 Karma

LukeMurphey
Champion

I suspect the problem is that people don't understand what this means: "Do you have to map every event one by one first or is there some way to just get a full export of the SPLUNK data all at once?"

Could you clarify? The app doesn't export a single event but all events within the selected data-model. By event, do you mean data-model?

0 Karma

jtsapos
Explorer

By event I mean every event with an event ID. From the description above, it looks like the data model is translated into events?

In any case though, it looks like you create a "search description" within the SPLUNK app for CEF and using that search description SPLUNK Enterprise writes the data in CEF to the Syslog receiver you specify.

What about other receivers such as Sourcefire, Tripwire, Symantec, McAfee, etc.?

SPLUNK app for CEF looks like it may work for Syslog data but I don't know about other different log types.

Also, I have info from others out in the field regarding the SPLUNK to ArcSight integration:

"Two things it doesn't seem to address are the timing issues and health monitoring. Its aim is to fix the formatting issues so you can use a standard ArcSight connector in a standard configuration, but it doesn't seem to address any of the other issues with relaying events through Splunk. Two of the biggest problems with relaying your events through Splunk are the timing issues it creates with late events and the lack of device/health monitoring that you would normally have if you were getting it straight from an ArcSight connector. I can elaborate further if needed, but it is my understanding that the Splunk CEF app only addresses formatting; it doesn't address delivery, event time or health monitoring issues which plague that configuration."

0 Karma

jcoates_splunk
Splunk Employee

Hi, thanks -- that helps me understand the question.

1) The app works by modeling data that has been received into Splunk and then emitting a CEF formatted stream. Its functionality hasn't got anything to do with event IDs, at least as we understand them.
2) If your receiver doesn't want CEF over syslog, then you probably don't need this app, and can use Splunk's native syslog output or outputcsv or pull from one of our APIs instead. You may still find the app handy as an example of how you can manipulate data for such an output though.
3) I agree that the app is not intended or designed for that purpose. A better way to handle such a use case is to do it in Splunk directly and pass the results to the next system down the pipeline.

0 Karma