All Apps and Add-ons

Why is there missing user information in flow stats?

dw385
Explorer

At Conf 2016 the team at the Cisco booth showed me I can get URL data with estreamer and It was my understanding we can get everything from estreamer that we can with Syslog. We were using Syslog to get the web traffic (users/ urls) but had to move away from that method. Estreamer has the web data as far as the URL under the flow statistics but doesn’t appear to contain the user information. The user field for flow stats is a numerical number, most hits being 9999999 or 9999997. The syslog data had the actual username and we could report on per user data.
We are running version 6.0.1-2 for SourceFire. The options for EStreamer on the Sourcefire configuration has all data selected as being available. We’re running estreamer 2.2.2 on Splunk 6.4.2 with the options for log extra data, log flows, and log metadata enabled.
It actually seems like all of the estreamer data has a number for user. Is this the expected data format and is there way I can translate number to user (assuming the number represents a user in SourceFire).

Labels (1)
0 Karma

Ele
New Member

Hi dw385,

Did you ever get a fix for this? My running FMC 6.6.5.1?

 

thanks

 

0 Karma

douglashurd
Builder

Hello and thanks for the question. I remember our discussion from Splunk .conf I think.

The API uses a lot of encoding. Example: User 9 = "Jim Smith".

An actual user name will get sent to thru the API once and then all subsequent events will just have 'User = 9" . The assumption is that the client will cache a table the says use 'jim smith' when user = 9, the client then writes the event record containing the actual name.

The current Splunk app doesn't reliably perform this lookup. It is the goal to do this in future in a new Splunk app expected early next year.

0 Karma

Richfez
SplunkTrust
SplunkTrust

I was about to post a similar question. It appears at the root of this is that eStreamer isn't quite pulling all the information when used against FMC 6.x as it did against 5.x. As an aside, the Cisco Sourcefire TA also doesn't seem to be correctly transforming what is there into a fully CIM compliant version so ES panels won't get populated fully either from some of this data. I haven't yet determined if this is an important problem or if it'll fix itself (or be trivially fixable) when eStreamer works properly against newer versions of the Sourcefire/FireSIGHT/FMC information.

I do know there's at least some activity being generated behind the scenes on this problem now that a couple of people have made it known that this is happening and I expect someone to start taking a serious look at fixing it now.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...