
Why is there missing user information in flow stats?

dw385
Explorer

At .conf 2016 the team at the Cisco booth showed me I can get URL data with eStreamer, and it was my understanding we can get everything from eStreamer that we can with syslog. We were using syslog to get the web traffic (users/URLs) but had to move away from that method. eStreamer has the web data as far as the URL under the flow statistics but doesn't appear to contain the user information. The user field for flow stats is a number, most hits being 9999999 or 9999997. The syslog data had the actual username and we could report on per-user data.
We are running version 6.0.1-2 for Sourcefire. The options for eStreamer in the Sourcefire configuration have all data selected as being available. We're running eStreamer 2.2.2 on Splunk 6.4.2 with the options for log extra data, log flows, and log metadata enabled.
It actually seems like all of the eStreamer data has a number for user. Is this the expected data format, and is there a way I can translate the number to a user (assuming the number represents a user in Sourcefire)?


Ele
New Member

Hi dw385,

Did you ever get a fix for this? I'm running FMC 6.6.5.1.


thanks



douglashurd
Builder

Hello and thanks for the question. I remember our discussion from Splunk .conf I think.

The API uses a lot of encoding. Example: User 9 = "Jim Smith".

An actual user name will get sent through the API once, and then all subsequent events will just have "User = 9". The assumption is that the client will cache a table that says use "Jim Smith" when user = 9; the client then writes the event record containing the actual name.

The current Splunk app doesn't reliably perform this lookup. It is the goal to do this in future in a new Splunk app expected early next year.

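The caching the answer above describes, as an added example that is not code from this thread, from Cisco, or from the Splunk app: a metadata record announcing the id-to-name mapping arrives once, later flow records carry only the number, and the client keeps a lookup table so it can write the name into each event. The record shapes, field names (`user_id`, `name`, `url`, `bytes`) and the sample stream are constructed for illustration and are not the eStreamer wire format. Ids that never received a metadata record (the 9999999-style values from the question) are left unresolved and counted rather than guessed at, so a reporting gap stays visible instead of being silently dropped.

```python
"""Resolve numeric user ids in flow records against cached metadata.

Constructed illustration of the client-side cache described in the thread.
Record kinds, field names and sample values are assumptions, not the real
eStreamer protocol.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Record:
    kind: str      # "user_metadata" or "flow" (assumed record kinds)
    fields: dict   # payload; see SAMPLE_STREAM for the assumed shape


class UserResolver:
    """Holds the id -> name table and annotates flow records with it."""

    def __init__(self) -> None:
        self.users: Dict[int, str] = {}
        # id -> number of flows seen for which no metadata was ever received
        self.unresolved: Dict[int, int] = defaultdict(int)

    def handle(self, rec: Record) -> Optional[dict]:
        """Cache metadata records; return an annotated copy of flow records."""
        if rec.kind == "user_metadata":
            self.users[rec.fields["user_id"]] = rec.fields["name"]
            return None
        if rec.kind == "flow":
            out = dict(rec.fields)
            uid = out.get("user_id")
            name = self.users.get(uid)
            if name is None:
                # Do not invent a name: record that this id is unresolved.
                self.unresolved[uid] += 1
            out["user"] = name
            return out
        return None   # other record kinds are ignored in this illustration


def resolve_flows(stream: Iterable[Record]) -> Tuple[List[dict], Dict[int, int]]:
    """Run the stream through one resolver; return (flow events, unresolved ids)."""
    resolver = UserResolver()
    events = [e for e in (resolver.handle(r) for r in stream) if e is not None]
    return events, dict(resolver.unresolved)


def bytes_by_user(events: List[dict]) -> Dict[str, int]:
    """Per-user byte totals; unresolved ids are reported under an explicit label."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        key = e["user"] if e["user"] is not None else f"unresolved:{e['user_id']}"
        totals[key] += e.get("bytes", 0)
    return dict(totals)


# Constructed sample stream: metadata once, then flows carrying only the id.
SAMPLE_STREAM = [
    Record("user_metadata", {"user_id": 9, "name": "Jim Smith"}),
    Record("flow", {"user_id": 9, "url": "http://example.com/", "bytes": 1200}),
    Record("flow", {"user_id": 9, "url": "http://example.org/", "bytes": 300}),
    Record("flow", {"user_id": 9999999, "url": "http://example.net/", "bytes": 50}),
]

if __name__ == "__main__":
    evts, missing = resolve_flows(SAMPLE_STREAM)
    for e in evts:
        print(e)
    print("per-user bytes:", bytes_by_user(evts))
    print("ids with no metadata:", missing)
```

Because the cache lives in the client process, a consumer that starts after the metadata record was sent, or that restarts without persisting the table, sees only numbers; a Splunk lookup populated from the metadata stream (or a persisted cache file) is the practical fix for that case.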

Richfez
SplunkTrust

I was about to post a similar question. It appears at the root of this is that eStreamer isn't quite pulling all the information when used against FMC 6.x as it did against 5.x. As an aside, the Cisco Sourcefire TA also doesn't seem to be correctly transforming what is there into a fully CIM compliant version so ES panels won't get populated fully either from some of this data. I haven't yet determined if this is an important problem or if it'll fix itself (or be trivially fixable) when eStreamer works properly against newer versions of the Sourcefire/FireSIGHT/FMC information.

I do know there's at least some activity being generated behind the scenes on this problem now that a couple of people have made it known that this is happening and I expect someone to start taking a serious look at fixing it now.
