All Apps and Add-ons

eNcore correlation events SRC and DEST IP addresses fields as INTEGER

mcatanoi
New Member

Hi,

The Correlation Events received via eStreamer are processed by eNcore app in a wrong format for SRC and DEST IP addresses fields, which are presented as INTEGER values, rather than IPs.

per example:
rec_type=112 rec_type_desc="Correlation Event" src_ip=3117469894 dest_ip=182909563

Can you fix it please?

Thank you

0 Karma

douglashurd
Builder

Any chance you had Meta Data switched off on the FMC estreamer configuration page? We haven't seen this on other customer sites.

0 Karma

mcatanoi
New Member

Hi,

We've fixed this issue by modifying the following lines into the encore\estreamer\definitions\blocks_series1.py

...127
BLOCK_USER_LOGIN_INFORMATION_54: [
...
{ 'type': TYPE_IPV4, 'name': 'ipv4Address' },
{ 'type': TYPE_IPV6, 'name': 'ipv6Address' },
...

It would be great if the author of this app will submit these changes for the next release.

Thank you

0 Karma

p_gurav
Champion

Hi mcatanoi,

  • Please check the sourcetype is properly mapped for those events
  • Also check the format of extraction defined for this sourcetype is match with pattern of events you are getting.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!