Getting Data In

Can't Extract CEF Fields in Distributed Environment

aferone
Builder

Hello to all.

I am using the CEF Extraction TA for extracting CEF fields in a FireEye log.  When I test this on a standalone system with Indexer and Search Head, the cs#Label fields extract correctly.

As soon as I put this in an environment with a Heavy Forwarder, Indexer, and Search Head distributed (or even just Indexer and Search Head), the fields will not extract.

I am at my wit's end here.

Help?  Thanks!

0 Karma

gcusello
SplunkTrust

Hi @aferone,

where did you install the TA?

You must install it on the HF and the SH. I usually also install it on the Indexers, but that isn't mandatory (as with the others).

Ciao.

Giuseppe

0 Karma

aferone
Builder

Hello Giuseppe, 

Yes, it is currently installed on all 3, actually.

Thanks!

0 Karma

gcusello
SplunkTrust

Hi @aferone,

check the sourcetype assigned in your input and verify if it's the same requested in TA's props.conf.

Ciao.

Giuseppe

0 Karma

aferone
Builder

I actually copied the props and transforms stanzas from the TA and applied them to the sourcetype we need to extract from.

0 Karma

gcusello
SplunkTrust

Hi @aferone,

I suppose that you assigned the "cefevents" sourcetype to your input.

Why aren't you using the TA, only adding the inputs.conf?

Then, you said that you're using this TA for FireEye; did you explore the dedicated TA for FireEye (https://splunkbase.splunk.com/app/1904)?

There are some restrictions:

When you should not use this TA:

This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. Single Splunk install -- no forwarders or separate indexers)

Instead just install the app located here: https://apps.splunk.com/app/1845

When you should use this TA:

This TA supports the FireEye_v3 app. It does not contain any dashboards and should be installed on Splunk indexers while the app itself installed on the search head.

but maybe it's better for your distributed environment.

ciao.

Giuseppe

0 Karma

aferone
Builder

Surprisingly, the FireEye TA will extract the CEF headers but not the other cs#Label fields.  This is why we are going down this road. 🙂

0 Karma
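To make concrete what "extracting the cs#Label fields" means in the exchange above, here is an added example, written for this page and not code from the CEF Extraction TA, the FireEye TA, or a Splunk configuration. It parses a constructed CEF syslog line (vendor, product, and field values are placeholders, not real FireEye output), splits the seven pipe-delimited header fields from the extension, collects the key=value pairs (handling the CEF backslash escapes for `=`, `\` and `|`), and then renames each `csN`/`cnN`/`flexN` value to the name carried by its matching `csNLabel`. The CEF header is the part a generic extraction gets right easily; the label rename is the second step that has to run as well.

```python
import re

# Constructed sample event (not from the original post). Vendor, product and
# field values are placeholders chosen to resemble a FireEye HX CEF syslog line.
SAMPLE_EVENT = (
    "<14>Mar 03 12:00:00 fireeye-host CEF:0|FireEye|HX|4.0|IOC Hit|Indicator Match|8|"
    "rt=Mar 03 2024 12:00:00 dvchost=fireeye-host shost=ws01 suser=jdoe "
    "cs1=malware.exe cs1Label=Process cs2=C:\\\\Users\\\\jdoe\\\\Downloads "
    "cs2Label=Path cn1=4242 cn1Label=PID msg=Alert text with a\\=b escape"
)

# The seven mandatory CEF header fields, in order.
CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# Extension keys that carry a value in a sibling "...Label" key.
LABELLED_KEY = re.compile(r"^((?:cs|cn|flexString|flexNumber|flexDate)\d+)Label$")

# key=value pairs; values may contain spaces and backslash escapes, so a value
# runs lazily until the next " key=" or the end of the extension.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _unescape(value):
    # CEF escapes '=' and '\' in the extension and '|' in the header with '\'.
    return re.sub(r"\\([\\=|])", r"\1", value)


def resolve_labels(extension):
    """Rename csN/cnN/flexN values to the name given by their csNLabel key.

    The label and the numbered key are removed; the label text is made into a
    safe field name by replacing non-word characters with '_'.
    """
    out = dict(extension)
    for key, label in extension.items():
        m = LABELLED_KEY.match(key)
        if not m:
            continue
        base = m.group(1)
        if base in out:
            out[re.sub(r"\W", "_", label)] = out.pop(base)
        out.pop(key, None)
    return out


def parse_cef(raw):
    """Parse one syslog-wrapped CEF event into a flat dict of fields."""
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in event")
    # Split on unescaped '|' only; the 8th piece is the whole extension.
    parts = re.split(r"(?<!\\)\|", raw[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {name: _unescape(val) for name, val in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension = {key: _unescape(val) for key, val in EXT_PAIR.findall(parts[7])}
    event.update(resolve_labels(extension))
    return event


if __name__ == "__main__":
    for field, value in parse_cef(SAMPLE_EVENT).items():
        print(f"{field}={value}")
```

In Splunk both steps are search-time extractions keyed by sourcetype in props.conf, which is why the question of which sourcetype the input actually carries matters: a stanza copied under a different sourcetype name than the events arrive with never runs, and the headers may still appear (from a broader, generic extraction) while the label rename does not.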

gcusello
SplunkTrust

Hi @aferone,

really strange!

anyway, I suppose that you assigned the "cefevents" sourcetype to your input.

Why aren't you using the TA, only adding the inputs.conf, instead of taking props.conf and transforms.conf?

Ciao.

Giuseppe

0 Karma

aferone
Builder

Because we don't want to assign FireEye events to a sourcetype of "cefevents".  "cefevents" is too broad and doesn't mean anything.

0 Karma

gcusello
SplunkTrust

Hi @aferone,

Ok, correct.

I suppose that you created a new add-on with a different sourcetype and you deployed this TA to all machines.

what's the sourcetype of the events not correctly parsed?

Ciao.

Giuseppe

0 Karma

aferone
Builder

I'm starting to wonder if the FireEye TA, which also has "hx_cef_syslog", is conflicting because that is also installed.

0 Karma