Hello to all.
I am using the CEF Extraction TA for extracting CEF fields in a FireEye log. When I test this on a standalone system with Indexer and Search Head, the cs#Label fields extract correctly.
As soon as I put this in an environment with a Heavy Forwarder, Indexer, and Search Head distributed (or even just Indexer and Search Head), the fields will not extract.
I am at my wit's end here.
Help? Thanks!
Hi @aferone,
where did you install the TA?
You must install it on the HF and SH; I usually install it on the Indexers as well, but there it isn't mandatory (unlike the others).
Ciao.
Giuseppe
Hello Giuseppe,
Yes, it is currently installed on all 3, actually.
Thanks!
Hi @aferone,
check the sourcetype assigned in your input and verify that it's the same one required by the TA's props.conf.
Ciao.
Giuseppe
I actually copied the props and transforms stanzas from the TA and applied them to the sourcetype we need to extract from.
Hi @aferone,
I suppose that you assigned the "cefevents" sourcetype to your input.
Why aren't you using the TA, only adding the inputs.conf?
Also, you said that you're using this TA for FireEye; did you explore the dedicated TA for FireEye (https://splunkbase.splunk.com/app/1904)?
There are some restrictions:
When you should not use this TA:
This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. Single Splunk install -- no forwarders or separate indexers)
Instead just install the app located here: https://apps.splunk.com/app/1845
When you should use this TA:
This TA supports the FireEye_v3 app. It does not contain any dashboards and should be installed on Splunk indexers, while the app itself is installed on the search head.
but maybe it's better for your distributed environment.
Ciao.
Giuseppe
Surprisingly, the FireEye TA will extract the CEF headers but not the other cs#Label fields. This is why we are going down this road. 🙂
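For anyone following along, this is what the TA's cs#Label extraction has to do at search time: CEF custom string fields carry the value in csN and its human-readable name in csNLabel, and the two must be paired before the field means anything. The following is an added example, not code from the thread or from either TA; it parses a constructed FireEye-HX-shaped CEF record (the field values are made up) and pairs the labels.

```python
import re

# Constructed sample in FireEye-HX-like CEF shape (made up for this example, not a real capture).
SAMPLE = (
    "CEF:0|FireEye|HX|4.0.0|IOC Hit|Indicator match|7|"
    "rt=Mar 01 2020 10:00:00 src=10.0.0.5 dst=10.0.0.9 "
    "cs1Label=Indicator cs1=Suspicious Process cs2=host-01 cs2Label=Hostname "
    "msg=Process spawned cmd\\=powershell.exe"
)

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]

# csN, cnN, flexStringN, ...: the numbered custom fields a CEF producer may label
CUSTOM_RE = re.compile(r"^(cs|cn|flexString|flexNumber|flexDate)\d+$")

def unescape(value):
    # CEF escapes backslash, pipe (header) and equals (extension) with a backslash
    return re.sub(r"\\([\\|=])", r"\1", value)

def parse_cef(line):
    # Header: seven pipe-delimited fields; pipes inside a field are escaped as \|
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    # Extension: key=value pairs whose values may contain spaces, so split only
    # before a token that looks like the next key (word characters then an unescaped '=')
    ext = {}
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = unescape(value)
    return header, ext

def resolve_labels(ext):
    # Pair csN with csNLabel: "cs1Label=Indicator cs1=Suspicious Process" becomes
    # Indicator="Suspicious Process"; the order of the two keys does not matter
    resolved = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        label = ext.get(key + "Label") if CUSTOM_RE.match(key) else None
        resolved[label or key] = value
    return resolved

if __name__ == "__main__":
    header, ext = parse_cef(SAMPLE)
    print(header)
    print(resolve_labels(ext))
```

A record where only the header fields come out, as described above, means the parsing stopped after the seven pipes and the csN/csNLabel pairing in the extension never ran.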
Hi @aferone,
Really strange!
Anyway, I suppose that you assigned the "cefevents" sourcetype to your input.
Why aren't you using the TA and only adding the inputs.conf, instead of taking props.conf and transforms.conf?
Ciao.
Giuseppe
Because we don't want to assign FireEye events to a sourcetype of "cefevents". "cefevents" is too broad and doesn't mean anything.
Hi @aferone,
Ok, correct.
I suppose that you created a new add-on with a different sourcetype and you deployed this TA to all machines.
What's the sourcetype of the events not correctly parsed?
Ciao.
Giuseppe
I'm starting to wonder if the FireEye TA, which also has "hx_cef_syslog", is conflicting because that is also installed.