Why is Check Point OPSEC LEA is parsing out dst to...

nb1030 · ‎06-06-2018

In the logs for "New Anti Virus", the logs contain a "dst=" and "src=" field. For some logs, it is placing the "dst=" value into both the dst and the src fields. In other logs, it is placing the "dst=" value into the src field, and the "src=" value into the dst field. In other logs, it is putting the "dst=" value into both fields, but these logs then have the dest, dest_ip, and src_ip fields that contain the wrong values.

Examples for the "New Anti Virus" logs:
Log type 1
log contains dst=10.20.30.40; dst field contains 10.20.30.40
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 2
log contains dst=10.20.30.40; dst field contains 50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40

Log type 3
log contains dst=10.20.30.40; dst field contains 10.20.30.40, dest field contains 50.60.70.80, dest_ip=50.60.70.80
log contains src=50.60.70.80; src field contains 10.20.30.40, src_ip field contains 10.20.30.40

Is there anyway to fix this?

mgaudie_splunk · ‎06-12-2018

Looks like an issue with the field alaising. Have you made any changes to the add-on's props.conf file or added a local props.conf file?

nb1030 · ‎06-28-2018

We have a ticket open now as it seems there are a few reasons this could be happening.

astatrial · ‎04-10-2019

Hello,
Did you manage to figure out the reason for this behavior ?
Thanks !!

Why is Check Point OPSEC LEA is parsing out dst to src and src to dst?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases