I set up Cisco eStreamer 3.0.0 correctly, but I see that it is not CIM and Enterprise Security won't see the data correctly.
Does anyone know if there will be a new version of CIM? Or is the best way to use the old 2.2.2, which is CIM?
Why do you say it is not CIM?
I took a look at the tags and eventtypes and they will surely be matched against CIM. Am I missing something here?
I saw that there's no CIM in the app description, so I thought it was not compliant.
After investigating a bit I could see a few tags and eventtypes, but I don't see anything matched.
In the logs I receive there are a lot of fields that are not matched (here is the list of the possible fields I have).
I'm pretty sure that I should have a ton of other fields. Can you confirm that I should see more things?
The fields you should see strictly depend on which DataModel your events are being mapped against.
The list of fields you are showing me is pretty much the expected one for the NetworkTraffic DataModel, I think, so don't assume it is not CIM compliant.
Moreover, you don't need to have all the fields of a data model in your data. In fact, you'll rarely have them all.
Check here which fields each Data model of enterprise security has.
It seems that there are no tags, so the data cannot be used in any datamodel. Is this normal behavior?
In the eStreamer TA there are no tags; in the eStreamer dashboard there are eventtypes, but again no tags.
I put a picture here:
In the new eStreamer eNcore I found a couple issues that might cause this:
For example, I changed:
I confirm this is how I solved it.
I solved it by fixing the tags inside the eStreamer dashboard.
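
One way to check for the problem discussed in this thread (eventtypes that carry no enabled tags, so no CIM data model picks the events up), as an added example that is not part of the original posts or of the eStreamer app. The eventtype names, sourcetype and search strings are constructed placeholders; the script assumes you pass it the text of a single `eventtypes.conf` and `tags.conf`, and it does not merge Splunk's `default`/`local` layers.

```python
import configparser

# Tags required by the root constraint of two CIM data models (per the Splunk CIM docs).
CIM_REQUIRED_TAGS = {
    "Network_Traffic": {"network", "communicate"},
    "Intrusion_Detection": {"ids", "attack"},
}

# Constructed sample input: hypothetical eventtypes, not the app's real ones.
EVENTTYPES = """
[example_connection]
search = sourcetype=example:sourcetype event_kind=connection
[example_intrusion]
search = sourcetype=example:sourcetype event_kind=intrusion
[example_file]
search = sourcetype=example:sourcetype event_kind=file
"""

TAGS = """
[eventtype=example_connection]
network = enabled
communicate = enabled
[eventtype=example_intrusion]
ids = enabled
attack = disabled
"""

def _parse(conf_text):
    # Splunk .conf files are INI-like; '=' is the only key/value delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    return cp

def audit(eventtypes_conf, tags_conf):
    """Return {eventtype: [data models whose required tags are all enabled]}."""
    tags = _parse(tags_conf)
    result = {}
    for name in _parse(eventtypes_conf).sections():
        stanza = f"eventtype={name}"
        enabled = set()
        if tags.has_section(stanza):
            enabled = {t for t, v in tags.items(stanza) if v.strip().lower() == "enabled"}
        result[name] = sorted(m for m, req in CIM_REQUIRED_TAGS.items() if req <= enabled)
    return result

if __name__ == "__main__":
    for eventtype, models in audit(EVENTTYPES, TAGS).items():
        print(f"{eventtype}: {', '.join(models) or 'NOT MAPPED to any listed data model'}")
```

An eventtype that comes back with an empty list has either no `tags.conf` stanza or a required tag set to `disabled`, which is the state described above where Enterprise Security sees nothing.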