Solved: Imperva CEF not parsing header

joelggoti · ‎06-18-2020

Hi, we have trouble seeing the data, sent by syslog in format cef, from the imperva to splunk. we have Splunk Add-on for Imperva SecureSphere WAF installed.

thanks for your quick response,

regards

marycordova · ‎06-18-2020

this is the configuration in Imperva correct? webUI or something? where is it getting sent to? is this a blackbox Imperva installation or are you running on your own *nix server? the syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.

what you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between Imperva config to Splunk input.

@marycordova

View solution in original post

marycordova · ‎06-18-2020

The mangled part of the log event is the syslog header, the part that has the timestamp host/ip etc, something like the below googled sample:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com cef stuff here

I think if you take a look at your syslog configuration on Imperva and any intermediary systems supporting your syslog transport you should be able to find the issue.

- upvotes appreciated 🤓

@marycordova

joelggoti · ‎06-18-2020

i use this message:

CEF:0|Imperva Inc.|SecureSphere|[SecureSphere version #] |${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate (${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description

regards

marycordova · ‎06-18-2020

this is the configuration in Imperva correct? webUI or something? where is it getting sent to? is this a blackbox Imperva installation or are you running on your own *nix server? the syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.

what you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between Imperva config to Splunk input.

@marycordova

joelggoti · ‎06-18-2020

yes, this is the message in the configuration in the imperva box.

I will search and validate the configuration in the imperva and I will notify you. Thanks a lot

richgalloway · ‎06-18-2020

Did you install the Imperva add-on on both the indexer(s)/HF(s) AND the search heads?

---
If this reply helps you, Karma would be appreciated.

joelggoti · ‎06-18-2020

Thanks for answering, we have a single instance and everything is installed.

richgalloway · ‎06-18-2020

Is there a setting in Imperva where the binary data in the CEF events can be removed?

---
If this reply helps you, Karma would be appreciated.

Imperva CEF not parsing header

configuration

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)