Splunk Enterprise

Imperva CEF not parsing header

joelggoti
Explorer


Hi, we have trouble seeing the data sent by syslog in CEF format from Imperva to Splunk. We have the Splunk Add-on for Imperva SecureSphere WAF installed.

Thanks for your quick response,

regards

1 Solution

marycordova
SplunkTrust

This is the configuration in Imperva, correct? WebUI or something? Where is it getting sent to? Is this a blackbox Imperva installation, or are you running on your own *nix server? The syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.

What you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between the Imperva config and the Splunk input.

@marycordova


marycordova
SplunkTrust

The mangled part of the log event is the syslog header, the part that has the timestamp, host/IP, etc., something like the googled sample below:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com cef stuff here

I think if you take a look at your syslog configuration on Imperva and any intermediary systems supporting your syslog transport, you should be able to find the issue.

- upvotes appreciated 🤓

@marycordova

joelggoti
Explorer

I use this message:

CEF:0|Imperva Inc.|SecureSphere|[SecureSphere version #] |${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate (${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description

regards

0 Karma
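To make the diagnosis above concrete, here is an added example (not code from the thread, from Splunk, or from the Imperva add-on) that splits a raw syslog line into the RFC 5424-style header marycordova describes and the CEF payload shaped like joelggoti's SecureSphere template, then flags the failure mode in this thread: a header that arrives as non-text bytes while the CEF payload itself is intact. The two sample events, the device version "13.0", the app-name field "SecureSphere" and all field values are constructed placeholders, not output from a real appliance.

```python
import re
from typing import Any, Dict

# Constructed sample: an RFC 5424 syslog header wrapping a CEF payload shaped
# like the SecureSphere template in the thread. All values are placeholders.
SAMPLE_GOOD = (
    b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com SecureSphere - - - "
    b"CEF:0|Imperva Inc.|SecureSphere|13.0|Alert|SQL Injection|High|"
    b"act=Block dst=10.0.0.5 dpt=443 duser=alice src=192.0.2.10 spt=51234 "
    b"proto=TCP rt=Oct 11 2003 22:14:15 cat=Alert cs1=Web Policy cs1Label=Policy "
    b"cs5=Suspicious input in query string cs5Label=Description"
)

# Constructed sample of the failure mode in the thread: the syslog header
# arrives as non-text bytes while the CEF payload itself is intact.
SAMPLE_MANGLED = (
    b"\x00\x01\x7f\xfe\x02 CEF:0|Imperva Inc.|SecureSphere|13.0|Alert|SQL Injection|High|"
    b"act=Block dst=10.0.0.5"
)

# Loose match for the start of an RFC 5424 (or BSD-style) syslog header:
# <PRI>, optional version, timestamp, hostname. Later header fields are ignored.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d+)?\s*(?P<ts>\S+)\s+(?P<host>\S+)")

CEF_HEADER_FIELDS = ("vendor", "product", "device_version", "signature_id", "name", "severity")


def header_looks_binary(header: bytes) -> bool:
    """True if the bytes before 'CEF:' contain anything that is not printable ASCII."""
    return any((b < 0x20 and b != 0x09) or b >= 0x7F for b in header)


def parse_cef(payload: str) -> Dict[str, Any]:
    """Parse 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension'."""
    if not payload.startswith("CEF:"):
        raise ValueError("payload does not start with CEF:")
    # Split on unescaped pipes only; the 8th part is the whole extension string.
    parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 pipe-separated fields")

    def unescape_header(value: str) -> str:
        return value.replace("\\|", "|").replace("\\\\", "\\")

    cef: Dict[str, Any] = {"version": parts[0][len("CEF:"):]}
    for key, value in zip(CEF_HEADER_FIELDS, parts[1:7]):
        cef[key] = unescape_header(value)

    # Extension values may contain spaces (rt=, cs5= above), so split only
    # where the next 'key=' token begins rather than on every space.
    extensions: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        extensions[key] = value.replace("\\=", "=").replace("\\\\", "\\")

    # Resolve csNLabel/csN pairs into readable names (e.g. Policy -> cs1 value).
    labeled: Dict[str, str] = {}
    for key, label in extensions.items():
        if key.endswith("Label") and key[:-5] in extensions:
            labeled[label] = extensions[key[:-5]]
    cef["extensions"] = extensions
    cef["labeled"] = labeled
    return cef


def parse_event(raw: bytes) -> Dict[str, Any]:
    """Split a raw syslog line into header and CEF payload, flagging a mangled header."""
    idx = raw.find(b"CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in event")
    header, payload = raw[:idx], raw[idx:]
    result: Dict[str, Any] = {"header_ok": not header_looks_binary(header), "syslog": None}
    if result["header_ok"]:
        m = HEADER_RE.match(header.decode("ascii"))
        if m:
            pri = int(m["pri"])
            result["syslog"] = {
                "pri": pri,
                "facility": pri >> 3,  # <34> -> facility 4 (auth), severity 2 (critical)
                "severity": pri & 7,
                "timestamp": m["ts"],
                "host": m["host"],
            }
    result["cef"] = parse_cef(payload.decode("utf-8", errors="replace"))
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_MANGLED):
        ev = parse_event(sample)
        print("header_ok:", ev["header_ok"], "| syslog:", ev["syslog"])
        print("  cef:", ev["cef"]["vendor"], ev["cef"]["name"], ev["cef"]["labeled"])
```

Running this against a sample of the raw events captured at each hop (appliance, any relay, the Splunk input) shows where `header_ok` first turns false, which is the link in the chain the solution above says to validate; the CEF body still parses either way, which is why the payload looks fine while timestamp and host are lost.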


joelggoti
Explorer

Yes, this is the message in the configuration in the Imperva box.

I will search and validate the configuration in Imperva and I will notify you. Thanks a lot.

0 Karma

richgalloway
SplunkTrust
Did you install the Imperva add-on on both the indexer(s)/HF(s) AND the search heads?
---
If this reply helps you, Karma would be appreciated.

joelggoti
Explorer

Thanks for answering, we have a single instance and everything is installed.

0 Karma

richgalloway
SplunkTrust
Is there a setting in Imperva where the binary data in the CEF events can be removed?
---
If this reply helps you, Karma would be appreciated.