Hello,
I recently updated the FireEye TA to version 3 and now I am not receiving any data. I have 6 indexers and 4 search heads, with many UFs. I have the TA installed on the indexers only and the app on the search heads; the app is working with previous data. My index is security and my sourcetype is hx_cef_syslog, and I have the below files in default. Can anyone see what I'm doing wrong?
[eventtypes.conf file]
[fe]
search = sourcetype=fe_* OR sourcetype=hx_*
[my props.conf file]
# Stanzas in this file
# - syslog - Should probably not be used unless desperate
# - fe_json_syslog
# - fe_xml_syslog - JSON is preferred
# - hx_cef_syslog
# - fe_cef_syslog
# - fe_csv_syslog
# - fe_xml - JSON is preferred
# - fe_json
# - fe_tap_json
# Can convert syslog to other sourcetypes, but sourcetype should be specified elsewhere
[syslog]
# The next two lines use transforms.conf to send the syslog events and rename them to something other than syslog. fe_xml_syslog and fe_xml_json should be sent directly as those sourcetypes.
TRANSFORMS-updateFireEyeSourcetypes = fix_FireEye_CEF_st, fix_FireEye_CSV_st, fix_FireEye_XML_st, fix_FireEye_JSON_st
TRANSFORMS-updateFireEyeHXSourcetypes = fix_HX_CEF_st, fix_HX2_CEF_st
# Uncomment the next line to send FireEye data to a separate index called "security"
# (note: the fourth entry, fix_FireEye_JSON_st, ends in _st while the other index transforms end in _in; check transforms.conf for the intended stanza name)
TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in
###### FireEye JSON over SYSLOG ###### - RECOMMENDED INSTEAD OF XML
[fe_json_syslog]
SHOULD_LINEMERGE = false
KV_MODE=json
TRUNCATE = 0
SEDCMD-carriage_return = s/[\n\r]/ /g
SEDCMD-remove_nulls = s/\x00//g
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)
# Strip the SYSLOG header off to make it JSON
TRANSFORMS-stripSyslog = FEYE-syslog-header-strip
FIELDALIAS-category_for_fireeye = alert.name as category
FIELDALIAS-id_for_fireeye = alert.id as id
FIELDALIAS-signature_for_fireeye = alert.explanation.malware-detected.malware.name as signature
FIELDALIAS-sig_name_for_fireeye = alert.explanation.ips-detected.sig-name as sig_name
FIELDALIAS-severity_for_fireeye = alert.severity as severity
FIELDALIAS-occurred_for_fireeye = alert.occurred as occurred
FIELDALIAS-transport_for_fireeye = alert.explanation.protocol as transport
FIELDALIAS-src_ip_for_fireeye_app = alert.src.ip as src_ip
FIELDALIAS-src_for_fireeye = alert.src.ip as src
FIELDALIAS-src_port_for_fireeye = alert.src.port as src_port
FIELDALIAS-src_mac_for_fireeye = alert.src.mac as src_mac
FIELDALIAS-dest_ip_for_fireeye_app = alert.dst.ip as dest_ip
FIELDALIAS-dest_for_fireeye = alert.dst.ip as dest
FIELDALIAS-dest_port_for_fireeye = alert.dst.port as dest_port
FIELDALIAS-dest_mac_for_fireeye = alert.dst.mac as dest_mac
FIELDALIAS-file_hash_for_fireeye = alert.explanation.malware-detected.malware.md5sum as file_hash
FIELDALIAS-dvc_ip_cm_for_fireeye = alert.sensor-ip as dvc_ip
FIELDALIAS-dvc_host_cm_for_fireeye = alert.sensor as dvc_host
FIELDALIAS-dvc_ip_for_fireeye = host as dvc_ip
FIELDALIAS-dvc_host_for_fireeye = appliance as dvc_host
EVAL-dvc_host = coalesce(appliance, alert.sensor)
FIELDALIAS-app_for_fireeye = alert.explanation.malware-detected.malware.application as app
FIELDALIAS-action_for_fireeye = alert.action as action
FIELDALIAS-infURL_for_fireeye = alert.explanation.cnc-services.cnc-service.address as infURL
FIELDALIAS-objURL_for_fireeye = alert.explanation.malware-detected.malware{}.objurl as objURL
# This next product extraction line overrides the CM entry if it exists
FIELDALIAS-product_for_fireeye = alert.product as product
FIELDALIAS-product_version_for_fireeye = version as product_version
FIELDALIAS-ext_ref_for_fireeye = alert.alert-url as ext_ref
product = product
# EX Fields
FIELDALIAS-duser_for_fireeye = alert.dst.smtp-to AS duser
FIELDALIAS-suser_for_fireeye = alert.src.smtp-mail-from AS suser
FIELDALIAS-duser_array_for_fireeye = alert{}.dst.smtp-to AS duser
FIELDALIAS-suser_array_for_fireeye = alert{}.src.smtp-mail-from AS suser
FIELDALIAS-malware_url_for_fireeye = alert.src.url as malware_url
FIELDALIAS-id_array_for_fireeye = alert{}.id as id
FIELDALIAS-signature_array_for_fireeye = alert{}.explanation.malware-detected.malware.name as signature
FIELDALIAS-severity_array_for_fireeye = alert{}.severity as severity
FIELDALIAS-occurred_array_for_fireeye = alert{}.occurred as occurred
FIELDALIAS-file_hash_array_for_fireeye = alert{}.explanation.malware-detected.malware.md5sum as file_hash
FIELDALIAS-email_file_name_for_fireeye = alert{}.explanation.malware-detected.malware.original as file_name
FIELDALIAS-recipient_for_fireeye = duser as recipient
FIELDALIAS-src_usr_for_fireeye = suser as src_user
FIELDALIAS-email_subject_for_fireeye = alert.smtp-message.subject as subject
FIELDALIAS-email_id_for_fireeye = id as message_id
# Client request
# (the named capture group in the next three regexes was stripped when the post was rendered; <dest> is restored here, inferred from the extraction names)
EXTRACT-header_dest_for_fireeye = "http-header": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-channel_dest_for_fireeye = "channel": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-objurl_dest_for_fireeye = "objurl": "((\S+)? [^:]+://)?(?<dest>[^/]+)
FIELDALIAS-dnd_address = alert.explanation.cnc-services.cnc-service.address AS cnc_address
FIELDALIAS-cnc_msg = alert.explanation.cnc-services.cnc-service.channel AS cnc_msg
FIELDALIAS-fe_url = alert.explanation.malware-detected.malware{}.objurl AS url
###### FireEye XML over SYSLOG ###### - WE RECOMMEND JSON DUE TO LOWER BROWSER MEMORY USAGE
[fe_xml_syslog]
SHOULD_LINEMERGE = false
KV_MODE=xml
TRUNCATE=0
SEDCMD-carriage_return = s/[\n\r]/ /g
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)(\s
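One way to sanity-check the posted fe_json_syslog stanza against a sample event, as an added example that is not code from the TA or from this post: it emulates the stanza's LINE_BREAKER, its two SEDCMDs and a handful of its FIELDALIAS entries in Python, so you can confirm that a captured event breaks and parses as expected before chasing the transforms. The FEYE-syslog-header-strip transform is not shown in the post, so stripping everything before the first '{' is an assumption, and the two events in RAW are constructed.

```python
import json
import re

# Constructed sample stream: two FireEye-style JSON-over-syslog events (not real alerts)
RAW = (
    '<14>fenotify-1001: {"alert": {"id": 1001, "severity": "majr", '
    '"occurred": "2020-01-01T00:00:00Z", "src": {"ip": "10.0.0.5", "port": 4567},\n'
    ' "dst": {"ip": "192.0.2.10", "port": 80}, "sensor": "fe-nx-01"}}\n'
    '<14>fenotify-1002: {"alert": {"id": 1002, "severity": "minr", '
    '"src": {"ip": "10.0.0.6"}, "dst": {"ip": "192.0.2.11"}, "sensor": "fe-nx-01"}}\x00\n'
)

# LINE_BREAKER exactly as in the posted fe_json_syslog stanza
LINE_BREAKER = re.compile(r'(?:<\d+>fenotify-\d+.?:)')

# A subset of the stanza's FIELDALIAS entries: alias -> JSON path
ALIASES = {
    "id": "alert.id", "severity": "alert.severity", "occurred": "alert.occurred",
    "src_ip": "alert.src.ip", "dest_ip": "alert.dst.ip", "dvc_host": "alert.sensor",
}

def break_events(stream):
    """Emulate LINE_BREAKER: each match of the header regex starts a new event."""
    starts = [m.start() for m in LINE_BREAKER.finditer(stream)]
    ends = starts[1:] + [len(stream)]
    return [stream[s:e] for s, e in zip(starts, ends)]

def sedcmd(event):
    """Emulate SEDCMD-carriage_return (s/[\\n\\r]/ /g) and SEDCMD-remove_nulls (s/\\x00//g)."""
    return re.sub(r'[\n\r]', ' ', event).replace('\x00', '')

def strip_syslog_header(event):
    """Assumed behaviour of the FEYE-syslog-header-strip transform (not shown in the
    post): discard everything before the first '{' so only the JSON body remains."""
    return event[event.index('{'):]

def extract(event):
    """Parse one event as JSON and apply the alias table (KV_MODE=json + FIELDALIAS)."""
    data = json.loads(strip_syslog_header(sedcmd(event)))
    fields = {}
    for alias, path in ALIASES.items():
        node = data
        for key in path.split('.'):
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            fields[alias] = node
    return fields

def process(stream):
    """Run the whole emulated pipeline over a raw syslog stream."""
    return [extract(e) for e in break_events(stream)]

if __name__ == "__main__":
    for fields in process(RAW):
        print(fields)
```

Replace RAW with a few lines captured from the UF or the syslog collector to see whether the real header matches the LINE_BREAKER regex; if break_events returns a single blob, the breaker, not the index transform, is the first thing to look at.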