Splunk Enterprise

Imperva CEF not parsing header

joelggoti
Explorer

MicrosoftTeams-image (1).png

Hi, we have trouble seeing the data, sent by syslog in format cef, from the imperva to splunk. we have Splunk Add-on for Imperva SecureSphere WAF installed.

thanks for your quick response,

 

regards

Labels (1)
1 Solution

marycordova
SplunkTrust
SplunkTrust

this is the configuration in Imperva correct?  webUI or something?  where is it getting sent to?  is this a blackbox Imperva installation or are you running on your own *nix server?  the syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.  

what you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between Imperva config to Splunk input.

View solution in original post

marycordova
SplunkTrust
SplunkTrust

The mangled part of the log event is the syslog header, the part that has the timestamp host/ip etc, something like the below googled sample:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com cef stuff here

I think if you take a look at your syslog configuration on Imperva and any intermediary systems supporting your syslog transport you should be able to find the issue.

 

- upvotes appreciated 🤓

joelggoti
Explorer

i use this message:

CEF:0|Imperva Inc.|SecureSphere|[SecureSphere version #] |${Alert.alertType}|${Alert.alertMetadata.alertName}|${Alert.severity}|act=${Alert.immediateAction} dst=${Event.destInfo.serverIp} dpt=${Event.destInfo.serverPort} duser=${Alert.username} src=${Event.sourceInfo.sourceIp} spt=${Event.sourceInfo.sourcePort} proto=${Event.sourceInfo.ipProtocol} rt=#arcsightDate (${Alert.createTime}) cat=Alert cs1=${Rule.parent.displayName} cs1Label=Policy cs2=${Alert.serverGroupName} cs2Label=ServerGroup cs3=${Alert.serviceName} cs3Label=ServiceName cs4=${Alert.applicationName} cs4Label=ApplicationName cs5=${Alert.description} cs5Label=Description

regards

0 Karma

marycordova
SplunkTrust
SplunkTrust

this is the configuration in Imperva correct?  webUI or something?  where is it getting sent to?  is this a blackbox Imperva installation or are you running on your own *nix server?  the syslog that is transporting this data is somehow getting a binary version of the header instead of the raw text.  

what you have there is the payload, but you need to find the syslog configuration itself and validate the implementation along every link in the chain between Imperva config to Splunk input.

View solution in original post

joelggoti
Explorer

yes, this is the message in the configuration in the imperva box.

I will search and validate the configuration in the imperva and I will notify you. Thanks a lot

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Did you install the Imperva add-on on both the indexer(s)/HF(s) AND the search heads?
---
If this reply helps you, an upvote would be appreciated.

joelggoti
Explorer

Thanks for answering, we have a single instance and everything is installed.

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Is there a setting in Imperva where the binary data in the CEF events can be removed?
---
If this reply helps you, an upvote would be appreciated.
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!