CiscoSecurity/fp-05-firepower-cef-connector-arcsight

v3.8.1 - Splunk/JSON outputters are NOT working


Hi,

I have recently tried the other outputter formats apart from "CEF" as follows, but the connector is unable to convert the logs to the respective formats.

estreamer.conf

  "outputters": [
    {
      "adapter": "cef",
      "enabled": true,
      "name": "CEF",
      "stream": {
        "uri": "udp://X.X.X.X:514"
      }
    },
    {
      "adapter": "splunk",
      "enabled": true,
      "name": "Splunk",
      "stream": {
        "uri": "udp://Y.Y.Y.Y:514"
      }
    }
  ],

Here is the syslog output

11:32:08.480955 IP (tos 0x0, ttl 64, id 44150, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.480962 IP (tos 0x0, ttl 64, id 44150, offset 1480, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.480963 IP (tos 0x0, ttl 64, id 44150, offset 2960, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.480964 IP (tos 0x0, ttl 64, id 44150, offset 4440, flags [none], proto UDP (17), length 75)
hostname > Y.Y.Y.Y: udp
11:32:08.481012 IP (tos 0x0, ttl 64, id 44151, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.481013 IP (tos 0x0, ttl 64, id 44151, offset 1480, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481014 IP (tos 0x0, ttl 64, id 44151, offset 2960, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481015 IP (tos 0x0, ttl 64, id 44151, offset 4440, flags [none], proto UDP (17), length 71)
hostname > Y.Y.Y.Y: udp
11:32:08.481074 IP (tos 0x0, ttl 64, id 44152, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.481076 IP (tos 0x0, ttl 64, id 44152, offset 1480, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481077 IP (tos 0x0, ttl 64, id 44152, offset 2960, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481078 IP (tos 0x0, ttl 64, id 44152, offset 4440, flags [none], proto UDP (17), length 64)
hostname > Y.Y.Y.Y: udp
11:32:08.481129 IP (tos 0x0, ttl 64, id 44153, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.481142 IP (tos 0x0, ttl 64, id 44153, offset 1480, flags [+], proto UDP (17), length 1500)

Moreover, there is continuous WARNING logging in estreamer.log as well, but as far as I observed this is not related to the above issue.

Below is a sample log.

2021-04-09 11:50:22,016 estreamer.pipeline WARNING ParsingException: Invalid block length (6). RecordType=95, Field=data
2021-04-09 11:50:22,016 estreamer.pipeline WARNING Additional data: --BASE64 String--
2021-04-09 11:50:22,016 estreamer.pipeline WARNING ParsingException: Invalid block length (6). RecordType=95, Field=data
2021-04-09 11:50:22,016 estreamer.pipeline WARNING Additional data: --BASE64 String--
2021-04-09 11:50:22,067 estreamer.pipeline WARNING ParsingException: Invalid block length (0). RecordType=95, Field=data
2021-04-09 11:50:22,067 estreamer.pipeline WARNING Additional data: --BASE64 String--
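One thing the tcpdump capture above does show, independently of the outputter bug: every syslog message toward Y.Y.Y.Y leaves the host as a single UDP datagram of roughly 4.5 KB, which the kernel splits into four IP fragments (offsets 0, 1480, 2960, 4440 under the same IP id). The "[|syslog]" marker on the first fragment is tcpdump saying the payload in that fragment is shorter than the UDP length field promises, which is exactly what fragmentation produces. For a defender this matters because a collector behind any device that drops or rate-limits IP fragments loses the whole message, not just a part of it, so it is worth quantifying. The script below is an added example, not part of the issue or of the connector project: it parses tcpdump -v header lines like the ones quoted above, groups fragments by IP id, reassembles the datagram size and reports whether each message is fragmented and whether all fragments were seen. The sample capture embedded in it is constructed from the first two datagrams of the issue's own output; the 20-byte IPv4 header assumption (no IP options) is mine.

```python
import re
from collections import defaultdict

# Constructed sample: the first two datagrams of the capture quoted in the issue
# (Y.Y.Y.Y is the issue's own placeholder for the Splunk collector).
SAMPLE_CAPTURE = """\
11:32:08.480955 IP (tos 0x0, ttl 64, id 44150, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.480962 IP (tos 0x0, ttl 64, id 44150, offset 1480, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.480963 IP (tos 0x0, ttl 64, id 44150, offset 2960, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.480964 IP (tos 0x0, ttl 64, id 44150, offset 4440, flags [none], proto UDP (17), length 75)
hostname > Y.Y.Y.Y: udp
11:32:08.481012 IP (tos 0x0, ttl 64, id 44151, offset 0, flags [+], proto UDP (17), length 1500)
hostname.42292 > Y.Y.Y.Y.syslog: [|syslog]
11:32:08.481013 IP (tos 0x0, ttl 64, id 44151, offset 1480, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481014 IP (tos 0x0, ttl 64, id 44151, offset 2960, flags [+], proto UDP (17), length 1500)
hostname > Y.Y.Y.Y: udp
11:32:08.481015 IP (tos 0x0, ttl 64, id 44151, offset 4440, flags [none], proto UDP (17), length 71)
hostname > Y.Y.Y.Y: udp
"""

# Assumption: plain IPv4 header without options. tcpdump's "length" is the IP total
# length, header included, and "offset" is already the fragment offset in bytes.
IPV4_HEADER_LEN = 20
UDP_HEADER_LEN = 8

HEADER_RE = re.compile(
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto UDP \(17\), length (?P<length>\d+)"
)


def parse_fragments(capture):
    """Group tcpdump -v IP header lines by IP identification field.

    Returns {ip_id: [(byte_offset, ip_payload_len, more_fragments_flag), ...]}.
    The "hostname > Y.Y.Y.Y: udp" continuation lines carry no header fields and are skipped.
    """
    frags = defaultdict(list)
    for line in capture.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        payload = int(m["length"]) - IPV4_HEADER_LEN
        more = "+" in m["flags"]  # "[+]" means More Fragments set; "[none]" is the last piece
        frags[int(m["id"])].append((int(m["offset"]), payload, more))
    return frags


def reassembled_datagrams(capture, mtu=1500):
    """Per IP id: fragment count, reassembled syslog message size, and whether every
    fragment was seen (first at offset 0, contiguous offsets, last without MF)."""
    report = {}
    for ip_id, parts in parse_fragments(capture).items():
        parts.sort()
        contiguous = all(parts[i][0] + parts[i][1] == parts[i + 1][0] for i in range(len(parts) - 1))
        complete = parts[0][0] == 0 and not parts[-1][2] and contiguous
        ip_payload_total = parts[-1][0] + parts[-1][1]  # UDP header + syslog text
        report[ip_id] = {
            "fragments": len(parts),
            "syslog_bytes": ip_payload_total - UDP_HEADER_LEN,
            "complete": complete,
            "fragmented": len(parts) > 1 or ip_payload_total + IPV4_HEADER_LEN > mtu,
        }
    return report


if __name__ == "__main__":
    for ip_id, info in sorted(reassembled_datagrams(SAMPLE_CAPTURE).items()):
        print(f"ip id {ip_id}: {info['fragments']} fragments, {info['syslog_bytes']} byte syslog "
              f"message, complete={info['complete']}, fragmented={info['fragmented']}")
```

Run it against a longer capture (`tcpdump -nn -v udp port 514`) to see how many messages arrive incomplete at the collector side; a message whose `complete` flag is false on the receiving host was silently lost to whatever dropped a fragment in between, and the remedy is a transport that does not depend on fragmentation (TCP or TLS syslog, or a smaller event payload) rather than tuning the collector.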