Want to see Rule Name instead of Rule ID in Logger, when it comes from Estreamer.

All,

We have Estreamer running over firepower and sending logs via APi - Now the thing is in logger we can not see the Rule name, there is only rule ID. Is it possible to get Rule Name in any fields in Logger. So that we dont have to check in FMC eveytime which rule exactly triggered. 

PS: I dont want to create list of Rule name and then map to their respective Rule ID, this gonna be very very long path. 

Any suggestion is heartily appreciated!!

Thanks

Hello jjoshi, are you using the connector or the script? Because there is a script that you can use to grab the events and send them to your syslog connector.

Hi Roy, I am using the script. Just for my clarification: you mentioned events; I am getting all kinds of events, but I am wondering about the Rule Name instead of the Rule ID. But thanks much for your response!!

Hello Joshi,

Are you getting the field "Rule Name" in any of the normalized log fields? Or even in the raw logs?

If yes, you can map any of the ArcSight fields to "Rule Name" using an additional regex parser.

If it is coming in any of the "ad." fields, you can simply map it using additional mapping via ESM.

regards

Sharan bhat


Hi Sharan,

Thanks for the additional information. 

So, I checked the RAW logs and the normalized log fields. No real Rule Name: "deviceCustomString2Label" comes as "fwRule", that's it, and "deviceCustomString2" carries the Rule ID.

Any additional help would be appreciated!

Best.

Jay Joshi

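The situation Jay describes above is that the CEF event from the Cisco/Sourcefire connector carries the rule ID in cs2 with cs2Label=fwRule and no rule name at all. The following is an added example, not code from the thread or from Cisco/Micro Focus: it parses a constructed CEF line of that shape (handling the CEF escapes for "|", "=" and "\"), locates the rule ID via its label rather than a fixed field position, and shows that a name can only be attached from a side table (a constructed, labelled assumption here, e.g. an export from the FMC), which is exactly the limitation Sharan points out.

```python
import re

# Constructed sample CEF event in the shape the thread describes: the
# connector labels deviceCustomString2 as "fwRule" and puts only the numeric
# access-control rule ID in it. Not a real capture.
SAMPLE_CEF = (
    "CEF:0|Cisco|Sourcefire|6.2|430001|Access Control Rule|5|"
    "src=10.0.0.5 dst=192.0.2.10 dpt=443 act=Block "
    "cs2Label=fwRule cs2=268435461 msg=Policy hit\\=yes"
)

HEADER_KEYS = ("version", "vendor", "product", "dev_version",
               "sig_id", "name", "severity")


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus an extension dict.
    Handles the CEF escapes: '\\|' in the header, '\\=' and '\\\\' in extensions."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext = {}
    # A key is a run of word chars followed by an unescaped '='; its value runs
    # (lazily, escape-aware) until the next " key=" or the end of the line.
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext


def rule_id(ext):
    """Return the access-control rule ID, found via the cs<N>Label == "fwRule"
    marker so it still works if the connector moves it to another cs slot."""
    for n in range(1, 7):
        if ext.get(f"cs{n}Label") == "fwRule":
            return ext.get(f"cs{n}")
    return None


# Constructed lookup (assumption): rule ID -> rule name, e.g. exported from the
# FMC. The event itself carries only the ID, so the name must come from here.
RULE_NAMES = {"268435461": "Block-Known-Bad-Egress"}


def enrich(line, names=RULE_NAMES):
    """Parse one CEF line and add an fwRuleName extension from the side table."""
    header, ext = parse_cef(line)
    rid = rule_id(ext)
    ext["fwRuleName"] = names.get(rid, "UNKNOWN") if rid else "NO_RULE_ID"
    return header, ext
```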

Hello Jay,

I am afraid that without the Rule Name getting captured in the raw log or in any of the fields, we won't be able to map it.

If possible, please paste a sample of the raw log here. I can take a look at it once.

regards

Sharan bhat


Hi Sharan,

Attached is the screenshot from logger. Any help would be appreciated!


My bad, I have attached the logger screenshot; will add the RAW log sample soon. Thanks!


Are you using the old implementation with the Perl script to connect to the eStreamer server? A much better version has been created by Cisco to hook up eStreamer with ArcSight, though it is not currently in the documentation.

If you are using the old Perl script, I would recommend switching first; it is not much work (actually a lot less, since the new script does not require any database access or anything).

If you are using the new script already, or even the old one, go to ESM, right-click the connector, choose Send Command, Mappings, Get Additional Mappings, then copy-paste the result you get in return 🙂

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius

Thanks Marius,

I am using the old Perl script.

The results you asked for are as follows:

Additional Data Names Seen:

Vendor/product [ArcSight/ArcSight]:

    message [7 times]

Vendor/product [Cisco/Sourcefire]:

    bytesIn [52477977 times]

    bytesOut [74287444 times]

    requestUrl [7 times]

Vendor/product [Unix/Unix]:

    anacronStartedDate [25 times]

    coreVersion [2 times]

    sshVersion [12 times]


Marius,

Can you please lead me to the new version released by Cisco? Would be great help!

Best,

JJ


I have been away a bit, sorry for the late reply!

Cisco shares this script with their customers, so you would have to acquire it through Cisco, though that took just a few hours by sending them an email.

The new script (which is in Python, and much simpler to set up) just needs to be placed on your connector; copy the eStreamer certificate and username/password, fill in the quick config file they have, and the Python script then gets all eStreamer logs and forwards them in CEF format to your connector. No need for database access or any old Perl libraries to handle anymore.

I have asked MF to update their documentation with this, so hopefully this will be reflected in their documentation as well sometime in the future.

This works on any eStreamer type logs, like Sourcefire, Firepower etc., and it is handy if you have other products in their NGIPS product line like AMP, as you can just connect your Firepower to these other services and instantly get AV logs etc. into your SIEM as well.

@jjoshi Check with your Cisco contact if they can send you a copy of their "eNcore.py eStreamer client". As an example, here is the one they have for Splunk, which is publicly available, though I could not find the normal CLI client, which is what we want; if you log in with your credentials you might see more than I can see: https://community.cisco.com/t5/custom/page/page-id/search?filter=location:technology-support&q=enCore&mode=

//Marius