FireEye eMPS content missing
We have a FireEye eMPS 7.10 device sending syslog to our ArcSight connector appliance, which is version 6.4.1 and has syslog SmartConnectors running version 184.108.40.20663. Most of the FireEye fields are parsed and can be seen in the logs. But the field "duser" is not present in the logs. This is an important field, as it shows the SMTP recipient or destination user name in the case of FireEye events. I have checked the raw logs and can see that the field was present in the device logs, but the same is not reflected in ArcSight in the duser/destination user name field. This is holding us up in creating some rules, as it's important to know the recipient of the alert. Please let me know what I should do to resolve this?
Your help is very much appreciated.
If I remember correctly, FireEye is sending CEF events to the SmartConnector. If the field is correctly present in the raw syslog (and I think duser is correct), then possibly there is a flaw in the CEF string, or the SmartConnector could be processing the FireEye log with the incorrect parser.
For the SmartConnector, take a peek at syslog.properties in the $smartconnector_home/current/user/agent folder. For your FireEye eMPS you should see (hostname or ip)\:cef_syslog.
If it says anything else after the :, then it is being parsed with the incorrect parser. It might be possible to edit the syslog.properties file to tell the connector which processor to use, or if it is purpose built for CEF, you could limit the subagents that are used. Either way, restart the SmartConnector afterwards.
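A quick way to confirm from the raw syslog whether the device actually emits `duser` before touching the connector configuration, as an added example and not code from this thread: a small CEF parser that honours the escaped `\|`, `\=` and `\\` sequences and reports the recipient field. The two sample lines are constructed for illustration, not real FireEye output.

```python
import re

# Constructed sample CEF lines (not real FireEye output); the second one lacks "duser".
SAMPLE_WITH_DUSER = (
    "CEF:0|FireEye|eMPS|7.10|MO|malware-object|4|"
    "rt=Jan 01 2016 10:00:00 UTC suser=sender@example.test "
    "duser=recipient@example.test fname=invoice.pdf"
)
SAMPLE_WITHOUT_DUSER = (
    "CEF:0|FireEye|eMPS|7.10|MO|malware-object|4|"
    "rt=Jan 01 2016 10:00:00 UTC suser=sender@example.test fname=invoice.pdf"
)

# Unescaped '|' separates the seven CEF header fields from each other and from the extension.
_HEADER_SEP = re.compile(r"(?<!\\)\|")
# An extension key is a run of key characters at start-of-string or after whitespace, then '='.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value):
    # CEF escapes '=', '|' and '\' with a backslash; '\n' and '\r' stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_cef(line):
    """Return (list of 7 header fields, extension string) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SEP.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return [_unescape(p) for p in parts[:7]], parts[7]


def parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...' where values may contain spaces and escaped characters."""
    fields = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return fields


def duser_of(line):
    """Return the SMTP recipient carried in the CEF 'duser' field, or None if absent."""
    _, ext = split_cef(line)
    return parse_extension(ext).get("duser")
```

If `duser_of` returns None on the raw line captured from the device, the gap is upstream of ArcSight and no parser mapping in syslog.properties will put the field back.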
Thanks for your input. After our investigation it was found that the FireEye product doesn't send the duser field. We also contacted the FireEye vendor, and they have confirmed the same. They say that by the next release, i.e. FireEye 7.1.1, this issue will be resolved.