This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
ittyiypeabraham
Commander Commander
Commander
‎2014-06-23 19:22
513 views

FireEye eMPS content missing

Hello experts,

We have FireEye eMPS 7.10 device sending syslog to our Arcsight connector appliance which is 6.4.1 versiion which has syslog smart connectors running version 7.0.1.6963. Most of the fields of FireEye are parsed and can be seen in the logs. But the field "duser" is not present in the logs. This is a important field as it shows the SMTP receipient ot destination user name in case of FireEye events. I have checked on the raw logs and can see that the field was present in the device logs, but the same is not reflected in Arcsight in the duser/destination user name field. This is holding us up in creating some rules, as its important to know the receipent of the alert. Please let me know what shall I do to resolve this?

Your help is very much appreciated.

Thanks

Ittyiype Abraham

Labels (3)
Labels
0 Likes
Reply
Report Inappropriate Content
2 Replies
kreed7
Absent Member.
Absent Member.
‎2014-06-24 22:25

If I remember correctly, FireEye is sending CEF events to the smartconnector. If the field is correctly present in the raw syslog(and I think duser is correct), then possible there is a flaw in the CEF string or the smartconnector could be processing the fireeye log with the incorrect parser.

For the smartconnector, take a peak at syslog.properties in $smartconnector_home/current/user/agent folder. For your FireEye eMPS you should see (hostname or ip)\:cef_syslog .

If it says anything else after the : then if is being parsed with the incorrect parser. It might be possible to edit the syslog.properties file to tell the connector which processor to use or if it is purpose built for CEF, you could limit the subagents that are used then restart the smartconnector either way.

0 Likes
Reply
Report Inappropriate Content
ittyiypeabraham
Commander Commander
Commander
‎2014-06-28 17:04

Hi Kreed,

Thanks for your input, after our investigation it was found the FireEye product doesn't send the duser field. We also contacted the FireEye vendor and they also have confirmed the same. They say by the next release i.e FireEye 7.1.1 this issue will be resolved.

Thanks

Ittyiype Abraham

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.