Problem extracting data (Fields related) #8
Comments
Hi Marcelo
You should be using LEEF. If I recall correctly you need to choose QRadar in the format to have it output LEEF. The Splunk option wasn't available when I started building these add-ons and app.
Can you post a sanitised sample of your data? The only reason to have data generated with a timestamp in the future would be if you have problems with timezone or misconfigured server times, since the add-on is not doing anything regarding time. Check the time of your Splunk server and Kaspersky server. Are you using a common NTP server?
After looking at your profile I saw you might be in GMT-3. I was thinking, if I'm correct, 4h in the future would be something like your data coming in as UTC if you are under DST.
Have you compared the timestamp and TZ of the server where you are hosting the Kaspersky SC console with the one in the logs? The thing here is, when you index data you can either extract or assign a TZ to your data. This allows Splunk to adjust it to the TZ you have in your profile. From Splunk docs:
I checked some logs from yesterday, when I used the "syslog" source type on the Data Input, and the results are the same that I got using the "kaspersky:leef" source type, so I don't think the problem is actually the TA. On the Kaspersky SC console the time is correct. The TZ on my profile is GMT-3 (Brasilia). When I used the CEF format for the logs the time wasn't showing on the log, but with LEEF it shows. Could it be related smh?
From what you're telling me I'm starting to believe it's safe to assume that regardless of the time you have in the Kaspersky server, LEEF will always output UTC. If that's the case, it's just a matter of adding TZ to the "kaspersky:leef" source type. Can you test adding TZ = UTC to the source type in the TA and index some data?
Have you restarted Splunk after that?
OK, I've been looking into my data and it seems that my thesis is correct. LEEF outputs in UTC/GMT. I have a 1h difference in my data because we are in DST, which means GMT+1. I'm going to fix this TZ issue and release an update.
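The skew this thread is chasing, as an added example that is not code from the thread or from the add-on: the script below parses a constructed LEEF 1.0 event and shows how far a zone-less devTime drifts when the indexer assigns its own local zone instead of UTC (the effect of `TZ = UTC` on the sourcetype in props.conf). The vendor, product and attribute names in the sample are assumptions, not taken from a real Kaspersky Security Center export.

```python
from datetime import datetime, timedelta, timezone

# Constructed LEEF 1.0 event in the layout the add-on ingests; the header
# values and attribute names are illustrative assumptions, not a real export.
SAMPLE = ("LEEF:1.0|Kaspersky|SecurityCenter|13.0|VirusDetected|"
          "devTime=Mar 15 2021 14:05:00\tsrc=10.0.0.5\tcat=Threat")

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

def parse_leef(line):
    """Split a LEEF line into its header dict and its tab-separated attributes."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["version"] = header["version"].split(":", 1)[1]
    attrs = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key] = value
    return header, attrs

def event_time(attrs, assumed_tz):
    """devTime carries no zone designator, so whoever indexes it must assign one."""
    naive = datetime.strptime(attrs["devTime"], "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)

def event_time_utc_iso(attrs):
    """The correct reading given the thread's finding that LEEF emits UTC
    (what Splunk does once the sourcetype carries TZ = UTC)."""
    return event_time(attrs, timezone.utc).isoformat()

def skew_hours(attrs, local_offset_hours):
    """Apparent shift in hours (positive = event appears in the future) when
    the indexer assumes its own UTC+offset zone for a devTime that is really UTC."""
    local = timezone(timedelta(hours=local_offset_hours))
    wrong = event_time(attrs, local)
    right = event_time(attrs, timezone.utc)
    return (wrong - right).total_seconds() / 3600

if __name__ == "__main__":
    header, attrs = parse_leef(SAMPLE)
    print(header["event_id"], event_time_utc_iso(attrs))
    print("GMT-3 indexer without TZ set: %+.0fh" % skew_hours(attrs, -3))
    print("GMT+1 indexer without TZ set: %+.0fh" % skew_hours(attrs, 1))
```

A GMT-3 indexer that guesses local time pushes the event three hours into the future, while a GMT+1 indexer pulls it one hour into the past, which is the direction of the 1h difference reported above.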
The new version of the add-on has been released on Splunkbase. Please check if it solves your issue.
Hi, I downloaded the app and started using it. I had to make some adaptations on the search of the dashboards, since in my Splunk the fields you were searching are not extracted by default. The thing is, in some dashboards I managed to do fine in the extracting, but in some others I can't get trustworthy information. Could you please share how you did your field extraction?