This TA has field extractions, inputs, and index-time props. However, it is missing the CIM-related eventtypes and tags. These are in the dashboard app. However, it would be nicer to just move those into this TA; then we don't have to install the dashboard app to get it to work with ES, or manually copy over the tags and eventtypes.
Additionally, the fw_actions lookup in this TA is missing mappings of "Blocked with reset" and "Trusted", such that the action field does not function fully for the estreamer flow data.
Finally, it mentions the TA doesn't work with Windows. However, the TA works fine with Windows; it is only the input scripts that do not work with Windows, and they are disabled by default. So I might install this TA on, say, a heavy *nix forwarder and configure it to pull the data in, then install it on the Windows or *nix SH for CIM compliance and ES integration.
Thanks!
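Added illustration (not part of the review or the TA's shipped configuration) of what the two fixes described above would look like in Splunk .conf terms. The lookup column names, the sourcetype name and the CIM action values chosen for the two missing rows are assumptions; check them against the TA's own transforms.conf and the CIM Network Traffic data model before deploying.

```ini
# --- fw_actions lookup: add the two missing eStreamer action values ---
# Assumed CSV columns: fw_action (raw eStreamer value) -> action (CIM value).
# Rows to append to the lookup CSV (shown here as comments, since a .conf
# file cannot hold CSV rows):
#   Blocked with reset,blocked
#   Trusted,allowed

# transforms.conf (lookup definition; stanza name assumed)
[fw_actions]
filename = fw_actions.csv
# unmatched raw values should fall through to the CIM default rather than
# leaving the action field empty
default_match = unknown
min_matches = 1

# props.conf (sourcetype name assumed)
[cisco:estreamer:flow]
LOOKUP-fw_actions = fw_actions fw_action OUTPUTNEW action

# --- CIM eventtype and tags so ES picks up the flow data without the
#     dashboard app installed ---
# eventtypes.conf
[cisco_estreamer_flow]
search = sourcetype=cisco:estreamer:flow

# tags.conf (Network Traffic data model requires network + communicate)
[eventtype=cisco_estreamer_flow]
network = enabled
communicate = enabled
```

After deploying, a quick check is `| inputlookup fw_actions` to confirm both new rows are present, and `| datamodel Network_Traffic search` to confirm the flow events are now tagged.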