Deploying eNcore eStreamer 3.6.1 I have found that the field alias for intrusion signatures is not being applied in my searches:
./splunk cmd btool props list cisco:estreamer:data | grep ALIAS
...
FIELDALIAS-estreamer_intrusion_signature = msg AS signature
FIELDALIAS-estreamer_severity = priority AS severity
FIELDALIAS-estreamer_src = src_ip AS src
Attached is a screenshot for one event, you can see that src and severity are there, but there is no signature. Without the fieldalias, anything in the Intrusion Data Model has unknown for the signature of the attack in it.
![alt text][1]
[1]: /storage/temp/274896-screen-shot-2019-10-11-at-24403-pm.png
↧