Cisco Bug: CSCvt10365 - eNCore eStreamer client displaying rec_type=511 messages with disposition=N/A
Mar 18, 2020
- Cisco Firepower Management Center
Known Affected Releases
Symptom: When integrated with the Cisco FMC, the eNCore eStreamer client displays rec_type=511 messages with invalid disposition values such as disposition=N/A.

Example:

rec_type=511 sha256=5d13f9907ac381d19f0a7552fd6d9fc07c9bd42c0f9ce017fff75587e1890375 name=Clean rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"
rec_type=511 sha256=ed4624bf4bfbeb19ccc102e22245a50fb1f31121b765052c70b4439ba5dcf736 name=Unknown rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"

We confirmed that eStreamer is sending disposition #2, which should be mapped to Unknown, but it appears in Splunk as N/A.

From the eStreamer Integration Guide, the malware status of the file has these possible values:
- 1 — CLEAN: The file is clean and does not contain malware.
- 2 — UNKNOWN: It is unknown whether the file contains malware.
- 3 — MALWARE: The file contains malware.
- 4 — UNAVAILABLE: The software was unable to send a request to the AMP cloud for a disposition, or the AMP cloud services did not respond to the request.
- 5 — CUSTOM SIGNATURE: The file matches a user-defined hash and is treated in a fashion designated by the user.

Conditions: FMC integration with eStreamer eNcore as the eStreamer client. This issue is confirmed in the eStreamer eNcore Add-on for Splunk v3.5 and v3.6.6.
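The following is an added example, not eNcore's own code: it parses the key=value record format shown above, maps the raw disposition code to the names listed in the Integration Guide (so code 2 yields UNKNOWN, and only an unmapped code yields N/A), and audits a batch of records for rec_type=511 entries that arrived with disposition=N/A, which is the symptom described in this bug. The sample lines are constructed to match the two records quoted above.

```python
import re
from typing import Dict, List

# Disposition codes as listed in the eStreamer Integration Guide (quoted on this page).
DISPOSITION_NAMES = {
    1: "CLEAN",
    2: "UNKNOWN",
    3: "MALWARE",
    4: "UNAVAILABLE",
    5: "CUSTOM SIGNATURE",
}

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one eNcore-style key=value record into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def disposition_name(raw) -> str:
    """Map a raw eStreamer disposition code to its guide name; only an unmapped code is N/A."""
    try:
        code = int(raw)
    except (TypeError, ValueError):
        return "N/A"
    return DISPOSITION_NAMES.get(code, "N/A")


def audit_records(lines: List[str]) -> List[str]:
    """Return the sha256 of every rec_type=511 record whose disposition field is N/A."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("rec_type") == "511" and rec.get("disposition") == "N/A":
            flagged.append(rec.get("sha256", ""))
    return flagged


# Constructed sample input modelled on the two records quoted in the bug report.
SAMPLE_LINES = [
    'rec_type=511 sha256=5d13f9907ac381d19f0a7552fd6d9fc07c9bd42c0f9ce017fff75587e1890375 '
    'name=Clean rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"',
    'rec_type=511 sha256=ed4624bf4bfbeb19ccc102e22245a50fb1f31121b765052c70b4439ba5dcf736 '
    'name=Unknown rec_type_desc="File Event SHA Hash" user_defined=0 disposition=N/A rec_type_simple="FILELOG SHA"',
]
```

Running audit_records over an export of rec_type=511 events gives a quick way to measure how many records are affected before and after upgrading the add-on.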