CiscoSecurity / fp-05-firepower-cli

Public Repo for an eStreamer CLI project

Log data inefficient #16

Open s33butler opened 1 year ago

s33butler commented 1 year ago

Is it possible to not pad the logs, or to remove the padding before ingest or writing to data? It makes the logs 3 times the size of normal firewall logs, causing a very large increase to the license requirements on SIEMs such as Splunk.

There is really no need for 9 x "N/A"s or 9 x "unknown", and definitely no need for 310 x "0 Zeros".

```
rec_type=71 event_sec=1680866509 ssl_url_category=0 ip_layer=0 netflow_src=00000000-0000-0000-0000-000000000000 ssl_flow_flags=0 dest_pkts=50 ssl_version=Unknown rec_type_simple=RNA src_ip=127.0.0.1 iface_ingress=Inside.3 connection_id=12345 http__response=0 ssl_ticket_id=0000000000000000000000000000000000000000 dest_ipcountry=unknown sec_intel_event=No ssl_server_name="" has_ipv6=1 tcp_flags=0 src_autonomous_system=0 url_reputation=Unknown user_agent="" src_port=54321 fw_rule_reason=N/A file_count=0 ssl_session_id=0000000000000000000000000000000000000000000000000000000000000000 mac_address=00:00:00:00:00:00 dns_resp_id=0 instance_id=2 ssl_expected_action=Unknown event_desc="Flow Statistics" snmp_out=0 dns_rec_id=0 last_pkt_sec=1680866508 ssl_policy_id=00000000000000000000000000000000 ssl_actual_action=Unknown sensor=Cisco-FTD web_app=Unknown url_category=Unknown event_type=1003 dest_autonomous_system=0 ips_count=0 app_proto=TCP event_subtype=1 dns_query="" sec_zone_ingress=Inside fw_policy=00000000-0000-0000-0000-000063ddd620 fw_rule_action=Block dest_tos=0 ssl_cert_fingerprint=0000000000000000000000000000000000000000 referenced_host="" ip_proto=UDP client_app="TCP client" src_mask=0 sec_intel_ip=N/A src_tos=0 vlan_id=0 netbios_domain="" dest_bytes=8665 security_context=00000000000000000000000000000000 user="No Authentication Required" ssl_flow_status=Unknown ssl_server_cert_status="Not Checked" dest_ip=127.0.0.2 ssl_rule_id=0 ssl_flow_messages=0 sec_zone_egress=Zone1 rec_type_desc="Connection Statistics" monitor_rule_7=N/A monitor_rule_6=N/A monitor_rule_5=N/A monitor_rule_4=N/A monitor_rule_3=N/A client_version="" monitor_rule_1=N/A first_pkt_sec=1680866386 monitor_rule_8=0 dest_port=213 url="" sinkhole_uuid=00000000-0000-0000-0000-000000000000 iface_egress=iface1 http_referrer="" num_ioc=0 ssl_flow_error=0 dns_ttl=0 src_ip_country=unknown event_usec=0 fw_rule=268434666 src_bytes=5192 ssl_cipher_suite=TLS_NULL_WITH_NULL_NULL dest_mask=0 src_pkts=50 snmp_in=0 monitor_rule_2=N/A
```

Thank you for your time and assistance
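As an added example, not code from this repository, here is a post-processing filter in Python that strips the padding values the issue lists (N/A, Unknown, empty strings, all-zero ids) from a key=value record before it reaches the SIEM. The sample record is constructed in the shape of the one quoted above, and the ALWAYS_KEEP allowlist is an assumption to tune per deployment: once a zero-valued field is dropped, "absent" and "zero" are indistinguishable downstream, so fields your detections key on should stay in that list.

```python
import re

# Constructed sample record in the same key=value shape as the one quoted in the issue.
SAMPLE = ('rec_type=71 event_sec=1680866509 ssl_url_category=0 '
          'netflow_src=00000000-0000-0000-0000-000000000000 dest_pkts=50 '
          'ssl_version=Unknown src_ip=127.0.0.1 fw_rule_reason=N/A '
          'ssl_ticket_id=0000000000000000000000000000000000000000 '
          'mac_address=00:00:00:00:00:00 event_desc="Flow Statistics" '
          'user="No Authentication Required" dns_query="" dest_bytes=8665 '
          'fw_rule_action=Block monitor_rule_1=N/A tcp_flags=0 ssl_server_name=""')

# Fields kept even when their value looks like padding, because a genuine 0 / empty
# value there carries meaning for detection. Assumption: extend this per site.
ALWAYS_KEEP = {"rec_type", "event_sec", "src_ip", "dest_ip", "src_port", "dest_port",
               "fw_rule_action", "tcp_flags", "instance_id", "event_type"}

# One field: a key, '=', then either a double-quoted value (may contain spaces)
# or a run of non-whitespace characters.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Values made only of zeros plus the separators used in UUIDs, MACs and hex ids.
_ZERO_ONLY = re.compile(r'[0:\-]+')


def is_padding(value: str) -> bool:
    """True for N/A, unknown (any case), empty strings and all-zero identifiers."""
    v = value.strip('"')
    if v == "" or v.upper() == "N/A" or v.lower() == "unknown":
        return True
    return _ZERO_ONLY.fullmatch(v) is not None


def parse_record(line: str) -> dict:
    """Split a key=value record into an ordered dict, keeping quotes on quoted values."""
    return {m.group(1): m.group(2) for m in FIELD.finditer(line)}


def compact_record(line: str) -> str:
    """Drop padding fields from one record, preserving field order and original quoting."""
    kept = [f"{k}={v}" for k, v in parse_record(line).items()
            if k in ALWAYS_KEEP or not is_padding(v)]
    return " ".join(kept)


def savings(line: str) -> float:
    """Fraction of bytes removed from a record by compact_record."""
    return 1 - len(compact_record(line)) / len(line)


if __name__ == "__main__":
    print(compact_record(SAMPLE))
    print(f"{savings(SAMPLE):.0%} smaller")
```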