2017-02-15 12:36 PM
I am in the process of trying to create a reporting alert template to forward alerts to syslog/Splunk. I have hit somewhat of a stumbling block regarding the destination port meta fields.
The following is an example of the template which I am creating.
CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${name}|${severity}| externalId=${meta.sessionid} service=${meta.service} proto=${meta.ip.proto} act=${meta.action} src=${meta.ip.src} spt=${meta.tcp.srcport} dhost=${meta.alias.host} dst=${meta.ip.dst} dpt=${meta.ip.dstport} duser=${meta.user.dst} suser=${meta.user.src} cs1=${meta.did} requestClientApplication=${meta.client} cs1Label=DecoderName request=${meta.referer} cs5Label=QueryString cs5=${meta.query} cs6Label=UDPDestinationPort cs6=${meta.udp.dstport} fsize=${meta.size} fileType=${meta.extension} fname=${meta.filename} filePath=${meta.directory}
In my infrastructure, the ip.dstport meta is not populated; instead, udp.dstport and tcp.dstport are. I am intending to map the dpt CEF field to the Splunk field dest_port. The way I understand this, I need to have either dpt=${meta.tcp.dstport} or dpt=${meta.udp.dstport} depending on whether the session is TCP or UDP. That said, is there a way that this can be incorporated into a single template?
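As an added illustration of the dpt problem described in the post (this is not the product's template engine and not code from the original post), here is a small Python renderer that builds a CEF:0 line from a NetWitness-style meta dictionary, choosing spt/dpt from ip.*, tcp.* or udp.* by ip.proto and escaping header and extension values per the CEF rules. The meta records, vendor/product names and the FIELD_MAP subset are constructed for the example.

```python
# Constructed sample meta records, mimicking the keys used in the template above.
SAMPLE_META = [
    {"sessionid": 101, "ip.proto": 6, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 51234, "tcp.dstport": 443, "alias.host": "example.test"},
    {"sessionid": 102, "ip.proto": 17, "ip.src": "10.0.0.7", "ip.dst": "192.0.2.53",
     "udp.srcport": 40000, "udp.dstport": 53, "query": "a=1|b=2"},
]

# (CEF extension key, meta key). Only populated fields are emitted, so the Splunk
# side never sees an empty "dpt=" value that would mis-parse as dest_port.
FIELD_MAP = [("externalId", "sessionid"), ("proto", "ip.proto"), ("src", "ip.src"),
             ("dst", "ip.dst"), ("dhost", "alias.host"), ("cs5", "query")]
LABELS = {"cs5": "QueryString"}  # custom-string labels, emitted beside their value

def port(meta, which):
    """Return ip.<which> when populated, else the tcp./udp. variant chosen by ip.proto.
    which is 'srcport' or 'dstport'. Unknown proto: try tcp first, then udp."""
    if meta.get(f"ip.{which}") is not None:
        return meta[f"ip.{which}"]
    proto = {6: "tcp", 17: "udp"}.get(meta.get("ip.proto"))
    for prefix in ([proto] if proto else ["tcp", "udp"]):
        if meta.get(f"{prefix}.{which}") is not None:
            return meta[f"{prefix}.{which}"]
    return None

def cef_header(value):
    """CEF header fields escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """CEF extension values escape backslash, '=' and line breaks (pipes are allowed)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def render_cef(meta, vendor="ExampleVendor", product="ExampleProduct",
               version="1.0", name="Alert", severity=5):
    """Render one meta record as a CEF:0 line with protocol-aware spt/dpt."""
    header = "CEF:0|" + "|".join(cef_header(v) for v in
                                 (vendor, product, version, name, severity)) + "|"
    ext = []
    for cef_key, meta_key in FIELD_MAP:
        if meta.get(meta_key) is not None:
            ext.append(f"{cef_key}={cef_ext(meta[meta_key])}")
            if cef_key in LABELS:
                ext.append(f"{cef_key}Label={LABELS[cef_key]}")
    for cef_key, which in (("spt", "srcport"), ("dpt", "dstport")):
        value = port(meta, which)
        if value is not None:
            ext.append(f"{cef_key}={value}")
    return header + " ".join(ext)
```

The same fallback order (ip.dstport first, then the protocol-specific key) is what a Splunk-side field alias or calculated field for dest_port would need to express if the template language cannot branch on ip.proto.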