IBM Support

QRadar: Legacy Cisco Firepower Management Center event type "Connection Statistic"

Troubleshooting


Problem

In older versions of Cisco Firepower Management Center, "RNA Flow Statistics" is the legacy record name from eStreamer 4.x. This article explains how to identify these records and how their rule action is mapped in QRadar.


Note: As of eStreamer 5.x, support for RNA Flow Statistics is discontinued. If you are using a version of eStreamer that is not listed in the QRadar DSM guide, consider upgrading your eStreamer protocol to a supported version.

Cause

How is the event type "Connection Statistic" mapped to firewall allow and deny data in the Log Activity tab?

Resolving The Problem

In the example shown, the event in the payload has the record type RNA_FLOW_STATISTICS. This record type is also known as "Connection Statistics", and it provides the connection events for RNA that appear in Log Activity for Cisco Firepower Management Center logs.
"DeviceType=Estreamer   DeviceAddress=x.x.x.x       CurrentTime=1567644018456       recordType=RNA_FLOW_STATISTICS  recordLength=700        timestamp=05 Sep 2019 01:40:15  netmapDomainRef=0       detectionEngineRef=7    ipAddress=0.0.0.0       MACAddress=00:00:00:00:00:00    hasIPv6=true    eventSecond=0   eventMicroSecond=0      eventType=FLOW_STATISTICS       fileNumber=6E59705D     filePosition=94020000   ipV6Address=0:0:0:0:0:0:0:0     flowStatistics.initiatorIPAddress=x.x.x.x flowStatistics.responderIPAddress=x.x.x.x     flowStatistics.originalClientIPAddress=0:0:0:0:0:0:0:0  flowStatistics.policyRevision=0000000000000000000000005D69CA75  flowStatistics.ruleId=268435469 flowStatistics.tunnelRuleId=0   flowStatistics.ruleAction=2     flowStatistics.ruleReason=64    flowStatistics.initiatorPort=52016      flowStatistics.responderPort=443        flowStatistics.tcpFlags=0       flowStatistics.protocol=6       flowStatistics.netFlowIPAddress=0:0:0:0:0:0:0:0 flowStatistics.instanceId=1     flowStatistics.connectionCounter=46175  flowStatistics.firstPacketTimestamp=1567644011
RNA Flow Statistics is the legacy record name of eStreamer 4.x. These events contain information about the action selected for the rule that triggered the connection event, and QRadar maps them based on the value of the "rule action" field.
The rule action values and their descriptions are as follows:
1 Pending
2 Allow
3 Trust
4 Deny
5 Reset
6 Audit
7 HTTP Bypass
8 Int Reset
9 Rate Limit
10 Agent
11 Captive
12 No Auth
13 Invalid
14 Fast Path
22 NX Domain
23 Sinkhole
 
Based on the rule action, QRadar maps the event's category and action. In this example, the payload field "flowStatistics.ruleAction=2" is mapped to an Allow event record.
For more information on eStreamer protocol, refer to the QRadar DSM Guide.
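As an added example (not part of the IBM article or the QRadar DSM), the following Python code splits an eStreamer payload like the one above into key=value fields and resolves flowStatistics.ruleAction through the table just listed. The sample payload is constructed here with placeholder addresses, the "Unknown" fallback for codes not in the table is an assumption, and no QRadar category names beyond "Allow" are assumed.

```python
import re

# Rule-action codes and names exactly as listed in the article (eStreamer 4.x).
RULE_ACTIONS = {
    1: "Pending", 2: "Allow", 3: "Trust", 4: "Deny", 5: "Reset", 6: "Audit",
    7: "HTTP Bypass", 8: "Int Reset", 9: "Rate Limit", 10: "Agent",
    11: "Captive", 12: "No Auth", 13: "Invalid", 14: "Fast Path",
    22: "NX Domain", 23: "Sinkhole",
}

# Constructed payload modelled on the article's sample (addresses are placeholders).
# Separators are an inconsistent mix of tabs, multiple spaces and single spaces,
# and some values (e.g. timestamp) themselves contain single spaces.
SAMPLE_PAYLOAD = (
    "DeviceType=Estreamer   DeviceAddress=x.x.x.x\trecordType=RNA_FLOW_STATISTICS  "
    "timestamp=05 Sep 2019 01:40:15  MACAddress=00:00:00:00:00:00 "
    "eventType=FLOW_STATISTICS flowStatistics.initiatorIPAddress=x.x.x.x "
    "flowStatistics.responderIPAddress=x.x.x.x   flowStatistics.ruleId=268435469 "
    "flowStatistics.ruleAction=2   flowStatistics.initiatorPort=52016 "
    "flowStatistics.responderPort=443   flowStatistics.protocol=6"
)

# A key is an identifier (dots allowed) followed by '='; a value runs lazily until the
# next "<whitespace><key>=" or end of string, so values containing spaces survive.
_PAIR_RE = re.compile(r"([A-Za-z][\w.]*)=(.*?)(?=\s+[A-Za-z][\w.]*=|$)")


def parse_payload(payload: str) -> dict:
    """Split a whitespace-separated key=value eStreamer payload into a dict."""
    return {key: value for key, value in _PAIR_RE.findall(payload)}


def classify(fields: dict) -> dict:
    """Resolve the rule action of one RNA Flow Statistics record to its name.

    Returns a small summary of the connection plus the mapped action, which is
    what an analyst would expect to see on the Log Activity row. Raises if the
    record is not an RNA_FLOW_STATISTICS record.
    """
    if fields.get("recordType") != "RNA_FLOW_STATISTICS":
        raise ValueError("not an RNA Flow Statistics (Connection Statistics) record")
    code = int(fields["flowStatistics.ruleAction"])
    return {
        "initiator": fields.get("flowStatistics.initiatorIPAddress"),
        "responder": fields.get("flowStatistics.responderIPAddress"),
        "responder_port": fields.get("flowStatistics.responderPort"),
        "protocol": fields.get("flowStatistics.protocol"),
        "rule_action": code,
        "action": RULE_ACTIONS.get(code, "Unknown"),  # assumption: unlisted codes
    }


if __name__ == "__main__":
    print(classify(parse_payload(SAMPLE_PAYLOAD)))
```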

Document Location

Worldwide


Document Information

Modified date:
07 January 2021

UID

ibm11102209