Troubleshooting
Problem
In older versions of Cisco Firepower Management Center, RNA Flow Statistics is the legacy record name from eStreamer 4.x. This article explains how to identify them.
Note: As of eStreamer 5.x, support for RNA Flow Statistics is discontinued. If you are using a version of eStreamer that is not listed in the QRadar DSM guide, you might choose to upgrade your eStreamer protocol to one that is supported.
Cause
How is the event type "Connection Statistic" mapped to firewall allow and deny data in the Log Activity tab?
Resolving The Problem
In the example shown, the second event in the payload has the record type RNA_FLOW_STATISTICS. This record type is also known as "Connection Statistics" and provides the RNA connection events that appear in Log Activity for Cisco Firepower Management Center logs.
"DeviceType=Estreamer DeviceAddress=x.x.x.x CurrentTime=1567644018456 recordType=RNA_FLOW_STATISTICS recordLength=700 timestamp=05 Sep 2019 01:40:15 netmapDomainRef=0 detectionEngineRef=7 ipAddress=0.0.0.0 MACAddress=00:00:00:00:00:00 hasIPv6=true eventSecond=0 eventMicroSecond=0 eventType=FLOW_STATISTICS fileNumber=6E59705D filePosition=94020000 ipV6Address=0:0:0:0:0:0:0:0 flowStatistics.initiatorIPAddress=x.x.x.x flowStatistics.responderIPAddress=x.x.x.x flowStatistics.originalClientIPAddress=0:0:0:0:0:0:0:0 flowStatistics.policyRevision=0000000000000000000000005D69CA75 flowStatistics.ruleId=268435469 flowStatistics.tunnelRuleId=0 flowStatistics.ruleAction=2 flowStatistics.ruleReason=64 flowStatistics.initiatorPort=52016 flowStatistics.responderPort=443 flowStatistics.tcpFlags=0 flowStatistics.protocol=6 flowStatistics.netFlowIPAddress=0:0:0:0:0:0:0:0 flowStatistics.instanceId=1 flowStatistics.connectionCounter=46175 flowStatistics.firstPacketTimestamp=1567644011
RNA Flow Statistics is the legacy record name from eStreamer 4.x. These events contain the action selected for the rule that triggered the connection event, and QRadar maps them based on the value of the "rule action" field.
The rule action values and their descriptions are as follows:
1 Pending
2 Allow
3 Trust
4 Deny
5 Reset
6 Audit
7 HTTP Bypass
8 Int Reset
9 Rate Limit
10 Agent
11 Captive
12 No Auth
13 Invalid
14 Fast Path
22 NX Domain
23 Sinkhole
Based on the rule action, QRadar maps the event category and action. In this example, the payload field "flowStatistics.ruleAction=2" is mapped to an Allow event record.
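As an added illustration (not IBM's or Cisco's code), the following Python parses a payload in the key=value form shown above, looks up flowStatistics.ruleAction in the table from this article, and summarizes the connection event; the sample payload and its addresses are constructed, and the timestamp field is handled specially because its value contains spaces.

```python
# Rule action values and their descriptions, as listed in this article.
RULE_ACTIONS = {
    1: "Pending", 2: "Allow", 3: "Trust", 4: "Deny", 5: "Reset", 6: "Audit",
    7: "HTTP Bypass", 8: "Int Reset", 9: "Rate Limit", 10: "Agent", 11: "Captive",
    12: "No Auth", 13: "Invalid", 14: "Fast Path", 22: "NX Domain", 23: "Sinkhole",
}

# Constructed sample in the key=value form of the payload shown above (documentation
# addresses). The timestamp value contains spaces, the one awkward case in this format.
SAMPLE_PAYLOAD = (
    "DeviceType=Estreamer DeviceAddress=192.0.2.10 recordType=RNA_FLOW_STATISTICS "
    "recordLength=700 timestamp=05 Sep 2019 01:40:15 eventType=FLOW_STATISTICS "
    "flowStatistics.initiatorIPAddress=192.0.2.50 flowStatistics.responderIPAddress=198.51.100.7 "
    "flowStatistics.ruleId=268435469 flowStatistics.ruleAction=2 flowStatistics.ruleReason=64 "
    "flowStatistics.initiatorPort=52016 flowStatistics.responderPort=443 flowStatistics.protocol=6"
)


def parse_payload(payload):
    """Split a space-separated key=value payload into a dict. A token without '='
    continues the previous value, so 'timestamp=05 Sep 2019 01:40:15' stays whole."""
    fields, last_key = {}, None
    for token in payload.split():
        if "=" in token:
            last_key, _, value = token.partition("=")
            fields[last_key] = value
        elif last_key is not None:
            fields[last_key] += " " + token
    return fields


def rule_action_label(fields):
    """Description for flowStatistics.ruleAction; unknown or missing codes are flagged."""
    raw = fields.get("flowStatistics.ruleAction")
    if raw is None or not raw.isdigit():
        return "Missing"
    return RULE_ACTIONS.get(int(raw), "Unknown (%s)" % raw)


def summarize_connection_event(payload):
    """Summarize an RNA_FLOW_STATISTICS record; other record types return None."""
    f = parse_payload(payload)
    if f.get("recordType") != "RNA_FLOW_STATISTICS":
        return None
    return {
        "timestamp": f.get("timestamp"),
        "initiator": "%s:%s" % (f.get("flowStatistics.initiatorIPAddress"), f.get("flowStatistics.initiatorPort")),
        "responder": "%s:%s" % (f.get("flowStatistics.responderIPAddress"), f.get("flowStatistics.responderPort")),
        "rule_id": f.get("flowStatistics.ruleId"),
        "rule_action": rule_action_label(f),
    }
```

Codes not in the table are reported as "Unknown (<code>)" rather than silently dropped, which is the case worth alerting on when a newer eStreamer version introduces a rule action this mapping does not know.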
For more information on eStreamer protocol, refer to the QRadar DSM Guide.
Document Information
Modified date:
07 January 2021
UID
ibm11102209