Imperva Cyber Community

  • 1.  User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 02-02-2021 15:46
    We are not getting user details for Policy events in Splunk. If those Policy events are aggregated as Distributed in Imperva, we see duser="Multiple".


    Does anyone know how to get/capture the user info related to that event if it is aggregated?

    Thanks
    #DatabaseActivityMonitoring


  • 2.  RE: User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 02-05-2021 04:57
    Hi Vishal,

    I haven't tried it but I guess switching to "send syslog from Gateways" may help in this case.
    Policy events are aggregated at MX into alerts. If syslog is sent from Gateways directly, it should happen before the aggregation.

    - Please be reminded that you need to allow the Gateways' management IP to send syslog traffic to your Splunk server if there is a firewall between them.


    Hope it helps. Thanks.

    ------------------------------
    Louis Tsoi
    Associate Consultant
    Cyberforce Limited
    ------------------------------
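    As an added illustration (not code from either poster or from Imperva), here is a small CEF parser that measures how much user attribution is lost to MX aggregation: it counts how many forwarded Policy alerts carry duser=Multiple and how many underlying events they roll up via the CEF cnt field. The sample lines, vendor/product strings and policy names are constructed for the example; only the CEF layout and the duser/cnt field names are standard.

    ```python
    import re

    # Constructed sample syslog lines in CEF shape; the vendor/product strings and
    # policy names are made up for illustration, not taken from a real capture.
    SAMPLE_SYSLOG = """\
    CEF:0|Imperva|SecureSphere|13.0|Policy Alert|Sensitive Table Access|High|duser=Multiple dst=10.0.0.5 act=Alert cnt=7
    CEF:0|Imperva|SecureSphere|13.0|Policy Alert|Privileged Operation|Medium|duser=app_svc dst=10.0.0.5 act=Alert cnt=1
    CEF:0|Imperva|SecureSphere|13.0|Policy Alert|After Hours Access|Low|duser=dba_jane dst=10.0.0.6 act=Alert cnt=1
    CEF:0|Imperva|SecureSphere|13.0|Policy Alert|After Hours Access|Low|duser=Multiple dst=10.0.0.6 act=Alert cnt=3
    """

    CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                         "signature_id", "name", "severity")


    def parse_cef(line):
        """Parse one CEF line into a dict of header fields plus extension key=value pairs."""
        # The seven header fields are separated by unescaped '|'; the rest is the extension.
        parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
        if len(parts) != 8 or not parts[0].startswith("CEF:"):
            raise ValueError("not a CEF line: %r" % line)
        event = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
        event["version"] = event["version"][len("CEF:"):]
        # Extension values may contain spaces, so a value runs until the next ' key='.
        for m in re.finditer(r'(\w+)=(.*?)(?=\s+\w+=|$)', parts[7]):
            event[m.group(1)] = m.group(2).replace("\\=", "=")
        return event


    def attribution_report(syslog_text):
        """Summarise how many alerts lost their user name to aggregation (duser=Multiple)."""
        events = [parse_cef(l) for l in syslog_text.splitlines() if l.strip()]
        aggregated = [e for e in events if e.get("duser") == "Multiple"]
        return {
            "alerts": len(events),
            "with_user": sum(1 for e in events if e.get("duser") not in (None, "Multiple")),
            "aggregated": len(aggregated),
            # cnt (baseEventCount) tells how many raw events each aggregated alert hides.
            "hidden_events": sum(int(e.get("cnt", 1)) for e in aggregated),
            "aggregated_policies": sorted({e["name"] for e in aggregated}),
        }


    if __name__ == "__main__":
        for key, value in attribution_report(SAMPLE_SYSLOG).items():
            print("%s: %s" % (key, value))
    ```

    Run against a real export before and after switching syslog to the Gateways, the "aggregated" and "hidden_events" counts show whether the change actually restored per-user attribution.
    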



  • 3.  RE: User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 02-06-2021 07:09
    Thanks Louis. I will try this and update you.


    Thanks
    Vishal