Imperva Cyber Community


User information shows as Multiple in Splunk, if Aggregation happened in Imperva

  • 1.  User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 24 days ago
    We are not getting user details for Policy events in Splunk. If those Policy events are aggregated as Distributed in Imperva, we can see duser="Multiple".


    Does anyone know how to get/capture user info related to that event if aggregated?

    Thanks
    #DatabaseActivityMonitoring

    ------------------------------
    Vishal Navale
    concord NC
    ------------------------------


  • 2.  RE: User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 22 days ago
    Hi Vishal,

    I haven't tried it but I guess switching to "send syslog from Gateways" may help in this case.
    Policy events are aggregated at MX into alerts. If syslog is sent from Gateways directly, it should happen before the aggregation.

    - Please be reminded that you need to allow the Gateways' management IP to send syslog traffic to your Splunk server if there is a firewall between them.


    Hope it helps. Thanks.

    ------------------------------
    Louis Tsoi
    Associate Consultant
    Cyberforce Limited
    ------------------------------
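One way to measure how much of a syslog feed still carries per-event user attribution after the switch, as an added Python example that is not from the thread or from Imperva: it parses CEF-style lines and counts events whose duser field has collapsed to "Multiple" (the aggregated-alert case the question describes). The sample lines are constructed, and the header layout and extension keys other than duser are assumptions.

```python
import re
from collections import Counter

# Constructed CEF-style sample lines that imitate what a DAM policy feed might
# look like; they are illustrative only, not captured from a real deployment.
SAMPLE_LINES = [
    "CEF:0|Imperva Inc.|SecureSphere|14.0|Policy Alert|Unauthorized Query|Medium|"
    "duser=Multiple src=10.0.0.5 cs1=Aggregated",
    "CEF:0|Imperva Inc.|SecureSphere|14.0|Policy Alert|Unauthorized Query|Medium|"
    "duser=alice src=10.0.0.5",
    "CEF:0|Imperva Inc.|SecureSphere|14.0|Policy Alert|Unauthorized Query|Medium|"
    "duser=bob src=10.0.0.7",
]

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef(line):
    """Split a CEF line into its seven pipe-delimited header fields and a dict
    of key=value extension pairs. Backslash-escaped '|' and '=' are not handled
    here (a simplification); add that if your feed uses them."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line[4:].split("|", 7)  # 7 header fields, then the extension blob
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # An extension value runs until the next 'key=' token or end of line.
    ext = {m.group(1): m.group(2)
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext


def attribution_report(lines):
    """Count events with a usable user name versus those aggregated at the MX
    (duser=Multiple) or lacking the field entirely."""
    counts = Counter()
    for line in lines:
        _, ext = parse_cef(line)
        user = ext.get("duser", "")
        if user == "Multiple":
            counts["aggregated"] += 1
        elif user:
            counts["attributed"] += 1
        else:
            counts["missing"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(attribution_report(SAMPLE_LINES))
```

Running this before and after enabling gateway-side syslog gives a quick measure of whether the "Multiple" alerts have been replaced by per-user events.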



  • 3.  RE: User information shows as Multiple in Splunk, if Aggregation happened in Imperva

    Posted 20 days ago
    Thanks Louis. I will try this and update you.


    Thanks
    Vishal

    ------------------------------
    Vishal Navale
    concord NC
    ------------------------------