FireEye App Not Getting Data

phainlen
Explorer

I have installed the FireEye App for Splunk on a Deployment Server in a distributed environment but cannot get any data to come in through my universal forwarder. The FireEye CMS is configured to send notifications to the URL recommended in the FireEye App 2.0 post. Thinking that it might be DNS resolution related, I changed the hostname in the URL to the IP address for the FireEye URL. https://{IPAddress}:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe. When I look at the network packets, the FireEye CMS isn't even attempting to communicate with the Universal Forwarder. There is no firewall between the FireEye CMS and the universal forwarder. Is there something that's missing in the FireEye CMS config possibly?

1 Solution

phainlen
Explorer

I figured it out. Two things were not correct in my configuration. 1. My notification URL didn't save the entire URL; it had truncated the URL after the source. So check that the URL contains the sourcetype and index values. You may actually have to apply it a few times to get it to work. 2. I created a separate local Splunk admin account named fireeye for use in the MPS notification authentication fields. I changed this back to the Splunk default local "admin" account. After these two modifications, alerts were able to be sent to the Splunk FireEye app.

rleviseur
Explorer

I am having issues with this app as well. What I did:
-Install Fireeye App in Splunk
-Configure HTTP notifications per the Fireeye App instructions
-Verified via tcpdump that the Fireeye appliance is sending the HTTP notifications and that the Splunk server is receiving the traffic

However, there is no data showing up in Splunk itself. A search of index="fe" shows 0 results. And the "index activity overview" page shows that indexes fe & fireeye both have a count of 0.

It looks like the splunkd_access.log shows the post request from the Fireeye appliance with a 401 code. But I have verified multiple times that it is configured with the splunk admin account and password.

Any ideas why this is not receiving the data or how to troubleshoot further?

adrianathome
Communicator

Yes. If you look at the fireeye appliance webpage source code you can see that the form has a limit of 16 characters for password.

rleviseur
Explorer

Figured it out. It seems FireEye has an issue with accepting passwords. We had issues the other day trying to change the local admin password on the FireEye appliance and it not working.

It seems to be the same thing here. I changed the Splunk admin password to a shorter password, updated the HTTP notification settings on FireEye, tested, and now I'm getting 200 responses. Looking good!

rleviseur
Explorer

I removed the index parameter and still get the same 401 code in the splunkd_access.log and no events indexed. Manually going to the link in a browser gives me:

    empty body

I'm running the latest version of Splunk, the FireEye app, and the FireEye code on the appliance.

raziasaduddin
Path Finder

Mine (Splunk 5.0.1) only worked via the simple receiver when I left out the "index=" parameter. Worked fine after that with just source and sourcetype.

Try manually navigating to that REST endpoint and see what you get. Make sure you have HTTPS checked. I think that is required for the REST API.

hcpr
Path Finder

Did you ever get any of these questions resolved?
I'm hitting the very same problems.

raziasaduddin
Path Finder

Questions:

1) Does it have to run under the "admin" account?

2) Does it have to run under an account in the admin role?

3) How do we send these to a dedicated universal forwarder? Do we need anything in inputs.conf or server.conf?

4) Can the forwarder use an account created on a search head or must they be linked?

agodoy
Communicator

I was able to avoid using the admin account. The issue I was having was that the password for the "fireeye" account was > 16 characters. The FireEye http form has a maxlength=16 on the password field. Once I adjusted accordingly I was able to log in with a specific account.

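The two misconfigurations reported in this thread (a notification URL truncated after `source=`, and a Splunk password longer than the 16-character `maxlength` of the appliance's password field) can both be caught before touching the appliance. The following pre-flight checker is an added example, not code from the thread, Splunk or FireEye; the host, credentials and the `require_index` switch (for the Splunk 5.0.1 case where leaving `index=` out was reported to work) are assumptions.

```python
"""Pre-flight checks for a FireEye -> Splunk simple-receiver notification URL.

Added example. Sample URLs and passwords below are constructed; the path
/services/receivers/simple and the query parameters come from the thread.
"""
from urllib.parse import urlparse, parse_qs

RECEIVER_PATH = "/services/receivers/simple"
FORM_PASSWORD_MAXLEN = 16  # maxlength reported for the appliance's password field


def check_receiver_url(url, require_index=True):
    """Return a list of problems found in a simple-receiver notification URL.

    An empty list means the URL carries everything the FireEye app expects.
    """
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme is %r; the REST endpoint expects https" % parts.scheme)
    if parts.path != RECEIVER_PATH:
        problems.append("path is %r; expected %s" % (parts.path, RECEIVER_PATH))
    required = ["source", "sourcetype"] + (["index"] if require_index else [])
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in required:
        if not query.get(name, [""])[0]:
            # Missing trailing parameters are the symptom of the saved URL
            # being cut off after source=, as described in the accepted answer.
            problems.append("missing query parameter %r (URL may have been truncated)" % name)
    return problems


def check_password(password):
    """Return problems with a password as the appliance's HTML form would store it."""
    if len(password) > FORM_PASSWORD_MAXLEN:
        # The form silently keeps only the first 16 characters, so Splunk
        # answers the notification POST with 401 even though the account is valid.
        return ["password is %d chars; form keeps only %d, expect HTTP 401"
                % (len(password), FORM_PASSWORD_MAXLEN)]
    return []


def preflight(url, password, require_index=True):
    """Combine both checks; empty result means the notification should authenticate."""
    return check_receiver_url(url, require_index) + check_password(password)


if __name__ == "__main__":
    # Constructed sample: host is a placeholder, not a real forwarder.
    good = "https://10.0.0.5:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe"
    truncated = "https://10.0.0.5:8089/services/receivers/simple?source=FE_Test"
    for label, url, pw in (("good", good, "Sixteen-char-pw!"), ("bad", truncated, "this-password-is-far-too-long")):
        print(label, preflight(url, pw) or "OK")
```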

sz9009
New Member

The FireEye CMS is the centralized platform for data and policy management, but it does not send the events to Splunk. Each individual MPS performs that activity. Check for activity from each FE appliance.

phainlen
Explorer

We have logged directly into one of our MPSs and done a test fire to the forwarder URL as noted in the FireEye setup instructions and still nothing. We can receive the XML over the wire to a syslog receiver, but it causes the syslog app to crash, I'm guessing because it is in the incorrect format (XML). Thoughts on why the FireEye MPS will send over UDP 514 and not 443? I did a WinDump on the Splunk server when we fired the test XML over HTTP and it showed an error that UDP 514 was not reachable. Why is the FireEye trying to communicate to 514 when we clearly sent the test fire over 443?
