
Why is the FireEye App for Splunk Enterprise v3 not properly parsing data?

crt89
Communicator

Good day,

We have already set up the app, but the data coming from FireEye is not properly parsed or fields are missing. To give you an idea of our setup, please see below.

The FireEye appliance's configured rsyslog sends to a heavy forwarder, which forwards to our indexers. On the heavy forwarder, the syslog messages are being dumped into a file using syslog-ng. From there, we define the directory path as a data input, which is then forwarded as the file updates with new logs.

We have installed the FireEye App on the Search Head, but no TA for any of the indexers.

Any thoughts on what items we are still missing? Parsing the app alone will be tedious work.

0 Karma

TonyLeeVT
Builder

jmallorquin is most likely correct in that additional data is being added to the beginning of each event packet, which is preventing the transforms from parsing the data correctly. Thus the sourcetype and eventtype are probably not being correctly populated, which prevents the dashboards from displaying the data correctly (if at all).

Your setup is a bit unique in that you are not merely sending the data directly via HTTPS or syslog. Due to the additional complexity (HF -> Indexer -> read from file) the events are being munged somewhere. Since this scenario is specific to your instance, I would recommend contacting me via the Help -> Send Feedback mechanism within the app itself.

Then we will post a generic solution here for the rest of the folks after we figure out a graceful solution.

Just as a reminder, for more vanilla installs, please use our configuration guide (PDF) found at the top of the documentation section here:
https://splunkbase.splunk.com/app/1845/#/documentation

0 Karma

crt89
Communicator

Hi @TonyLeeVT thanks for your answer. I will be in touch with you using the Help function.

0 Karma

jmallorquin
Builder

Hi,

Probably your syslog service on the heavy forwarder is adding info to the events. Have you tried sending directly to the HF over a TCP port?

Hope I helped you.

0 Karma
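Both answers above point at the same failure mode: a relay (here syslog-ng on the heavy forwarder) prepends its own header, so a transform whose regex is anchored at the start of the event no longer matches and the event silently gets no FireEye sourcetype. The following is an added Python demonstration, not code from the thread or from the FireEye app; the CEF-over-syslog event layout, the syslog-ng header layout, the hostnames and all field values are constructed assumptions.

```python
import re

# Constructed sample: a FireEye appliance sending CEF over syslog
# (assumed format, made-up values).
DIRECT_EVENT = (
    "<134>Mar 10 14:02:11 fireeye-nx CEF:0|FireEye|NX|7.1.0|MO|malware-object|8|"
    "rt=Mar 10 2024 14:02:11 UTC src=10.0.0.5 dst=198.51.100.7 cs1=Trojan.Generic"
)

# The same event after a relay wrote it to a file and prepended its own
# "MMM dd HH:MM:SS host program: " header (assumed syslog-ng layout).
RELAYED_EVENT = "Mar 10 14:02:11 hf01 fireeye-nx: " + DIRECT_EVENT

# Stand-in for a Splunk transform REGEX anchored at the start of _raw:
# optional <PRI>, syslog timestamp, sending host, then the CEF header.
ANCHORED_CEF = re.compile(
    r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"CEF:0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
)

# Hypothetical relay header, recognised only when the original PRI-tagged
# message follows it (the lookahead keeps direct events untouched).
RELAY_HEADER = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+?: (?=<\d{1,3}>)"
)


def sourcetype_for(event: str):
    """Return the sourcetype the anchored transform would assign, or None."""
    m = ANCHORED_CEF.match(event)
    if m and m.group("vendor") == "FireEye":
        return "fe_cef_syslog"
    return None


def strip_relay_header(event: str) -> str:
    """Remove one relay-added syslog header so the event looks as the appliance sent it."""
    return RELAY_HEADER.sub("", event, count=1)


def untyped_ratio(events) -> float:
    """Share of events that would reach the index with no FireEye sourcetype.
    A non-zero value here is the detection gap the dashboards are hiding."""
    misses = sum(1 for e in events if sourcetype_for(e) is None)
    return misses / len(events) if events else 0.0
```

In a real deployment the equivalent normalization belongs on the heavy forwarder at parse time, so the app's own transforms see the event exactly as the appliance emitted it; `untyped_ratio` is the check to run over a sample of indexed events before and after that change.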