- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why is the FireEye App for Splunk Enterprise v3 no...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the FireEye App for Splunk Enterprise v3 not properly parsing data?
Good day,
We have already set up the app, but the data coming from FirEye is not properly parsed or fields are missing. To have an idea on our setup, please see below.
FireEye appliance configured rsyslog sends to a heavy forwarder that forwarders to our indexers. In the heavy forwarder, syslog files are being dumped in a file using syslog-ng. From there, we define the directory path as data inputs which are then later being forwarded as the file updates/logs.
We have installed the FireEye App on the Search Head, but no TA for any of the indexers.
Any thoughts on what items we are still missing? Parsing the app alone will be tedious work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jmallorquin is most likely correct in that additional data is being added to the beginning of each event packet which is preventing the transforms from parsing the data correctly. Thus the sourcetype and eventtype is probably not being correctly populated which prevents the dashboards from displaying the data correctly (if at all).
Your setup is a bit unique in that you are not merely sending the data directly via HTTPS or syslog. Due to the additional complexity (HF -> Indexer -> read from file) the events are being munged somewhere. Since this scenario is specific to your instance, I would recommend contacting me via the Help -> Send Feedback mechanism within the app itself.
Then we will post a generic solution here for the rest of the folks after we figure out a graceful solution.
Just as a reminder, for more vanilla installs. Please use our configuration guide (PDF) found at the top of the documentation section here:
https://splunkbase.splunk.com/app/1845/#/documentation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @TonyLeeVT thanks for your answer. I will be in touch with you using the Help function.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Probably your syslog service in the heavy forwarding is adding info to the events. Have you try to send directly to hf by tcp port?
Hope i help you
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
