Solved: Is it possible to use only one listener for the Tr...

elvintheo · ‎08-22-2017

I know 'Trend Micro Deep Security for Splunk' app by default creates 6 listeners each listening at unique UDP ports. And, this is to classify/separate events based on the source.
Is there a way we can only use one UDP port to listen to events. So, can we use one sourcetype 'deepsecurity' instead of multiple sub sourcetypes like: deepsecurity-antimalware, deepsecurity-web_reputation etc?

jkat54 · ‎08-22-2017

Yes you can. I do it using a syslog server between Splunk and TMDS.

We send syslog from TMDS in cef format to a syslog server and ingest the data into Splunk as sourcetype = deepsecurity:cef

So theoretically you could send the CEF data directly to Splunk and listen on one port with sourcetype=deepsecurity:cef

View solution in original post

jkat54 · ‎08-22-2017

Yes you can. I do it using a syslog server between Splunk and TMDS.

We send syslog from TMDS in cef format to a syslog server and ingest the data into Splunk as sourcetype = deepsecurity:cef

So theoretically you could send the CEF data directly to Splunk and listen on one port with sourcetype=deepsecurity:cef

salonyag · ‎08-26-2017

Does the trendmicro app for Splunk work with sourcetype = deepsecurity:cef

jkat54 · ‎08-26-2017

Not 100%. Maybe it's just sourcetype=deepsecurity

jkat54 · ‎08-26-2017

Check out what's in the TA in props.conf

klaxdal · ‎08-23-2017

Same here

elvintheo · ‎08-25-2017

This sounds very feasible. Thanks for your answer.

Is it possible to use only one listener for the Trend Micro Deep Security for Splunk app (by limiting sourcetypes)?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life