
FireEye and Syslog Server

richard_griffit
Engager

Is it possible to use the FireEye Splunk app with the following configuration:

FireEye sending data to a syslog server in XML format.
Universal forwarder on syslog server monitors file and sends data to the indexers.

In the file on the syslog server, the tag has a space between alert and ID. When using the FireEye Splunk app the queries come up empty.

From what I can tell, the space is causing the search to come up empty. Is there a way to handle the space in the incoming log file?

I am aware of the following from the documentation: "You will have to modify your FireEye's logging configuration to send the logs to Splunk in xml via http."

0 Karma

regriffith
Path Finder

In the end, I set up a heavy forwarder as a middleman for FireEye. Seems like I used JSON format in the FireEye configuration. I no longer work at that company and I don't remember all the things I did.

0 Karma

jat75
Explorer

Ever figure out if a syslog server can sit between the FireEye and Splunk? I am getting data from the FireEye to Splunk currently with SYSLOG CSV UDP, but the app and TA don't seem to be doing anything. Thanks!

0 Karma

jat75
Explorer

Ever figure out if a syslog server can stand between a FireEye and Splunk? Trying to set this up, and I am getting data to Splunk from the FireEye (SYSLOG CSV UDP), but the app and TA don't seem to be doing anything. Thanks!
