I have installed the FireEye App for Splunk on a Deployment Server in a distributed environment but cannot get any data to come in through my universal forwarder. The FireEye CMS is configured to send notifications to the URL recommended in the FireEye App 2.0 post. Thinking that it might be DNS resolution related, I changed the hostname in the URL to the IP address for the FireEye URL. https://{IPAddress}:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe. When I look at the network packets, the FireEye CMS isn't even attempting to communicate with the Universal Forwarder. There is no firewall between the FireEye CMS and the universal forwarder. Is there something that's missing in the FireEye CMS config possibly?
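A check that separates the two halves of this problem (is the universal forwarder actually listening on 8089, and does a hand-crafted POST to the receivers/simple URL in the question get accepted?) is useful before blaming the FireEye CMS config. The following is an added example written for this page, not code from the FireEye App or from Splunk; the host address, the `admin`/password credentials and the `verify_tls=False` option for a self-signed forwarder certificate are assumptions for a lab, and the payload is a constructed stand-in for a FireEye XML notification.

```python
import base64
import socket
import ssl
import urllib.parse
import urllib.request

# Assumed sample FireEye-style payload (constructed, not a real alert).
SAMPLE_EVENT = '<alerts><alert id="test"><name>connectivity-check</name></alert></alerts>'


def build_receiver_url(host, port=8089, source="FE_Test", sourcetype="fe_xml", index="fe"):
    """Build the receivers/simple URL used in the question, with the query string properly encoded."""
    query = urllib.parse.urlencode({"source": source, "sourcetype": sourcetype, "index": index})
    return f"https://{host}:{port}/services/receivers/simple?{query}"


def port_open(host, port, timeout=3.0):
    """TCP connect test: True if something is listening on host:port, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def post_test_event(url, username, password, payload=SAMPLE_EVENT, timeout=10.0, verify_tls=True):
    """POST one event to the receivers/simple endpoint with HTTP basic auth; return the HTTP status code.

    Splunk's management port requires authentication, so a 401 here means the endpoint is reachable
    but the credentials are wrong; a 200 means the event was accepted.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=payload.encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "text/xml"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Assumption: the forwarder presents a self-signed certificate in this lab.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def diagnose(host, username="admin", password="changeme", port=8089, verify_tls=False):
    """Run the two checks in order and report which stage failed.

    If the port is closed, the CMS cannot deliver anything regardless of its config;
    if the port is open but the POST is rejected, the endpoint or credentials are the problem.
    """
    result = {"url": build_receiver_url(host, port), "port_open": port_open(host, port), "post_status": None}
    if result["port_open"]:
        result["post_status"] = post_test_event(result["url"], username, password, verify_tls=verify_tls)
    return result


if __name__ == "__main__":
    # Assumed forwarder address; replace with the universal forwarder's IP.
    print(diagnose("192.0.2.10"))
```

Run it from the same network segment as the FireEye CMS. If `port_open` is False, the forwarder is not listening on 8089 (or is bound to a different interface); if the POST returns 200 but the CMS still generates no traffic, the problem is on the CMS side, which matches what the packet capture in the question suggests.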