cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
phainlen
Explorer
Member since: ‎05-16-2012
‎11-18-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎05-16-2012
Activity Feed
View All

Re: FireEye App Not Getting Data

by in All Apps and Add-ons
‎11-05-2012 10:42 AM
1 Karma
‎11-05-2012 10:42 AM
1 Karma
I figured it out. Two things were not correct in my configuration. 1. My notification URL didn't save the entire URL; it had truncated the URL after the source. So check that the URL contains the sourcetype and index values. You may actually have to apply it a few times to get it to work. 2. I created a separate local Splunk admin account named fireeye for use in the MPS notification authentication fields. I changed this back to the Splunk default local "admin" account. After these two modifications, alerts were able to be sent to the Splunk FireEye app. ... View more

Re: FireEye App Not Getting Data

by in All Apps and Add-ons
‎10-30-2012 09:30 AM
‎10-30-2012 09:30 AM
We have logged directly into one of our MPS's and done a test fire to the forwarder URL as noted in the FireEye setup instructions and still nothing. We can receive the xml over the wire to a syslog receiver, but it causes the syslog app to crash I'm guessing because it is in the incorrect format (xml). Thoughts on why the FireEye MPS will send over UDP 514 and not 443? I did a WinDump on the Splunk server when we fired the test xml over HTTP and it showed an error that UDP 514 was not reachable. Why is the FireEye trying to communicate to 514 when we clearly sent the test fire over 443? ... View more

FireEye App Not Getting Data

by in All Apps and Add-ons
‎10-24-2012 10:44 AM
‎10-24-2012 10:44 AM
I have installed the FireEye App for Splunk on a Deployment Server in a distributed environment but cannot get any data to come in through my universal forwarder. The FireEye CMS is configured to send notifications to the URL recommended in the FireEye App 2.0 post. Thinking that it might be DNS resolution related, I changed the hostname in the URL to the IP address for the FireEye URL. https://{IPAddress}:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe. When I look at the network packets, the FireEye CMS isn't even attempting to communicate with the Universal Forwarder. There is no firewall between the FireEye CMS and the universal forwarder. Is there something that's missing in the FireEye CMS config possibly? ... View more

Recommended Number of Forwarders

by in Deployment Architecture
‎07-13-2012 09:25 AM
‎07-13-2012 09:25 AM
Would it be wise to set up redundant forwarders or is one sufficient? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-18-2020 11:41 AM
Karma from
View All