Trying to configure the FireEye appliances to send syslog data, but wanted to confirm the documentation. Based on the details for the app (https://splunkbase.splunk.com/app/1845/#/details), it notes to send syslog from the LMS, not the CM appliances. However, we're running into issues: on the individual appliances, the syslog messages all appear to be management related and do not follow the CEF format. The central manager will syslog alerts in CEF format and contains the data we're looking for (at least when sending test alerts).
I don't have direct access to FireEye, but it's my understanding all alerts from the appliances will collect at the central manager.