
FireEye App for Splunk Enterprise v3: How to configure FireEye appliances to send syslog data to Splunk?

dwehrydla
New Member

Trying to configure the FireEye appliances to send syslog data, but wanted to confirm the documentation. Based on the details for the app (https://splunkbase.splunk.com/app/1845/#/details) it notes to send syslog from the LMS, not the CM appliances. However, we're running into issues, as it seems the syslog messages from the individual appliances are all management related and do not follow the CEF format. The central manager will syslog alerts in CEF format, and those contain the data we're looking for (at least when sending test alerts).

I don't have direct access to FireEye, but it's my understanding all alerts from the appliances will collect at the central manager.


TonyLeeVT
Builder

Thanks for reaching out. Please check out Figure 14 located on Page 15 of the configuration guide:

https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for...

This has a screenshot of how to configure the LMS appliances to send syslog CEF data.

Instructions are also above Figure 14:

CEF over SYSLOG (TCP)
The first option we will show is how to configure the FireEye device to send CEF over SYSLOG. We understand that sending data via HTTPS may not work for everyone.
Complete the following steps to send data to Splunk using CEF over SYSLOG (TCP):
■ Log into the FireEye appliance with an administrator account
■ Click Settings
■ Click Notifications
■ Click rsyslog
■ Check the “Event type” check box
■ Next to the “Add Rsyslog Server” button, type “Splunk_CEF_SYSLOG”.
■ Then click the “Add Rsyslog Server” button.
■ Enter the IP address of the Splunk server in the “IP Address” field.
Make sure rsyslog settings are:
■ Format: CEF
■ Delivery: Per event
■ Send as: Alert
■ Change the protocol dropdown to TCP (or, for UDP, set the special max chunk-size to 4096)
Remember to click the “Update” button when finished.
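Once the rsyslog destination above is in place, the receiving side usually wants to confirm that what arrives is really CEF alert data and not the management-style messages the question describes. The following is an added example, not code from this thread, FireEye or Splunk: a small Python parser for the CEF header (honouring the \| and \\ escapes) and the key=value extension (honouring \= and \\), run over constructed sample syslog lines whose hostnames, program tags and field values are made up.

```python
import re

# Constructed sample syslog lines (illustrative, not captured FireEye output):
# two CEF alert records and one plain management message.
SAMPLE_LINES = [
    "<13>Mar 10 10:15:02 cm01 fenotify-1234.alert: CEF:0|FireEye|CMS|7.0.1|MO|malware-object|10|"
    "rt=Mar 10 2020 10:15:01 UTC src=10.0.0.5 dst=203.0.113.9 fname=q1\\=final.pdf cs1Label=sname cs1=Trojan.Generic",
    "<14>Mar 10 10:15:03 nx01 sshd[211]: Accepted publickey for admin from 10.0.0.20 port 51234",
    "<13>Mar 10 10:15:04 cm01 fenotify-1235.alert: CEF:0|FireEye|CMS|7.0.1|WI|web-infection\\|callback|8|"
    "src=10.0.0.7 request=http://example.net/p?a\\=1 act=notified",
]
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")  # an extension key starts a token and ends with '='

def split_header(body):
    """Return the 7 pipe-delimited header fields and the raw extension; \\| and \\\\ are unescaped."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1]); i += 2
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    return fields, body[i:]   # after the 7th pipe, everything left is the extension

def parse_extension(ext):
    """Parse 'key=value ...'; values may contain spaces, and \\= / \\\\ are unescaped."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Return the parsed record for a CEF syslog line, or None when the line is not CEF."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    fields, ext = split_header(line[pos + len("CEF:"):])
    if len(fields) != 7:          # malformed header: not enough pipe-delimited fields
        return None
    rec = dict(zip(HEADER, fields))
    rec["ext"] = parse_extension(ext)
    return rec

def triage(lines):
    """Split input into CEF alert records and non-CEF (e.g. management) syslog lines."""
    parsed = [(l, parse_cef(l)) for l in lines]
    return [r for _, r in parsed if r], [l for l, r in parsed if r is None]
```

Running `triage(SAMPLE_LINES)` yields two parsed alert records and leaves the sshd line in the non-CEF list, which is the check to run against a feed that looks management-only.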


sassens1
Path Finder

Hello,

I'd like to send the FireEye logs to another Splunk instance, and for this purpose I've configured my output.conf with sendCookedData = false. The logs are sent over TCP, but I'm receiving them split into 3/4 parts.
For example:

"product" : "Email WPS"
"applicance": "00:C4:7A:XX"
"appliance-id": "xxxx.mycompany.com"

Any idea why it is displayed in multiple parts?

If I change to cooked data I'm receiving logs as this:

--splunk-cooked-mode-v3--x00x00x00x00x00x00x00x00x00x00x00 ../..

TonyLeeVT
Builder

Good day, this does not seem related to the original question asked; thus you may want to open a new question for proper tracking.

This also seems like more of a Splunk question and not so much of a FireEye App specific question. You may want to contact your Splunk rep as well to see if they know the answer.

I can only guess that the data is being split into multiple parts due to improper line breaking? Did you try changing the format? It appears you are using JSON in the sample above. Can you try to switch to TCP syslog CEF and see if you still have the same issue?

Feel free to email via Help -> Send Feedback from within the app and we can try to troubleshoot a bit as well. Hope that helps.
