FireEye App for Splunk Enterprise v3: Why is the app not displaying any data in the dashboard and event view?

tung62
New Member

I have installed FireEye App for Splunk Enterprise v3 in Splunk 6.x. FireEye EX 7.x sends XML syslog to Splunk.

I set the sourcetype as "fireeye" in Splunk, and I can successfully search the FireEye log by sourcetype="fireeye". However, the FireEye App 3.0 does not show any data in the dashboard or in the event view.

The log format received is as attached:

0 Karma

TonyLeeVT
Builder

Please see the valid sourcetypes section on the Details page below. For this format, you need to use fe_xml_syslog. It may be best to start simple (ex: fe_cef_syslog), though, and then go to a more robust format.

https://splunkbase.splunk.com/app/1845/#/details

Pasted below for your convenience:

Sourcetypes
Supported protocols and corresponding sourcetypes are:

    Protocol/format                  Sourcetype
 1) JSON over HTTPS                  fe_json
 2) XML over HTTPS                   fe_xml
 3) CEF over SYSLOG - TCP            fe_cef_syslog
 4) CEF over SYSLOG - UDP            fe_cef_syslog
 5) XML over SYSLOG - TCP            fe_xml_syslog
 6) XML over SYSLOG - UDP            fe_xml_syslog
 7) JSON over SYSLOG - TCP           fe_json_syslog
 8) JSON over SYSLOG - UDP           fe_json_syslog
 9) CSV over SYSLOG - TCP            fe_csv_syslog
10) CSV over SYSLOG - UDP            fe_csv_syslog
    HX Endpoint Appliance            hx_cef_syslog
    Threat Analytics Platform (TAP)  fe_tap_json
    Email Threat Prevention (ETP)    fe_etp

0 Karma

tung62
New Member

And I would like to highlight to you that the statistics (e.g. Total Malicious Email, Attachment) are not correct. This is because FireEye sends two or more events for a single email if the email attachment is zipped. It can't simply count the user or hash. The logic may be complex.

0 Karma

tung62
New Member

I modified your extraction "fe_xml_syslog : EXTRACT-mail_suser_duser_for_fireeye". The domain field is removed from your extraction, and then it works. The raw log does not have a domain field.

0 Karma

tung62
New Member

After changing to sourcetype=fe_xml_syslog, some dashboards (e.g. severity, malware) can show content. However, some dashboards (e.g. senders, recipients) show no content. The FireEye app cannot parse the XML log to extract some fields.

0 Karma

TonyLeeVT
Builder

So you are parsing EX events. We would need to set up a VTC to see why it is not parsing. Feel free to send an email via the app (Help -> Send Feedback) so we can set one up.

Alternatively, did you try switching to sourcetype fe_cef_syslog and changing the FEYE appliances to use syslog and CEF to see if that meets your needs?

0 Karma

tung62
New Member

Do you mean that I need to manually set the sourcetype as "fe_xml_syslog" in Splunk's Data Inputs setting page?

0 Karma

TonyLeeVT
Builder

Instead of setting it to fireeye as you mentioned before, set it to fe_xml_syslog, then let us know if it works.

0 Karma
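The fix the thread converges on, as an added inputs.conf example that is not from the thread or from the FireEye app itself: the sourcetype the question used next to the one the app's Sourcetypes table assigns to XML over syslog. The file path, port 514 and the index name are assumptions; use whatever the EX appliance actually sends to.

```ini
# Added example, not the app's own config: $SPLUNK_HOME/etc/system/local/inputs.conf
# (path, port 514 and the index are assumptions).

# Setting from the original question. Events index fine and are searchable
# with sourcetype=fireeye, but the app's dashboards and event view stay empty:
# its searches and field extractions (e.g. EXTRACT-mail_suser_duser_for_fireeye)
# are keyed to the app's own sourcetypes, so "fireeye" never matches them.
#[udp://514]
#sourcetype = fireeye
#index = fireeye

# Corrected setting for XML over syslog (UDP), row 6 of the app's table.
[udp://514]
sourcetype = fe_xml_syslog
index = fireeye
connection_host = ip

# Same mapping for XML over syslog (TCP), row 5 of the table, if the
# appliance is configured to send over TCP instead.
[tcp://514]
sourcetype = fe_xml_syslog
index = fireeye
connection_host = ip

# After a restart, confirm the mapping with a search such as:
#   index=fireeye sourcetype=fe_xml_syslog
# Only events indexed after the change carry the new sourcetype; the dashboards
# will not populate from events already stored as sourcetype=fireeye.
```

The same change can be made in the Data Inputs page that tung62 asks about; if the appliance is switched to CEF, substitute fe_cef_syslog as TonyLeeVT suggests.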