Re: FireEye TA linebreak not working for indexing ...

xrtan · ‎05-26-2016

I have a setup running Splunk 6.4 indexing FireEye logs.

FireEye is sending logs in CEF SYSLOG format through port 514, and i have rsyslog receiving these data and writing them to flat file. Splunk will be monitoring the flat file and index them in.

However i notice that sometimes one event consist of 2 or more events. So I tried copying in 3 lines of event for testing and realise logs are not line broken. Is there something wrong with the TA? I cant get it to read line by line even with SHOULD_LINEMERGE=false

TonyLeeVT · ‎05-27-2016

First, ensure you have the following setup:
1) FireEye app only on the search head (https://splunkbase.splunk.com/app/1845/)
2) TA installed on the HF and indexers (not on the search head) (https://splunkbase.splunk.com/app/1904/)

Second, make sure the sourcetype is either syslog or fe_cef_syslog.

If the sourcetype is syslog, the props/transforms will change it to fe_cef_syslog.

Third, make sure rsyslog is not adding any additional headers to the content.
Transforms it looking for the following format for CEF syslog:
REGEX=.fenotify.:\sCEF:\d|FireEye|

If none of that solves the issue, send me a sample of your data via the Help -> Send Feedback menu in the app. Thanks.

xrtan · ‎05-29-2016

Im running a All-in-one Server, so my search head and indexer is the same. Will this be an issue?

FireEye TA linebreak not working for indexing flat-file

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life