I have a setup running Splunk 6.4 indexing FireEye logs.
FireEye is sending logs in CEF syslog format through port 514, and I have rsyslog receiving this data and writing it to a flat file. Splunk will be monitoring the flat file and indexing it.
However, I notice that sometimes one event consists of 2 or more events. So I tried copying in 3 lines of events for testing and realised the logs are not line broken. Is there something wrong with the TA? I can't get it to read line by line even with SHOULD_LINEMERGE=false.
First, ensure you have the following setup:
1) FireEye app only on the search head (https://splunkbase.splunk.com/app/1845/)
2) TA installed on the HF and indexers (not on the search head) (https://splunkbase.splunk.com/app/1904/)
Second, make sure the sourcetype is either syslog or fe_cef_syslog.
If the sourcetype is syslog, the props/transforms will change it to fe_cef_syslog.
Third, make sure rsyslog is not adding any additional headers to the content.
Transforms is looking for the following format for CEF syslog:
REGEX=.fenotify.:\sCEF:\d|FireEye|
If none of that solves the issue, send me a sample of your data via the Help -> Send Feedback menu in the app. Thanks.
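As an added example (not from this thread or the FireEye TA), here is a Python sketch of how Splunk applies LINE_BREAKER with SHOULD_LINEMERGE = false and how the transform regex quoted in the answer re-types a syslog event to fe_cef_syslog. The sample events, the header-based fallback breaker for a file written without newlines, and the escaping of the CEF pipes in the regex are all assumptions.

```python
import re

# Constructed sample of the flat file rsyslog writes: three FireEye CEF syslog
# events, newline separated. Host, ids and timestamps are made up.
SAMPLE = (
    "Mar  1 10:00:01 fireeye fenotify-: CEF:0|FireEye|MPS|7.0.1|MO|malware-object|4|rt=Mar 01 2016 10:00:00 UTC\n"
    "Mar  1 10:00:02 fireeye fenotify-: CEF:0|FireEye|MPS|7.0.1|WI|web-infection|8|rt=Mar 01 2016 10:00:01 UTC\n"
    "Mar  1 10:00:03 fireeye fenotify-: CEF:0|FireEye|MPS|7.0.1|IM|infection-match|5|rt=Mar 01 2016 10:00:02 UTC\n"
)

# Splunk's default LINE_BREAKER: the text matched by capture group 1 marks the
# event boundary and is discarded. Pair it with SHOULD_LINEMERGE = false.
DEFAULT_BREAKER = re.compile(r"([\r\n]+)")

# Fallback (an assumption, not part of the TA) for a file where events were
# written without newlines: break on whitespace that precedes the next syslog header.
HEADER_BREAKER = re.compile(r"(\s+)(?=[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)")

# The transform regex quoted in the answer, with the CEF field separators
# escaped as literal pipes (assumed; unescaped they would be alternations).
FE_CEF = re.compile(r".fenotify.:\sCEF:\d\|FireEye\|")


def break_events(raw, breaker=DEFAULT_BREAKER):
    """Split a raw buffer into events the way Splunk applies LINE_BREAKER."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        chunk = raw[start:m.start(1)]
        if chunk:
            events.append(chunk)
        start = m.end(1)
    if raw[start:]:
        events.append(raw[start:])
    return events


def route_sourcetype(event, incoming="syslog"):
    """Mimic the TA's props/transforms: a syslog event matching FE_CEF is
    re-typed to fe_cef_syslog; anything else keeps its incoming sourcetype."""
    if incoming in ("syslog", "fe_cef_syslog") and FE_CEF.search(event):
        return "fe_cef_syslog"
    return incoming


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(route_sourcetype(ev), "->", ev[:60])
    merged = SAMPLE.replace("\n", " ")  # same events with the newlines lost
    print(len(break_events(merged)), "event(s) with the default breaker")
    print(len(break_events(merged, HEADER_BREAKER)), "event(s) with the header breaker")
```

If the default breaker yields one event where you expect three, the file itself lacks the newlines, and the fix belongs in the rsyslog output template rather than in the TA.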
I'm running an all-in-one server, so my search head and indexer are the same. Will this be an issue?