Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- FireEye XML to Universal Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to set up FireEye to send events to our dedicated universal forwarder in XML Extended over port 8089 . I took the guts of the FireEye app, and set up the FireEye side according to the instructions and am still not getting events.
https://
Questions:
1) Does it have to run under the "admin" account?
2) Does it have to run under an account in the admin role?
3) How do we send these to a dedicated universal forwarder? Do we need anything in inputs.conf or server.conf?
4) Can the forwarder use an account created on a search head or must they be linked?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) based on my testing, it does have to run under the admin account or a user in the admin role. based on your question, i created another splunk question to get help: http://splunk-base.splunk.com/answers/75013/minimum-permissions-required-for-using-http-simple-recei...
2) seems to be the case. although, to be clear, this is not necessarily tied to the FireEye app but to anything that attempts to use the http simple receiver, REST endpoint.
3) you don't need anything in inputs.conf. the http post specifies the input and the neccesary parameters.
4) in your scenario, fireeye is sending the data to the forwarder. so the user/passwd you use in the fireeye config must have the appropriate permissions in the forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out this pdf from FE. Describes non-admin user and using https to push data in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) based on my testing, it does have to run under the admin account or a user in the admin role. based on your question, i created another splunk question to get help: http://splunk-base.splunk.com/answers/75013/minimum-permissions-required-for-using-http-simple-recei...
2) seems to be the case. although, to be clear, this is not necessarily tied to the FireEye app but to anything that attempts to use the http simple receiver, REST endpoint.
3) you don't need anything in inputs.conf. the http post specifies the input and the neccesary parameters.
4) in your scenario, fireeye is sending the data to the forwarder. so the user/passwd you use in the fireeye config must have the appropriate permissions in the forwarder.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
