Is it possible to use the FireEye Splunk app with the following configuration:
FireEye sending data to a syslog server in XML format.
Universal forwarder on syslog server monitors file and sends data to the indexers.
In the file on the syslog server, the tag has a space between alert and ID. When using the FireEye Splunk app, the queries come up empty.
From what I can tell, the space is causing the search to come up empty. Is there a way to handle the space in the incoming log file?
I am aware of the following from the documentation: "You will have to modify your FireEye's logging configuration to send the logs to Splunk in XML via HTTP."
In the end, I set up a heavy forwarder as a middleman for FireEye. It seems like I used JSON format in the FireEye configuration. I no longer work at that company and I don't remember all the things I did.
Ever figure out if a syslog server can sit between the FireEye and Splunk? I am getting data from the FireEye to Splunk currently with SYSLOG CSV UDP, but the app and TA don't seem to be doing anything. Thanks!
Ever figure out if a syslog server can stand between a FireEye and Splunk? Trying to set this up, and I am getting data to Splunk from the FireEye (SYSLOG CSV UDP), but the app and TA don't seem to be doing anything. Thanks!