Hello.
I would like to ingest data from a FireEye HX, viewing the data either in the FireEye app or through our own dashboards. However, although the data is being indexed, the fields are not being extracted/labelled in a useful way.
On the CM:
# cat etc/master-apps/_cluster/local/inputs.conf
<snip>
[tcp://:1234]
index = fe_data
sourcetype = hx_ce_syslog
# ls etc/master-apps/FireEye_v3
appserver bin default lookups metadata README.md static
I created local versions of props.conf and transforms.conf.
In props.conf I uncommented this line as instructed (as we want the data in our own index).
# Uncomment the next line to send FireEye data to a separate index called "fireeye"
TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in
In transforms.conf I changed entries like this to use our index:
[fix_HX_CEF_in]
REGEX=.*:\sCEF\:\d\|mandiant\|mso\|
DEST_KEY=_MetaData:Index
FORMAT=fe_data
Q: Did I need to change FORMAT to use our index if I have specified the index in inputs.conf?
Q: Am I right in thinking I don't need the FireEye app installed on the SHC if I don't want to use the app there? i.e. it is enough for the indexers to use the app's configuration to parse the data.
Q: If the above is correct, does anyone know why the fields are not being extracted as, for example, cef_name?
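The following is an added example, not code from the post or from the FireEye app, that models the two things the questions turn on: how Splunk's index routing behaves when inputs.conf sets an index and a transform with DEST_KEY=_MetaData:Index also fires, and what a CEF header extraction should yield for a field like cef_name. The routing regex is the one from the posted [fix_HX_CEF_in] stanza; the sample syslog lines are constructed, and the cef_* field names other than cef_name are an assumption modelled on that one, not the app's documented names.

```python
import re

# Routing regex copied from the posted [fix_HX_CEF_in] transforms.conf stanza.
HX_CEF_ROUTE = re.compile(r".*:\sCEF\:\d\|mandiant\|mso\|")

# CEF header field names. The page only mentions cef_name; the others are an
# assumed naming modelled on it, not the FireEye app's documented field names.
CEF_HEADER_FIELDS = [
    "cef_version", "cef_vendor", "cef_product", "cef_device_version",
    "cef_signature_id", "cef_name", "cef_severity",
]

# Constructed sample syslog lines, not captured from a real HX appliance.
SAMPLE_LINES = [
    "<13>Apr  3 10:15:01 hx01: CEF:0|mandiant|mso|3.1.0|1001|Malware Alert|7|"
    "rt=1491214501000 shost=ws01 dst=10.0.0.5 cs1Label=agent cs1=abc123",
    "<13>Apr  3 10:15:02 hx01: CEF:0|FireEye|HX|4.0.1|2002|Exploit Alert|9|shost=ws02",
]


def route_index(line, input_index, transform_format):
    """Model Splunk index routing at parse time.

    inputs.conf sets the initial index. A transform with DEST_KEY=_MetaData:Index
    overwrites it with its FORMAT value whenever REGEX matches; otherwise the
    event keeps the index from inputs.conf. So leaving FORMAT at the app default
    would move matching HX events out of fe_data even though the input set it.
    """
    if HX_CEF_ROUTE.match(line):
        return transform_format
    return input_index


def _split_pipes(body):
    """Split a CEF body on unescaped '|' (CEF escapes '|' as '\\|' and '\\' as '\\\\')."""
    fields, buf, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cef(line):
    """Extract the 7 CEF header fields plus key=value extensions from a syslog line.

    Returns None when the line carries no CEF payload or the header is short.
    """
    m = re.search(r"CEF:(.*)$", line)
    if not m:
        return None
    parts = _split_pipes(m.group(1))
    if len(parts) < 8:
        return None
    fields = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Extension pipes need no escaping in CEF, so rejoin anything after field 7.
    extension = "|".join(parts[7:])
    # Extension values may contain spaces; the next key starts at ' <key>='.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", extension):
        fields[key] = value
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("index with app default FORMAT:", route_index(line, "fe_data", "fireeye"))
        print("index with FORMAT=fe_data:    ", route_index(line, "fe_data", "fe_data"))
        print("extracted:", parse_cef(line))
```

Running it on the two constructed lines shows the mandiant/mso line being rerouted to whatever FORMAT names, while the line whose vendor/product pair does not match the regex stays in the inputs.conf index; the parser shows the header positions that a cef_name extraction has to read, which is a quick way to compare a raw event against what the app's props.conf expects before looking at the search head.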