
How to complete Fireeye HX and Splunk Integration?

spl10
Explorer

Hi Team,

I am planning to integrate FireEye HX and Splunk, and for that I have installed the app "FireEye App for Splunk Enterprise v3 | Splunkbase" from Splunkbase on the Heavy Forwarder and the Search Head.

Also, as mentioned in the document, I performed the steps below:

  • The HX appliance logging cannot be set from the GUI as of right now, please use the CLI:
    hostname # logging <remote-IP-address> trap none
    hostname # logging <remote-IP-address> trap override class cef priority info
    hostname # write mem

In the internal index I could see the error below, and the logs are not showing up in Splunk:

ERROR SearchOperator:kv [17796 TcpChannelThread] - Cannot compile RE \"<malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class.

Any assistance with this issue will be much appreciated.

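The compile error quoted above comes from the character class `[\w-\.]`: a hyphen placed between a class escape and another character is read as a range, and PCRE (the engine Splunk uses for transforms) refuses a range whose endpoint is `\w`. The example below is added here and is not code from the post or from the FireEye app; it shows that Python's re module rejects the same construct, then runs the repaired class `[\w.-]` (hyphen last, so it is literal) over constructed sample events. Splunk's `(?<name>...)` group syntax is written `(?P<name>...)` in Python, and the events are made up to match the regex's shape, not real HX output.

```python
import re
from typing import Optional

# The transform regex from the error message, with Python's (?P<name>...) group
# syntax. The class [\w-\.] is a range with \w as its lower endpoint, which the
# engine rejects ("invalid range in character class" in PCRE, re.error here).
BROKEN_PATTERN = (
    r'<malware\sname="(?P<malware_name>[\w-\.]{1,30})"'
    r'\s*(sid="(?P<malware_sid>\d*)")?'
    r'\s*(stype="(?P<malware_stype>[\w-]{1,30})")?'
)

# Same extraction with the hyphen moved to the end of the class, where it is a
# literal "-" rather than a range operator. The matched characters are unchanged:
# word characters, ".", and "-".
FIXED_PATTERN = (
    r'<malware\sname="(?P<malware_name>[\w.-]{1,30})"'
    r'\s*(sid="(?P<malware_sid>\d*)")?'
    r'\s*(stype="(?P<malware_stype>[\w-]{1,30})")?'
)

# Constructed sample events shaped like the element the transform expects
# (assumption: these are not real FireEye HX alert payloads).
SAMPLE_EVENTS = [
    'alert <malware name="Trojan.Generic-1" sid="1234" stype="signature"/>',
    'alert <malware name="EICAR-Test-File"/>',
]


def compiles(pattern: str) -> bool:
    """Return True if the regex engine accepts the pattern, False if it rejects it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_malware_info(event: str) -> Optional[dict]:
    """Apply the repaired transform; unmatched optional fields come back as None."""
    match = re.search(FIXED_PATTERN, event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    print("broken pattern compiles:", compiles(BROKEN_PATTERN))
    print("fixed pattern compiles:", compiles(FIXED_PATTERN))
    for event in SAMPLE_EVENTS:
        print(extract_malware_info(event))
```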

spl10
Explorer

Can anyone please assist with this error?

Error message:

ERROR TcpInputProc [11836 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=1009989438 bytes from src=xx.xx.xx.xx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Here is my inputs.conf:

[udp://xx.xx.xx.xx:876]
connection_host = dns
host = xxxxxx
index = yyyyyy
sourcetype = hx_cef_syslog


spl10
Explorer

Can anyone please help?
