
How to complete Fireeye HX and Splunk Integration?

spl10
Explorer

Hi Team,

I am planning to integrate Fireeye HX and Splunk and for the same I have installed the app from Splunk Base "FireEye App for Splunk Enterprise v3 | Splunkbase" on Heavy Forwarder and Search Head.

Also, as mentioned in the document, I performed the below steps:

  • The HX appliance logging cannot be set from the GUI as of right now, please use the CLI:
    hostname # logging <remote-IP-address> trap none
    hostname # logging <remote-IP-address> trap override class cef priority info
    hostname # write mem

On the internal index I could see the below error, and logs are not reflecting in Splunk:

ERROR SearchOperator:kv [17796 TcpChannelThread] - Cannot compile RE \"<malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class.

Any assistance with this issue will be much appreciated.

0 Karma
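The compile failure in the post comes from the character class `[\w-\.]` in the EXTRACT-malware-info_for_fireeye transform: a hyphen placed directly after a class escape such as `\w`, which modern PCRE and Python's `re` module reject as an invalid range. The following is an added example (not code from the FireEye app or from Splunk) that reproduces the failure and shows the corrected class extracting the three fields; it uses Python's `(?P<name>...)` named-group syntax in place of Splunk's PCRE `(?<name>...)`, and the event fragment is constructed.

```python
import re
from typing import Optional

# Character class as the failing transform has it: the hyphen sits between
# the class escape \w and \. , which the regex engine refuses to treat as a range.
BROKEN_CLASS = r"[\w-\.]"
# Corrected class: hyphen moved to the end of the class, where it is always literal.
FIXED_CLASS = r"[\w.-]"


def build_pattern(char_class: str) -> str:
    """Rebuild the transform regex with the given class for malware_name.

    Python uses (?P<name>...) for named groups; Splunk's PCRE uses (?<name>...).
    """
    return "".join([
        r'<malware\sname="(?P<malware_name>', char_class, r'{1,30})"',
        r'\s*(sid="(?P<malware_sid>\d*)")?',
        r'\s*(stype="(?P<malware_stype>[\w-]{1,30})")?',
    ])


def compiles(char_class: str) -> bool:
    """True if the transform regex built with this class compiles."""
    try:
        re.compile(build_pattern(char_class))
        return True
    except re.error:
        return False


def extract_malware_info(event: str) -> Optional[dict]:
    """Apply the corrected extraction to one event; None when there is no match."""
    m = re.search(build_pattern(FIXED_CLASS), event)
    return m.groupdict() if m else None


# Constructed fragment in the shape the transform expects (not a real HX event).
SAMPLE = '... <malware name="Trojan.Generic-2" sid="12345" stype="signature"/> ...'

if __name__ == "__main__":
    print("broken class compiles:", compiles(BROKEN_CLASS))  # False
    print("fixed class compiles:", compiles(FIXED_CLASS))    # True
    print(extract_malware_info(SAMPLE))
```

The same change applies to the Splunk regex itself: replace `[\w-\.]` with `[\w.-]` (or `[\w\-.]`) in the transform and the error goes away.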

spl10
Explorer

Can anyone please assist with this error?

Error message:

ERROR TcpInputProc [11836 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=1009989438 bytes from src=xx.xx.xx.xx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Here is my inputs.conf:

[udp://xx.xx.xx.xx:876]
connection_host = dns
host = xxxxxx
index = yyyyyy
sourcetype = hx_cef_syslog

0 Karma

spl10
Explorer

Can anyone please help?

0 Karma