How to configure the Trend Micro Deep Security for Splunk app?

Trend Micro Deep Security for Splunk (Splunk app): how do I configure it?
What settings need to be made on the source side, and what has to match on the app side?
Hello, I configured Deep Security Manager to send traffic to Splunk. I see that Splunk is getting all the packets on UDP port 10702, but they don't show up in events or in the UI. How do I configure it to show in the UI? So frustrating.
@idurrani, You're asking a new question rather than answering the one asked by the OP. Please post a new question about your problem.
If this reply helps you, Karma would be appreciated.
According to mikedgibson, "The App creates 6 different syslog listeners". I didn't find that to be the case after I installed the app. I had to manually add the listeners. In any event after that was done, I configured DSM to send events to the applicable port.
Hello,
The App creates 6 different syslog listeners to help differentiate events in one module from another.
10701 - Syslog UDP port for System Events
10702 - Syslog UDP port for Anti-Malware Events
10703 - Syslog UDP port for Web Reputation Events
10704 - Syslog UDP port for Firewall and IPS Events
10705 - Syslog UDP port for Integrity Monitoring Events
10706 - Syslog UDP port for Log Inspection Events
After installing the App, you just need to configure the syslog output for each of the modules within your security policy to send event data to the appropriate syslog port on your Splunk system. The easiest way is to configure the product to forward syslog output from the Deep Security Manager and not the Agents themselves to the Splunk listeners.
If you search for "syslog" or "SIEM" in the online help in Deep Security Manager, you should see instructions on how to configure the syslog settings.
Mike
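The listener layout from the answer above, as an added example that is not code from this thread or from Trend Micro's app: it renders the six UDP listeners as Splunk inputs.conf stanzas (useful when, as another poster found, the app has not created them) and does a loopback check that a syslog line carrying a CEF record is received and parsed. The index and sourcetype names, the sample event, and the CEF parser are assumptions for illustration; match the index/sourcetype to what the app's own props.conf expects, otherwise events land in the index but never reach the dashboards.

```python
"""
Added example, not from the Splunk thread or Trend Micro's app: render the
six UDP listener stanzas from the reply as inputs.conf text, then check on
loopback that a syslog/CEF line is received and parsed. Index, sourcetype,
the sample event and the parser are assumptions for illustration.
"""
import re
import socket

# Port-to-module mapping exactly as listed in the reply.
DS_SYSLOG_PORTS = {
    10701: "System Events",
    10702: "Anti-Malware Events",
    10703: "Web Reputation Events",
    10704: "Firewall and IPS Events",
    10705: "Integrity Monitoring Events",
    10706: "Log Inspection Events",
}


def inputs_conf(index="deepsecurity", sourcetype="trendmicro:deepsecurity"):
    """Return inputs.conf stanzas for the six listeners.

    Put in $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf these create the
    UDP inputs by hand. index/sourcetype are assumed names: set them to
    whatever the app's props.conf actually expects.
    """
    lines = []
    for port, module in sorted(DS_SYSLOG_PORTS.items()):
        lines += [
            f"# {module}",
            f"[udp://{port}]",
            f"sourcetype = {sourcetype}",
            f"index = {index}",
            "connection_host = ip",
            "disabled = 0",
            "",
        ]
    return "\n".join(lines)


# Constructed sample in the shape DSM emits over syslog: a syslog header
# followed by a CEF record. All values are made up for this example.
SAMPLE_EVENT = (
    b"<134>Jan 10 12:00:00 dsm-host CEF:0|Trend Micro|Deep Security Manager|"
    b"12.0.0.1|4000000|Eicar_test_file|6|"
    b"cn1=1 cn1Label=Host ID dvc=10.0.0.5 msg=Quarantined"
)


def parse_cef(raw):
    """Split a syslog line carrying CEF into header fields plus extensions.

    CEF: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    Pipes inside header fields are escaped with a backslash, so split only
    on unescaped pipes. Extension parsing (key=value pairs, values may hold
    spaces) is a simplification, not the app's own field extraction.
    """
    text = raw.decode("utf-8", errors="replace")
    start = text.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields = re.split(r"(?<!\\)\|", text[start:], maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    keys = ["cef_version", "vendor", "product", "version",
            "signature_id", "name", "severity", "extension"]
    record = dict(zip(keys, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    ext = {}
    for kv in re.split(r"\s+(?=\w+=)", record["extension"]):
        k, _, v = kv.partition("=")
        ext[k] = v
    record["extension"] = ext
    return record


def loopback_check(message, timeout=2.0):
    """Bind a UDP listener on an ephemeral loopback port, send `message` to
    it and return the parsed record. To exercise a real Splunk listener,
    send to 127.0.0.1:10702 instead and search Splunk for the event."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(message, ("127.0.0.1", port))
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return parse_cef(data)


if __name__ == "__main__":
    print(inputs_conf())
    print(loopback_check(SAMPLE_EVENT))
```

If a real listener receives the datagram but nothing appears in search, the usual causes are a sourcetype or index that does not match the app's searches, or the port being bound by a different Splunk input than the one the app's dashboards read from; `splunk list udp` (or Settings > Data inputs > UDP) shows which stanzas are actually live.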
Thank you, Mike.
So if I am understanding correctly, we need to do the configuration in the Deep Security Manager settings themselves, not on the Splunk server side, right?
Where will I find those security policies you are referring to: on the Deep Security server, the Splunk server, or the firewall?
Please help me understand this.
Thanks in advance.
I checked the system, and everything seems to be in place as you suggested, but logs are still not coming in. They came one day but not afterwards... Could you please clarify the doubts above, Mike?
