All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure the Trend Micro Deep Security for Splunk app?

saurabh_tek
Communicator
‎11-12-2015 01:21 AM

Trend Micro Deep Security for Splunk - Splunk app. How to configure it?
What settings need to be done at the source side and to match on the app side.

Reply

idurrani
New Member
‎10-18-2017 05:11 PM

Hello, I configured Deep Security manager to send traffic to Splunk. I see that splunk is getting all packets on UDP port 10702, but it doesn't show in events or UI, how do I configure it to show on UI, so frustrating?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-19-2017 05:50 AM

@idurrani, You're asking a new question rather than answering the one asked by the OP. Please post a new question about your problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dgillette2
New Member
‎08-29-2016 10:58 AM

According to mikedgibson, "The App creates 6 different syslog listeners". I didn't find that to be the case after I installed the app. I had to manually add the listeners. In any event after that was done, I configured DSM to send events to the applicable port.

alt text

Preview file
1 KB
0 Karma
Reply

mikedgibson
New Member
‎11-12-2015 12:12 PM

Hello,

The App creates 6 different syslog listeners to help differentiate events in one module from another.

10701 - Syslog UDP port for System Events
10702 - Syslog UDP port for Anti-Malware Events
10703 - Syslog UDP port for Web Reputation Events
10704 - Syslog UDP port for Firewall and IPS Events
10705 - Syslog UDP port for Integrity Monitoring Events
10706 - Syslog UDP port for Log Inspection Events

After installing the App, you just need to configure the syslog output for each of the modules within your security policy to send event data to the appropriate syslog port on your Splunk system. The easiest way is to configure the product to forward syslog output from the Deep Security Manager and not the Agents themselves to the Splunk listeners.

If you search for "syslog" or "SIEM" in the online help in Deep Security Manager, you should see instructions on how to configure the syslog settings.

Mike

0 Karma
Reply

saurabh_tek
Communicator
‎11-14-2015 04:16 AM

Thank you Mike.

so if i am understanding it correct, we need to do the configuration on the Deep Security Manager Settings itself not on the splunk server side, right ?
where will i find those security policies you are referring - on Deep security server/splunk server/firewall?
please help me understand this.
Thanks in advance.

0 Karma
Reply

saurabh_tek
Communicator
‎12-02-2015 12:27 PM

i checked at the system, everything seems to be in place as you suggested still logs are not coming, although they came one day but not afterwards... could you please clarity above doubts, Mike ?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...