
How to configure the Trend Micro Deep Security for Splunk app?

Communicator

Trend Micro Deep Security for Splunk (Splunk app): how do I configure it?
What settings need to be configured on the source side, and what needs to match on the app side?

New Member

Hello, I configured Deep Security Manager to send traffic to Splunk. I see that Splunk is getting all the packets on UDP port 10702, but they don't show up in events or in the UI. How do I configure it to show in the UI? So frustrating.

0 Karma

SplunkTrust

@idurrani, You're asking a new question rather than answering the one asked by the OP. Please post a new question about your problem.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

According to mikedgibson, "The App creates 6 different syslog listeners". I didn't find that to be the case after I installed the app; I had to manually add the listeners. In any event, after that was done, I configured DSM to send events to the applicable port.


0 Karma

New Member

Hello,

The App creates 6 different syslog listeners to help differentiate events in one module from another.

10701 - Syslog UDP port for System Events
10702 - Syslog UDP port for Anti-Malware Events
10703 - Syslog UDP port for Web Reputation Events
10704 - Syslog UDP port for Firewall and IPS Events
10705 - Syslog UDP port for Integrity Monitoring Events
10706 - Syslog UDP port for Log Inspection Events

After installing the App, you just need to configure the syslog output for each of the modules within your security policy to send event data to the appropriate syslog port on your Splunk system. The easiest way is to configure the product to forward syslog output from the Deep Security Manager and not the Agents themselves to the Splunk listeners.

If you search for "syslog" or "SIEM" in the online help in Deep Security Manager, you should see instructions on how to configure the syslog settings.

Mike

0 Karma
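As an added example (not code from the app, from Trend Micro, or from anyone in this thread): a Python script that renders the six UDP listener stanzas the other reply says had to be added by hand, and parses a constructed Deep Security-style CEF event tagged with the module its listener port implies, so you can see what a listener actually received. It assumes the manager's syslog output is set to its CEF format; the index and sourcetype names, and the sample event's extension field names, are placeholders, not the app's own.

```python
import re
import socket

# Listener-port-to-module mapping, exactly as listed in the post above.
PORT_MODULES = {
    10701: "System Events",
    10702: "Anti-Malware Events",
    10703: "Web Reputation Events",
    10704: "Firewall and IPS Events",
    10705: "Integrity Monitoring Events",
    10706: "Log Inspection Events",
}

# CEF header order: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version",
                     "signature_id", "name", "severity")

# An extension key is word characters at the start of the extension or after whitespace,
# followed by an unescaped '='. Values may contain spaces, so a value runs to the next key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def render_inputs_conf(index="deepsecurity", sourcetype="trendmicro:deepsecurity"):
    """Return inputs.conf stanzas that create the six UDP listeners by hand.
    'index' and 'sourcetype' are placeholders (an assumption, not the app's own names);
    set them to whatever the installed app's searches and extractions expect."""
    stanzas = []
    for port, module in sorted(PORT_MODULES.items()):
        stanzas.append(
            f"# {module}\n"
            f"[udp://{port}]\n"
            f"connection_host = ip\n"
            f"index = {index}\n"
            f"sourcetype = {sourcetype}\n"
            f"disabled = 0\n"
        )
    return "\n".join(stanzas)


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.
    Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while len(fields) < len(CEF_HEADER_FIELDS):
        if i >= len(body):
            raise ValueError("truncated CEF header")
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, body[i:]


def _unescape(value):
    # CEF escapes backslash, '=' and '|' with a backslash; \n and \r mean newline / CR.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one syslog line carrying a CEF event into a dict; the syslog PRI/timestamp prefix is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(CEF_HEADER_FIELDS, header))
    keys = list(_EXT_KEY.finditer(ext))
    for cur_key, next_key in zip(keys, keys[1:] + [None]):
        end = next_key.start() if next_key else len(ext)
        event[cur_key.group(1)] = _unescape(ext[cur_key.end():end]).strip()
    return event


def classify(port, line):
    """Parse the event and tag it with the module the listener port implies. Comparing
    'module' with the event's product/name shows a wrong-port misconfiguration at a glance."""
    event = parse_cef(line)
    event["listener_port"] = port
    event["module"] = PORT_MODULES.get(port, "not a Deep Security listener port")
    return event


# Constructed sample in the CEF layout Deep Security can emit (not a captured log; the
# extension field names are illustrative). Note the escaped backslashes and '=' in the values.
SAMPLE_ANTI_MALWARE = (
    "<134>Jan 18 11:07:53 dsm-host CEF:0|Trend Micro|Deep Security Agent|10.0.1|"
    "4000000|Eicar_test_file|6|cn1=42 cn1Label=Host ID dvchost=web01 "
    "filePath=C:\\\\temp\\\\eicar.com act=Quarantine msg=Realtime scan\\=on demand"
)


if __name__ == "__main__":
    # Round-trip the sample through a loopback UDP socket, then parse it as a listener would.
    # Change the sendto target to (splunk_host, 10702) to inject a test event into the real listener.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(SAMPLE_ANTI_MALWARE.encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    for key, value in classify(10702, data.decode()).items():
        print(f"{key:16} {value}")
    print(render_inputs_conf())
```

Run it as a script to see the sample round-tripped through UDP and the generated stanzas. On the Splunk host, `tcpdump -ni any udp port 10702` proves packets arrive; if they do but nothing is searchable, `splunk btool inputs list udp --debug` shows whether a `[udp://10702]` stanza actually exists and which index and sourcetype it writes to, which is where to look before blaming the manager side.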

Communicator

Thank you Mike.

So if I am understanding it correctly, we need to do the configuration in the Deep Security Manager settings itself, not on the Splunk server side, right?
Where will I find those security policies you are referring to: on the Deep Security server, the Splunk server, or the firewall?
Please help me understand this.
Thanks in advance.

0 Karma

Communicator

I checked the system; everything seems to be in place as you suggested, but the logs are still not coming. They came one day but not afterwards... Could you please clarify the above doubts, Mike?

0 Karma