All Apps and Add-ons

How to modify default fields in Trend Micro Deep Security for Splunk?

emixam3
Explorer

Hi,
I'm receiving syslog flow from Trend Micro Deep Security.
After installing the app for Splunk, I would like to check how the fields are populate by it. I've got an issue with the field "DPI_Reason", where I can find the Trend Micro rule number.
The field in the raw data is, for example, "502", but the field in splunk is "-502". And it only populate the field with default values like 502 or 504, not with custom rules like 1001234.

Thanks

Max

0 Karma

aakwah
Builder

Hello,

Make sure that Deep Security is sending syslog messages with Common Event Format (CEF) as syslog format.

On Deep Security web interface:

Administration -> System Settings -> SIEM -> Syslog Format (Common Event Format).

Hope this helps.

Regards

0 Karma

idurrani
New Member

Hello,

Deep Security manager is sending traffic to splunk and splunk is getting the events but not showing it on UI. For example I see DSM sending messages on UDP port 10702 that are received by Splunk but I can't see them. Splunk has the Deep Security manager app configured. Please help?

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...