All Apps and Add-ons

How to modify default fields in Trend Micro Deep Security for Splunk?

emixam3
Explorer

Hi,
I'm receiving syslog flow from Trend Micro Deep Security.
After installing the app for Splunk, I would like to check how the fields are populate by it. I've got an issue with the field "DPI_Reason", where I can find the Trend Micro rule number.
The field in the raw data is, for example, "502", but the field in splunk is "-502". And it only populate the field with default values like 502 or 504, not with custom rules like 1001234.

Thanks

Max

0 Karma

aakwah
Builder

Hello,

Make sure that Deep Security is sending syslog messages with Common Event Format (CEF) as syslog format.

On Deep Security web interface:

Administration -> System Settings -> SIEM -> Syslog Format (Common Event Format).

Hope this helps.

Regards

0 Karma

idurrani
New Member

Hello,

Deep Security manager is sending traffic to splunk and splunk is getting the events but not showing it on UI. For example I see DSM sending messages on UDP port 10702 that are received by Splunk but I can't see them. Splunk has the Deep Security manager app configured. Please help?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>