Greetings,
I have followed the documentation that comes with the FireEye app but no luck, perhaps someone can see where I have gone wrong. I have a universal forwarder that I am trying to send the FireEye logs to.
First to make sure the port is open on the UF:
fireeye > telnet 10.250.40.51 8089
Trying 10.250.40.51...
Connected to 10.250.40.51.
Escape character is '^]'.
--OK so I am in--
^]
Attached is the config in FireEye:
The fe index is created and enabled in Splunk.
Guidance would be very much appreciated!
Dave
Thanks for hanging in there. Please try out our new app designed to work with Splunk v6. We increased the number of FireEye appliances we support and drastically increased the number of protocols you can use to send data to Splunk. Download it here: http://apps.splunk.com/app/1845/. It is still in BETA, but we are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!
ccsfdave was squared away with the following thread:
http://answers.splunk.com/answers/123168/fireeye-built-in-dashboards-not-working
However, just to close the loop on this... instructions for setting up the current FireEye app are found here on the documentation tab:
https://apps.splunk.com/app/409/
Additional help can be found here:
http://securitysynapse.blogspot.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html
Keep checking back for a new Splunk for FireEye app that is in the works. 🙂
Should have posted this last time. If you are stuck on pushing data via REST, your configuration looks right to me. I've used similar URL with the same settings and been successful. Maybe confirm that the index is configured correctly on the Splunk side and that you're authenticating with an account that has the access necessary to write to it?
@PrinceOfEval, I have checked the configs as suggested and, interestingly enough, I can test-fire an event in FireEye and it appears in Splunk; however, none of the normal logging does. Do I have something shut down in FireEye preventing the logging? Anywhere else to look beyond the image above?
If syslog is an option, that might be easier. I've had a hard time understanding why people want their FireEye appliances to push data into the REST API of Splunk instead of just sending the data to syslog like everything else. In my experience, using the REST API causes a lot of extra headaches when troubleshooting issues.
Sorry if this is OT, but I'm genuinely curious and also wonder if people don't realize that XML over syslog is an option for these logs.
Sure, but you could take care of that by setting the line breaker to include the syslog header in a regex match group, thereby removing it from the event before the XML is parsed, like....
LINE_BREAKER = ([A-Za-z]{3}\s{1,3}\d{1,2}\s\d{2}:\d{2}:\d{2}\s[0-9.]{7,15}\/[0-9.]{7,15}\sfenotify-[0-9.]+alert:\s)<\?xml
I've noticed some other weird issues doing XML over syslog though, such as multiple alerts in a single log event. Did you write the document suggesting using CEF over syslog?
http://www.fireeye.com/resources/pdfs/FireEye-Splunk-intro-to-integration-guide.pdf
Is that the way to go?
One reason why some people may find it easier to send XML or JSON over HTTP as opposed to syslog is that they don't have to deal with the syslog header before the start of the XML.
Check out the following XML example headers:
XML over UDP syslog:
Jun 26 13:11:47 192.168.33.159 fenotify-26662.1.alert: <?xml version="1.0" encoding="utf-8"?>
XML over TCP syslog:
<164>fenotify-26659.alert: <?xml version="1.0" encoding="utf-8"?>
XML over HTTP:
<?xml version="1.0" encoding="utf-8"?>
If you are trying to use KV_MODE=XML in props.conf, it does not consistently parse the data due to the added header.
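The point made in the last two posts, that the syslog header sits in front of the XML declaration and has to be stripped before an XML parser will accept the event, is easy to see outside Splunk. The following Python is an added example, not code from the thread or from the FireEye app: it builds constructed sample events in the three header shapes quoted above (UDP syslog, TCP syslog with a PRI, plain HTTP), shows that the headered forms fail to parse as-is, and strips the header with a pattern of my own that is anchored on the `<?xml` declaration the same way the LINE_BREAKER above is. My pattern deliberately differs from the one posted earlier (it accepts a single host field and an optional `<PRI>`, rather than the `host/host` form that poster's logs contain); the alert XML body is also constructed, not a real FireEye notification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed alert body (schema is illustrative only, not FireEye's real format).
SAMPLE_XML = ('<?xml version="1.0" encoding="utf-8"?>'
              '<alerts><alert id="1"><name>malware-object</name></alert>'
              '<alert id="2"><name>web-infection</name></alert></alerts>')

# Constructed events modelled on the three header shapes quoted in the thread.
SAMPLES = {
    "udp_syslog": "Jun 26 13:11:47 192.168.33.159 fenotify-26662.1.alert: " + SAMPLE_XML,
    "tcp_syslog": "<164>fenotify-26659.alert: " + SAMPLE_XML,
    "http": SAMPLE_XML,
}

# Hypothetical header pattern (mine, not the LINE_BREAKER posted in the thread):
#   optional syslog PRI  "<164>"
#   optional BSD timestamp + one host field  "Jun 26 13:11:47 192.168.33.159 "
#   the fenotify tag  "fenotify-26662.1.alert: "
# and a lookahead so the XML declaration itself is never consumed.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:[A-Za-z]{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s)?"
    r"fenotify-[0-9.]+alert:\s"
    r"(?=<\?xml)"
)


def strip_syslog_header(event: str) -> str:
    """Remove a leading syslog header if present; an HTTP-delivered event is returned unchanged."""
    return HEADER_RE.sub("", event, count=1)


def header_blocks_parse(event: str) -> bool:
    """True when the raw event, header included, is rejected by the XML parser."""
    try:
        ET.fromstring(event)
        return False
    except ET.ParseError:
        return True


def alert_names(event: str) -> list:
    """Strip the transport header, then pull every <alert>/<name> out of the event.

    Returning a list also covers the case mentioned in the thread where one syslog
    event carries several alerts.
    """
    root = ET.fromstring(strip_syslog_header(event))
    return [a.findtext("name") for a in root.iter("alert")]


if __name__ == "__main__":
    for transport, event in SAMPLES.items():
        print(f"{transport:11} raw parse fails: {header_blocks_parse(event)!s:5} "
              f"alerts after strip: {alert_names(event)}")
```

The `(?=<\?xml)` lookahead is what keeps the approach safe: if the header has a shape the pattern does not anticipate, nothing is removed and the parser fails loudly, rather than silently truncating the event. The same idea is why the LINE_BREAKER posted above ends in `<\?xml` outside the capture group.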