
Setup FireEye

ccsfdave
Builder

Greetings,

I have followed the documentation that comes with the FireEye app but no luck, perhaps someone can see where I have gone wrong. I have a universal forwarder that I am trying to send the FireEye logs to.

First to make sure the port is open on the UF:

fireeye > telnet 10.250.40.51 8089
Trying 10.250.40.51...
Connected to 10.250.40.51.
Escape character is '^]'.
--OK so I am in--
^]

Attached is the config in FireEye:

FireEye Settings - Notifications - HTTP

My URL is: https://10.250.40.51:8089/services/receivers/simple?source=fireeye.organization.org&sourcetype=fe_xm...

The fe index is created and enabled in Splunk.

Guidance would be very much appreciated!

Dave

0 Karma

TonyLeeVT
Builder

Thanks for hanging in there. Please try out our new app designed to work with Splunk v6. We increased the number of FireEye appliances we support and drastically increased the number of protocols you can use to send data to Splunk. Download it here: http://apps.splunk.com/app/1845/. It is still in BETA, but we are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!

0 Karma

TonyLeeVT
Builder

ccsfdave was squared away with the following thread:
http://answers.splunk.com/answers/123168/fireeye-built-in-dashboards-not-working

However, just to close the loop on this... instructions for setting up the current FireEye app are found here on the documentation tab:
https://apps.splunk.com/app/409/

Additional help can be found here:
http://securitysynapse.blogspot.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html

Keep checking back for a new Splunk for FireEye app that is in the works. 🙂

PrinceOfEval
Path Finder

Should have posted this last time. If you are stuck on pushing data via REST, your configuration looks right to me. I've used similar URL with the same settings and been successful. Maybe confirm that the index is configured correctly on the Splunk side and that you're authenticating with an account that has the access necessary to write to it?

0 Karma

ccsfdave
Builder

@PrinceOfEval, I have checked the configs as suggested and, interestingly enough, I can test fire an event in FireEye and it appears in Splunk; however, none of the normal logging does. Do I have something shut down in FireEye preventing the logging? Anywhere else to look beyond the image above?

0 Karma

PrinceOfEval
Path Finder

If syslog is an option, that might be easier. I've had a hard time understanding why people want their FireEye appliances to push data into the REST API of Splunk instead of just sending the data to syslog like everything else. In my experience, using the REST API causes a lot of extra headaches when troubleshooting issues.

Sorry if this is OT, but I'm genuinely curious and also wonder if people don't realize that XML over syslog is an option for these logs.

0 Karma

PrinceOfEval
Path Finder

Sure, but you could take care of that by setting the line breaker to include the syslog header in a regex match group, thereby removing it from the event before the XML is parsed, like....

LINE_BREAKER = ([A-Za-z]{3}\s{1,3}\d{1,2}\s\d{2}:\d{2}:\d{2}\s[0-9.]{7,15}\/[0-9.]{7,15}\sfenotify-[0-9.]+alert:\s)<\?xml

I've noticed some other weird issues doing XML over syslog though, such as multiple alerts in a single log event. Did you write the document suggesting using CEF over syslog?

http://www.fireeye.com/resources/pdfs/FireEye-Splunk-intro-to-integration-guide.pdf

Is that the way to go?

0 Karma

TonyLeeVT
Builder

One reason why some people may find it easier to send XML or JSON over HTTP as opposed to syslog is that they don't have to deal with the syslog header before the start of the XML.
Check out the following XML example headers:
XML over UDP syslog:
Jun 26 13:11:47 192.168.33.159 fenotify-26662.1.alert: <?xml version="1.0" encoding="utf-8"?>
XML over TCP syslog:
<164>fenotify-26659.alert: <?xml version="1.0" encoding="utf-8"?>
XML over HTTP:
<?xml version="1.0" encoding="utf-8"?>
If you are trying to use KV_MODE=XML in props.conf, it does not consistently parse the data due to the added header.

0 Karma
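To make the header problem concrete, here is an added example (not code from the thread or from the FireEye app) that reproduces the three header shapes quoted above on constructed sample events, shows that the raw syslog line is not well-formed XML, and emulates what a LINE_BREAKER with a discarded capture group does: split on each header + `<?xml` boundary and drop the header. The header pattern is an assumption, deliberately broader than the LINE_BREAKER posted earlier (optional `<PRI>`, optional timestamp/host with host as one IP or ip/ip, optional fenotify tag), and the XML body is a minimal stand-in, not the FireEye alert schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample stream: one event per header shape quoted in the thread
# (UDP syslog, TCP syslog, plain HTTP). The XML body is a minimal stand-in.
SAMPLE_STREAM = (
    'Jun 26 13:11:47 192.168.33.159 fenotify-26662.1.alert: <?xml version="1.0" encoding="utf-8"?>'
    '<alerts><alert id="26662" severity="majr"/></alerts>\n'
    '<164>fenotify-26659.alert: <?xml version="1.0" encoding="utf-8"?>'
    '<alerts><alert id="26659" severity="minr"/></alerts>\n'
    '<?xml version="1.0" encoding="utf-8"?>'
    '<alerts><alert id="26660" severity="crit"/></alerts>\n'
)

# Assumed header pattern (broader than the LINE_BREAKER quoted in the thread):
# optional <PRI> from TCP syslog, optional "Mon dd HH:MM:SS host" from UDP syslog
# (host as a single IP or ip/ip), optional fenotify tag, then the XML declaration.
BOUNDARY_RE = re.compile(
    r"(?P<hdr>(?:<\d{1,3}>)?"
    r"(?:[A-Za-z]{3}\s{1,3}\d{1,2}\s\d{2}:\d{2}:\d{2}\s[0-9./]+\s)?"
    r"(?:fenotify-[0-9.]+alert:\s)?)"
    r"(?P<xml><\?xml)"
)


def split_events(raw):
    """Emulate Splunk's LINE_BREAKER: each header+<?xml boundary starts a new
    event and the captured header (group 'hdr') is discarded, so every event
    begins at the XML declaration."""
    marks = list(BOUNDARY_RE.finditer(raw))
    events = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(raw)
        events.append(raw[m.start("xml"):end].strip())
    return events


def parses_as_xml(event):
    """True if the event body is well-formed XML, which is what KV_MODE=XML needs."""
    try:
        ET.fromstring(event)
        return True
    except ET.ParseError:
        return False


def alert_ids(raw):
    """Split the stream and pull the alert id out of each parsed event."""
    return [ET.fromstring(e).find("alert").get("id") for e in split_events(raw)]


if __name__ == "__main__":
    print("raw UDP line parses as XML:", parses_as_xml(SAMPLE_STREAM.splitlines()[0]))
    print("alert ids after header strip:", alert_ids(SAMPLE_STREAM))
```

Running it shows the raw UDP line failing to parse while all three stripped events parse, which is the behaviour the KV_MODE=XML remark above describes.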