All Apps and Add-ons
Highlighted

Trend Micro Deep Security for Splunk: How to troubleshoot why are logs not coming in?

Communicator

I have pointed the CEF logs from Trend Micro Deep security to Splunk server. What could be the reasons that logs are not coming in through the port 514 for other apps as well?

0 Karma
Highlighted

Re: Trend Micro Deep Security for Splunk: How to troubleshoot why are logs not coming in?

Communicator

I have pointed the CEF logs from Trend Micro Deep security to Splunk server. What could be the reasons that logs are not coming in through the port 514 -

EDIT : whereas logs from other apps are coming in on same port.

0 Karma
Highlighted

Re: Trend Micro Deep Security for Splunk: How to troubleshoot why are logs not coming in?

Motivator

EDIT : whereas logs from other apps are coming in on same port.

You mean other logs from the DS server ? do you miss only CEF logs alone ?!
Are you using universal forwarder , Did u take a look at the splunkd.logs

0 Karma
Highlighted

Re: Trend Micro Deep Security for Splunk: How to troubleshoot why are logs not coming in?

Communicator

The other logs which are coming here on port 514 are syslog from a firewall (another source).
Universal forwarder is there but not related with this, for that i have different port in place.
Looking into which log could be helpful in understanding what is stopping ?

0 Karma
Highlighted

Re: Trend Micro Deep Security for Splunk: How to troubleshoot why are logs not coming in?

SplunkTrust
SplunkTrust

In approximate order of how I'd do it:

First, double check for sure you aren't getting them in. index=* and start looking at all your flyouts for your host, events that may come from it and so on.

Double-check you are listening on both UDP and TCP port 514 in Splunk, or confirm that whichever one you are listening on is the one that Trend is sending in on. Double-check your inputs.conf to make sure there shouldn't be anything mishandling that source - the list of trickery that could be involved is long, but a careful look will most likely uncover anything odd looking.

Confirm that Trend is configured properly and pointing to the right IP address, is actually set to send something in (sometimes the configuration for syslog settings and the configuration to send syslog data are two entirely separate steps!) and that there are no firewalls or networking issues that would prevent the two machines from communicating.

Once you've double-checked all that work and found no improvement, I'd say to start a packet capture on your Splunk server watching for packets from the Trend box. If you see them coming in over the right ports and all that, you'll have to look at inputs. (Or separate syslog from Splunk and troubleshoot each piece separately, as below). If you don't see the inputs, then either the Trend box is misconfigured or there's a firewall or something in the way.

I, and others here, would heartily recommend to install syslog-ng or rsyslog and use THAT to listen to syslog, then use monitor stanzas to get the data from there: this is easy to do and has a lot of advantages in speed, reliability, scalability and troubleshooting. That last advantage would be quite useful at this point and would separate this problem into two independently easy problems. This is also best practice.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.