I have configured the Deep Security Manager to forward syslog directly to the Heavy Forwarder, since we are using a Heavy Forwarder as the primary source to store the logs and later forward them to the indexers to index the data. I'm able to see the data in the search UI by using index=dsm, and also logs related to "WebReputation Security Events", but the Trend Micro dashboards don't seem to visualize the data. Is there any configuration I missed when deploying the Trend Micro Deep Security for Splunk app on Splunk? I deployed the app through the deployment server, and it is installed on the Heavy Forwarder and also on the Enterprise Search Head. I have used the same syslog configuration for the system events and the security events in the Deep Security Manager. Any suggestions on where to look to resolve this issue?
This basically listens on the UDP port that has been configured on the DSM and stores the logs. Later, these logs are forwarded from the HF to the indexers so that the data gets indexed. Also, I have configured the inputs file.
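For comparison, here is an added example of what the Heavy Forwarder's `inputs.conf` stanza and a matching search-head override typically look like when raw syslog is searchable but the app's dashboards stay empty. This is not the poster's configuration or the Trend Micro app's shipped files; the port `514`, the `index = dsm` value from the post, and the sourcetype name `deepsecurity` used as the app's expected sourcetype are assumptions, so check them against the app's own `props.conf` and its index macro on your deployment.

```ini
# --- Heavy Forwarder: inputs.conf (added example, not the original poster's file) ---
# A UDP listener that only sets the index. Events land in index=dsm and are
# searchable, but they arrive with an auto-generated sourcetype (e.g. "udp:514"),
# so the app's field extractions and dashboard searches never match them.
[udp://514]
index = dsm
connection_host = ip

# Corrected stanza (assumption: the app keys its extractions off sourcetype
# "deepsecurity"; confirm the name in the app's props.conf before using it).
[udp://514]
index = dsm
sourcetype = deepsecurity
connection_host = ip
disabled = 0

# --- Search Head: local/macros.conf (added example) ---
# Many Splunkbase apps scope their dashboards to a default index through a
# macro. If the app searches index=main while the HF writes to index=dsm,
# raw searches succeed but every panel is empty. The macro name below is a
# placeholder; take the real one from the app's default/macros.conf.
[APP_INDEX_MACRO_PLACEHOLDER]
definition = index=dsm
```

Two quick checks that need no guessing about names: on the Heavy Forwarder, run `splunk btool inputs list --debug` and confirm the UDP stanza carries both `index` and `sourcetype`; on the Search Head, open one dashboard panel's search and compare its `index=` and `sourcetype=` terms with what `index=dsm | stats count by sourcetype` actually reports.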