Trend Micro Deep Security for Splunk: Why am I unable to visualize data from syslog logs?

Communicator

Hello Splunk Techies !!

I have configured the Deep Security Manager to forward syslog directly to the Heavy Forwarder, since we are using a Heavy Forwarder as the primary source to store the logs and later forward them to the indexers to index the data. I'm able to see the data in the search UI by using index=dsm, and also logs related to "WebReputation Security Events", but the Trend Micro dashboards don't seem to visualize the data. Is there any configuration I missed when deploying the Trend Micro Deep Security for Splunk app on Splunk? I deployed the app through the deployment server and it is installed on the Heavy Forwarder and also on the Enterprise Search Head. I have used the same syslog configuration for the system events and security events in the Deep Security Manager. Any suggestions on where to look to resolve this issue?

Thanks

0 Karma

Path Finder

I suspect the Trend app is not setting the index location (index=dsm) and is relying on the sourcetypes to gather data.

Sample from .../default/savedsearches.conf in the app:

[Deep Security - Anti-Malware Events]
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * *
description = Events generated by Deep Security's Anti-Malware module
dispatch.earliest_time = -1h
search = sourcetype=deepsecurity-antimalware

Take note of the search line. It only includes the sourcetype and NOT the index where the data is stored.

I would recommend setting the default search index for the users or roles to include the dsm index.

Good luck,

Ken

0 Karma
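
The dependency described in the answer above can be checked mechanically. The following is an added example, not part of the thread or of the Trend Micro app: it parses savedsearches.conf text and reports, for each saved search, whether it names an index itself or falls back to the role's default search indexes (`srchIndexesDefault` in authorize.conf), and whether the index holding the data is covered. The second stanza and the role index lists are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the stanza quoted in the answer, plus one hypothetical
# stanza that scopes its search to an index explicitly.
SAVEDSEARCHES = r"""
[Deep Security - Anti-Malware Events]
cron_schedule = 0 0 * * *
dispatch.earliest_time = -1h
search = sourcetype=deepsecurity-antimalware

[Hypothetical - Scoped Search]
search = index=dsm sourcetype=deepsecurity-antimalware \
    | stats count by host
"""

# Matches index=<name> terms, optionally quoted; wildcards such as ds* allowed.
INDEX_TERM = re.compile(r'\bindex\s*=\s*"?([\w*.-]+)', re.IGNORECASE)

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, joining lines
    that end with a backslash continuation."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
        elif line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(conf_text, data_index, role_default_indexes):
    """Return {search name: (scope, covered)}. scope says where the searched
    indexes come from; covered says whether data_index is among them."""
    report = {}
    for name, keys in parse_conf(conf_text).items():
        if "search" not in keys:
            continue
        explicit = INDEX_TERM.findall(keys["search"])
        searched = explicit or role_default_indexes
        covered = any(fnmatchcase(data_index, pat) for pat in searched)
        report[name] = ("explicit" if explicit else "role-default", covered)
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAVEDSEARCHES, "dsm", ["main"]).items():
        print(name, verdict)
```

A `("role-default", False)` verdict marks a saved search that returns nothing for that role until the data's index is added to the role's default indexes or to the search itself.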

Communicator

In my environment, the Heavy Forwarder acts like a syslog server gathering logs from sources, and I have configured rsyslog to use a particular location through a rule, which is shared below.

$RuleSet {rule_name}

$template dsm,"/opt/splunk/syslog/dsm/%fromhost%/%$YEAR%-%$MONTH%-%$DAY%.log"
$RuleSet {rule_name}

*.* -?dsm
& ~

$InputUDPServerBindRuleset {rule_name}
$UDPServerRun {udp_port}

This basically listens to udp_port that has been configured on the DSM and will store logs. Later, these logs are forwarded from HF to indexers such that data gets indexed. Also, I have configured the inputs file.

[monitor:///opt/splunk/syslog/dsm/.../*.log]
sourcetype = deepsecurity
index = dsm
host_segment = 4
disabled = false

I tried to search by using sourcetype=deepsecurity-antimalware in UI but no results.

Is there anything I should have configured on the app, just like the inputs file, or do I need to create a regex to assign the sourcetype?

0 Karma

Communicator

I have included this configuration stanza in the /opt/splunk/etc/system/local/inputs.conf file:

[udp://xxx]
index = dsm
sourcetype = deepsecurity

Also, I edited the rsyslog configuration to create a directory on the heavy forwarder and store all the logs from the DSM in the format below.

$RuleSet xxx

$template dsm,"/opt/splunk/syslog/dsm/%fromhost%/%$YEAR%-%$MONTH%-%$DAY%.log"
$RuleSet xxx

*.* -?dsm
& ~

From this, what I believe is that whatever logs are being forwarded from the DSM through the xxx port are assigned only deepsecurity as the sourcetype.

I tried to search by using sourcetype=deepsecurity-antimalware in UI but no results.

0 Karma