
Trend Micro Deep Security sourcetypes not being rewritten in Splunk cluster

Gil_Heron
New Member

I installed Trend Micro Deep Security on a standalone test server.
Everything ran as expected: inputs.conf sets the index to av_int_deepsecurity and the sourcetype to deepsecurity.
Then props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching in the app shows events with the different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc.

I installed Trend Micro Deep Security in a production cluster.
I pushed the app to the search heads, indexers and forwarders, but searching in the app does not show events with the different sourcetypes (deepsecurity-firewall, deepsecurity-antimalware, etc.). It only shows events with sourcetype deepsecurity.

The standalone test server works fine. The production cluster does not work as expected... What did I do wrong?

Splunk here is 7.1.2.

Devices send machine data to a server running Syslog-NG, which writes it to files. These files are monitored by a Splunk forwarder that forwards the data to the production cluster. The same files are also copied by a batch job to the standalone test server.

Thank you for your help.

I installed Trend Micro Deep Security on a standalone test server.
inputs.conf puts the data in the index av_int_deepsecurity and sets the sourcetype to deepsecurity.
props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching events from the app, I see deepsecurity-firewall, deepsecurity-antimalware, etc., as expected.

Then I installed Trend Micro Deep Security in the production cluster.
Searching events from the app, I see only the sourcetype deepsecurity and NOT deepsecurity-firewall, deepsecurity-antimalware, etc., as I expected.

I installed the app on the search heads, the indexers, the master and the heavy forwarders, without success.

What did I do wrong?

In the standalone test, we copy a file that is monitored by the standalone server.
In the cluster, devices forward events to a Syslog-NG server that writes the data to a file, and this file is monitored by the Splunk forwarder installed on the same server. The data is then sent to the cluster indexers.

We use Splunk 7.1.2.

Thank you for your help.

0 Karma
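For readers hitting the same symptom, here is an illustrative inputs.conf / props.conf / transforms.conf set of the kind the post describes. It is an added example written for this page, not the Trend Micro Deep Security app's own configuration: the index name av_int_deepsecurity and the base sourcetype deepsecurity come from the post, but the monitor path, the stanza names and the REGEX patterns are placeholders. The point it illustrates is the one that separates a standalone box from a distributed pipeline: a `TRANSFORMS-` sourcetype rewrite is an index-time (parsing-phase) operation, so it only takes effect on the first Splunk instance that parses the data (a heavy forwarder or an indexer). A universal forwarder does not run parsing-phase transforms, a search head only sees what was already indexed, and an indexer will not re-parse data that an upstream heavy forwarder has already cooked.

```ini
; Added example, not the Deep Security app's own config.
; Placement is the whole point: the props/transforms stanzas must live on the
; first parsing tier in the data path (heavy forwarder or indexer). Installing
; them only on universal forwarders or search heads has no effect on sourcetype.

; --- inputs.conf (on the forwarder that monitors the syslog-ng output) ---
; Monitor path is an assumption.
[monitor:///var/log/syslog-ng/deepsecurity/*.log]
index = av_int_deepsecurity
sourcetype = deepsecurity
disabled = false

; --- props.conf (on the heavy forwarder or the cluster indexers) ---
[deepsecurity]
; Index-time: run the named transforms in order; each may override sourcetype.
TRANSFORMS-set_ds_sourcetype = ds_firewall, ds_antimalware

; --- transforms.conf (same tier as props.conf) ---
; The REGEX values below are placeholders standing in for the real event
; patterns; they are not the app's regexes.
[ds_firewall]
REGEX = Deep Security Agent\|[^|]*\|[^|]*\|Firewall
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::deepsecurity-firewall

[ds_antimalware]
REGEX = Deep Security Agent\|[^|]*\|[^|]*\|AntiMalware
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::deepsecurity-antimalware
```

Two checks that tell a standalone deployment and a cluster apart: on an indexer (not a search head) run `splunk btool props list deepsecurity --debug` and `splunk btool transforms list ds_firewall --debug` to confirm the stanzas actually resolve there; in an indexer cluster the app normally has to be placed in the manager's `master-apps` (7.x naming) and pushed with `splunk apply cluster-bundle`, or the indexers never receive it. Then run `index=av_int_deepsecurity earliest=-15m | stats count by sourcetype` after new data arrives, because a rewrite only applies to events indexed after it was deployed; events already stored as sourcetype deepsecurity will stay that way.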