
Trend Micro Deep Security sourcetypes not being rewritten into Splunk cluster

Gil_Heron
New Member

I installed Trend Micro Deep Security on a standalone test server.
Everything runs as expected: inputs.conf sets the index to av_int_deepsecurity and the sourcetype to deepsecurity.
Then props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching in the app shows events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc.

I installed Trend Micro Deep Security in a production cluster.
I pushed the app to the search heads, indexers and forwarders, but searching in the app does not show events with different sourcetypes (deepsecurity-firewall, deepsecurity-antimalware, etc.). It only shows events with sourcetype deepsecurity.

The standalone test server works fine. The production cluster is not working as expected... What did I do wrong?

Splunk here is 7.1.2.

Devices send machine data to a server running Syslog-NG, which writes it to files. These files are monitored by a Splunk forwarder that forwards the data to the production cluster. The same files are also copied by a batch job to the standalone test server.

Thank you for your help.

I installed Trend Micro Deep Security on a standalone test server.
inputs.conf puts the data in index av_int_deepsecurity and fixes the sourcetype to deepsecurity.
props.conf and transforms.conf rewrite the sourcetypes to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching events from the app, I see deepsecurity-firewall, deepsecurity-antimalware, etc., as expected.

Then I installed Trend Micro Deep Security in the production cluster.
Searching events from the app, I see only sourcetype deepsecurity and NOT deepsecurity-firewall, deepsecurity-antimalware, etc., as expected.

I installed the app on the search heads, on the indexers, on the master and on the heavy forwarders, without success.

What did I do wrong?

In the standalone test, we copy a file that is monitored by the standalone server.
In the cluster, devices forward events to a Syslog-NG that puts the data in a file, and this file is monitored by the Splunk forwarder installed on the same server. The data is then sent to the cluster indexers.

We use Splunk 7.1.2.

Thank you for your help.

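The sourcetype rewrite the post describes (inputs.conf fixes sourcetype=deepsecurity, then props.conf and transforms.conf split it into deepsecurity-firewall, deepsecurity-antimalware, etc.) is an index-time TRANSFORMS rewrite. Splunk evaluates it exactly once, on the first full Splunk instance that parses the event: a heavy forwarder if one sits in the path, otherwise the indexer. A universal forwarder does not run props/transforms at all, and a search head only ever sees the sourcetype that was already written to the index. On a standalone server every role is the same process, so the rewrite works wherever the app is installed; in a cluster it only takes effect on the parsing tier, and events indexed before the app reached that tier keep sourcetype deepsecurity forever. The fragment below is an added, illustrative example of that layout, not the Trend Micro app's own configuration: the monitor path, stanza names and regexes are assumptions, and the CEF patterns are constructed.

```ini
# inputs.conf -- on the Splunk forwarder that monitors the Syslog-NG output
# files. Path, index and sourcetype are assumptions for this example.
[monitor:///var/log/syslog-ng/deepsecurity/*.log]
index = av_int_deepsecurity
sourcetype = deepsecurity
disabled = 0

# props.conf -- must live on the instance that PARSES the data: the heavy
# forwarder if one sits between the universal forwarder and the indexers,
# otherwise on the indexers (deployed via the cluster master). Putting it
# only on search heads or universal forwarders has no effect on sourcetype.
[deepsecurity]
TRANSFORMS-deepsecurity_sourcetype = deepsecurity_set_firewall, deepsecurity_set_antimalware
# Keep the usual line-breaking/timestamp settings of the source here too;
# index-time TRANSFORMS run after the event has been broken into lines.

# transforms.conf -- same instance as props.conf above. REGEX runs against
# _raw; FORMAT + DEST_KEY overwrite the sourcetype metadata field.
# The regexes below are constructed for this example (matching the module
# name in a CEF-style Deep Security event); the real app keys on its own
# event fields, so copy the app's transforms rather than these.
[deepsecurity_set_firewall]
REGEX = (?i)\|Trend Micro\|Deep Security (?:Agent|Manager)\|[^|]*\|[^|]*\|[^|]*Firewall
FORMAT = sourcetype::deepsecurity-firewall
DEST_KEY = MetaData:Sourcetype

[deepsecurity_set_antimalware]
REGEX = (?i)\|Trend Micro\|Deep Security (?:Agent|Manager)\|[^|]*\|[^|]*\|[^|]*Anti-?Malware
FORMAT = sourcetype::deepsecurity-antimalware
DEST_KEY = MetaData:Sourcetype
```

To confirm the configuration is actually present on the parsing tier, run `splunk btool props list deepsecurity --debug` and `splunk btool transforms list deepsecurity_set_firewall --debug` on the heavy forwarder (or, if there is none, on an indexer) rather than on a search head; `--debug` prints which app directory each setting comes from. If a heavy forwarder is in the chain, it is the parsing instance and the indexers receive already-cooked events, so the props/transforms on the indexers will not re-apply the rewrite. Only data indexed after the restart on the parsing tier will carry the new sourcetypes.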