All Apps and Add-ons

Trend Micro Deep Security sourcetypes not being rewritten into Splunk cluster

Gil_Heron
New Member

I install Trend Micro Deep Security on a standalone test server.
Everything run as expected: inputs.conf set index to av_int_deepsecurity and sourcetype to deepsecurity.
Then props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching in the app show events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc.

I install Trend Micro Deep Security in a productive cluster
I push the app to Search Heads, Indexers, Forwarders but searching in the app does not show events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc. It only shows events with sourcetype deepsecurity.

Test standalone server is working fine. Productive cluster is not working as expected... What did I do wrong?

Splunk here is 7.1.2

Devices are sending machine data to a server with Syslog-NG that make files. These files are monitored by SplunkForwarder that forwards data to the productive cluster. These files are also copied by a batch job to the test standalone server.

Thank you for your help. I install Trend Micro Deep Security on a standalone test server.
inputs.conf put the data in index av_int_deepsecurity and fix the sourcetype to deepsecurity.
props.conf and transforms.conf rewrite sourcetypes to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching events from the app, I see deepsecurity-firewall, deepsecurity-antimalware, etc. as expected

Then I install Trend Micro Deep Security in the productive cluster.
Searching events from the app, I see only sourcetype deepsecurity and NOT deepsecurity-firewall, deepsecurity-antimalware, etc. as expected.

I install the app on Search Heads, on Indexers, on Master and on Heavy Forwarders, without success.

What I did wrong?

In standalone test, we copy a file monitored by the standalone server.
In the cluster, devices are forwarding events to a Syslog-NG that put data in a file and this file is monitored by the SplunkForwarder installed on the same server. Data is then sent to the cluster indexers.

We use Splunk 7.1.2.

Thank you for your help.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...