All Apps and Add-ons

Trend Micro Deep Security sourcetypes not being rewritten into Splunk cluster

Gil_Heron
New Member

I install Trend Micro Deep Security on a standalone test server.
Everything run as expected: inputs.conf set index to av_int_deepsecurity and sourcetype to deepsecurity.
Then props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching in the app show events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc.

I install Trend Micro Deep Security in a productive cluster
I push the app to Search Heads, Indexers, Forwarders but searching in the app does not show events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc. It only shows events with sourcetype deepsecurity.

Test standalone server is working fine. Productive cluster is not working as expected... What did I do wrong?

Splunk here is 7.1.2

Devices are sending machine data to a server with Syslog-NG that make files. These files are monitored by SplunkForwarder that forwards data to the productive cluster. These files are also copied by a batch job to the test standalone server.

Thank you for your help. I install Trend Micro Deep Security on a standalone test server.
inputs.conf put the data in index av_int_deepsecurity and fix the sourcetype to deepsecurity.
props.conf and transforms.conf rewrite sourcetypes to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching events from the app, I see deepsecurity-firewall, deepsecurity-antimalware, etc. as expected

Then I install Trend Micro Deep Security in the productive cluster.
Searching events from the app, I see only sourcetype deepsecurity and NOT deepsecurity-firewall, deepsecurity-antimalware, etc. as expected.

I install the app on Search Heads, on Indexers, on Master and on Heavy Forwarders, without success.

What I did wrong?

In standalone test, we copy a file monitored by the standalone server.
In the cluster, devices are forwarding events to a Syslog-NG that put data in a file and this file is monitored by the SplunkForwarder installed on the same server. Data is then sent to the cluster indexers.

We use Splunk 7.1.2.

Thank you for your help.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...