I can't use syslog from the Deep Security Cloud solution to Splunk Cloud. So I use log forwarding to SNS, and in AWS I forward the incoming event to Splunk Cloud. I put the events in the correct sourcetypes in Splunk and I see the data is coming in, but the dashboards stay empty.
It looks like the names of the items do not match what the app is searching for.
The general approach is to hover in the lower corner of the dashboard panel and click Open in search. Then you have the search that powers the panel. Now strip off everything after the last pipe ( | ) character and re-run the search. Keep doing this until you have data, then figure out why the stuff you removed isn't working. It will probably be a sourcetype value inside of an eventtype that does not match.
If I strip off everything after the last pipe, I get events.
E.g. the Trend app is looking for cef_severity, dvchost, LI_Description, etc., but the SNS log from Trend has severity, OSSEC_Hostname and OSSEC_Description.
I changed the searches, trying to find something that matches. And this works...
But I am afraid that when the first update of the Trend app comes along, the original searches are back and the app will break again.
Also, I am not sure if the replacement keys I used give the same results as the original.
Question 1: Can I change the dashboards without consequences for new versions of the Trend app?
Question 2: Is there a translation table between the SNS (OSSEC, etc.) and Trend app (CEF) keys?
I think it is strange that Trend uses different keys for this, but maybe I am the only one 🙂
A1: No. The consequence is that the KO that you changed will never be changed by app upgrades; your local change will always override those app changes.
A2: I am speaking in generalities and I do not know the specifics of this app and AWS but you should definitely contact the app developer.
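One way to bridge the key mismatch described in the thread without editing the app's dashboards at all is a field alias in a local props.conf, so the app's own searches keep working and survive an app upgrade. This is an added illustration, not configuration from the thread or from Trend's app; the stanza name is a placeholder for whatever sourcetype the SNS-forwarded events were assigned, and only the three field pairs actually named in the thread (severity, OSSEC_Hostname, OSSEC_Description mapped to cef_severity, dvchost, LI_Description) are covered.

```ini
# Added example props.conf fragment (not from the thread or the Trend app).
# Put it in the app's local/ directory or in a small custom app so it is not
# overwritten on upgrade. Replace the placeholder stanza name with the sourcetype
# you assigned to the Deep Security events arriving via SNS.
[<your_trend_sns_sourcetype>]
# Expose the OSSEC-style keys in the SNS events under the CEF-style names the
# Trend app's searches expect. The original fields remain available.
FIELDALIAS-trend_cef_severity    = severity AS cef_severity
FIELDALIAS-trend_cef_host        = OSSEC_Hostname AS dvchost
FIELDALIAS-trend_cef_description = OSSEC_Description AS LI_Description
```

Two checks are worth doing afterwards. First, the pipe-stripping method from the earlier reply still applies: if a panel's eventtype filters on a specific sourcetype, the alias must be defined on that same sourcetype or the search will still return nothing. Second, an alias only renames a field; it does not guarantee the values mean the same thing (for example, a severity scale in the SNS payload may not match what the app expects in cef_severity), so compare a few aliased events against the panel's expectations before relying on the dashboards for detection.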