We currently have:
- 4 indexer peers
- 1 heavy forwarder, which forwards FireEye logs (which are syslogged to a folder monitored by the HF) to Splunk
- FireEye EX, and soon NX
I have installed the FireEye-App on the search heads, and currently have the Add-on/TA on the heavy forwarder.
Can anyone confirm whether I have to install the Add-on/TA on the indexers as well?
Any help would be great. There is a lot of documentation on the FireEye App, but not much on the Add-on/TA.
We are currently getting some basic data in the App, but I would have expected more?
Thanks in advance
Answered my own question.
Looks like I had to make sure I was using the right sourcetype for this to work.
Used a custom folder monitor for the syslog events, ensuring the fe sourcetype was used. Installed the app on the SH.
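As an added illustration of the fix described in that answer (this is example configuration written for this page, not from the original poster or from the FireEye Add-on), here is what the folder monitor looks like in inputs.conf on the heavy forwarder, with the problematic stanza beside the corrected one. The directory path, the index name and the sourcetype value `fe_cef_syslog` are assumptions; take the actual sourcetype name from the Add-on/TA's own props.conf, matching the syslog format (CEF, XML, JSON or CSV) configured on the appliance.

```ini
# Added example: inputs.conf on the heavy forwarder (not from the original post).
# Path, index and sourcetype below are assumptions for illustration.

# Problematic: no sourcetype set. Splunk auto-types the data as "syslog", so none of
# the FireEye Add-on's sourcetype-bound props (extractions, tags, event types) apply
# and the App's dashboards stay mostly empty.
#[monitor:///var/log/fireeye]
#disabled = 0
#index = fireeye

# Corrected: pin the FireEye sourcetype so the Add-on's knowledge objects match.
[monitor:///var/log/fireeye]
disabled = 0
index = fireeye
sourcetype = fe_cef_syslog
```

To confirm the data is landing with the intended sourcetype, run something like `| tstats count where index=fireeye by sourcetype` on the search head; if the only sourcetype shown is `syslog`, the stanza above has not taken effect. Because the heavy forwarder parses the events, the Add-on's index-time settings must be present there, while the search head needs the Add-on's search-time knowledge (field extractions and tags) for the App's searches to resolve.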