Solved: Where do I install the FireEye Add-on for Splunk E...

gerald_contrera · ‎03-26-2018

Hi all,

We currently have
4- indexer peers
1- heavy forwarder which forwards FireEye logs (which syslog to a folder and is monitored by HF) to splunk.
- FireEye EX and soon NX

I have installed the FireEye-App on the search heads, and currently have the Add-on/TA on the heavy forwarder.
Can anyone confirm if i have to install the add-on/TA on the indexers also?

Any help would be great, there is a lot of doco on the FireEye App, but not much on the Add-on/TA.

We are currently getting some basic data in the App. But i would have expected more?

Thanks in advance

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

View solution in original post

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

Where do I install the FireEye Add-on for Splunk Enterprise?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update