Solved: Re: Where do I install the FireEye Add-on for Splu...

gerald_contrera · ‎03-26-2018

Hi all,

We currently have
4- indexer peers
1- heavy forwarder which forwards FireEye logs (which syslog to a folder and is monitored by HF) to splunk.
- FireEye EX and soon NX

I have installed the FireEye-App on the search heads, and currently have the Add-on/TA on the heavy forwarder.
Can anyone confirm if i have to install the add-on/TA on the indexers also?

Any help would be great, there is a lot of doco on the FireEye App, but not much on the Add-on/TA.

We are currently getting some basic data in the App. But i would have expected more?

Thanks in advance

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

View solution in original post

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

Where do I install the FireEye Add-on for Splunk Enterprise?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Where do I install the FireEye Add-on for Splunk Enterprise?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers