Solved: Where do I install the FireEye Add-on for Splunk E...

gerald_contrera · ‎03-26-2018

Hi all,

We currently have
4- indexer peers
1- heavy forwarder which forwards FireEye logs (which syslog to a folder and is monitored by HF) to splunk.
- FireEye EX and soon NX

I have installed the FireEye-App on the search heads, and currently have the Add-on/TA on the heavy forwarder.
Can anyone confirm if i have to install the add-on/TA on the indexers also?

Any help would be great, there is a lot of doco on the FireEye App, but not much on the Add-on/TA.

We are currently getting some basic data in the App. But i would have expected more?

Thanks in advance

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

View solution in original post

gerald_contrera · ‎04-26-2018

Answered my own.
Looks like I had to make sure I was using the right source type for this to work.

Used custom folder monitor syslog events ensuring to use fe sourcetype. Installed app on SH.

Where do I install the FireEye Add-on for Splunk Enterprise?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Where do I install the FireEye Add-on for Splunk Enterprise?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0