We have already set up the app, but the data coming from FireEye is not properly parsed or fields are missing. To get an idea of our setup, please see below.
The FireEye appliance, configured with rsyslog, sends to a heavy forwarder that forwards to our indexers. In the heavy forwarder, syslog messages are being dumped to a file using syslog-ng. From there, we define the directory path as a data input, which is then forwarded as the file updates with new logs.
We have installed the FireEye App on the Search Head, but no TA for any of the indexers.
Any thoughts on what items we are still missing? Parsing the app alone will be tedious work.
jmallorquin is most likely correct in that additional data is being added to the beginning of each event packet, which is preventing the transforms from parsing the data correctly. Thus the sourcetype and eventtype are probably not being correctly populated, which prevents the dashboards from displaying the data correctly (if at all).
Your setup is a bit unique in that you are not merely sending the data directly via HTTPS or syslog. Due to the additional complexity (HF -> Indexer -> read from file) the events are being munged somewhere. Since this scenario is specific to your instance, I would recommend contacting me via the Help -> Send Feedback mechanism within the app itself.
Then we will post a generic solution here for the rest of the folks after we figure out a graceful solution.
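The following is an added example, not code from the thread or from the FireEye app, showing how a practitioner could verify the answer's hypothesis before touching any transforms: read the syslog-ng output file and check whether each line carries extra header data ahead of the point where the app's parsing is expected to begin. The sample lines are constructed; the choice of the "fenotify-<id>:" program tag as the payload start, the hostnames and the field names are assumptions for illustration only.

```python
import re

# Constructed sample lines (not from the thread), each representing one line
# as written by a syslog-ng file destination on the heavy forwarder. The first
# line shows a doubled header: the forwarder's own timestamp/host followed by
# the appliance's original timestamp/host. The third line is an unrelated
# program that should not be fed to the FireEye transforms at all.
SAMPLE_LINES = [
    "2016-03-01T10:15:42+00:00 hf01 2016-03-01T10:15:41+00:00 fireeye-mps "
    "fenotify-1001: alert=malware-object severity=majr src=10.0.0.5",
    "2016-03-01T10:15:43+00:00 hf01 fireeye-mps "
    "fenotify-1002: alert=web-infection severity=minr src=10.0.0.6",
    "2016-03-01T10:15:44+00:00 hf01 fireeye-mps cron[123]: unrelated line",
]

# Assumed anchor for this example: the event the app expects begins at the
# program tag "fenotify-<id>:". Everything before it is header prepended by
# the syslog chain (rsyslog on the appliance, syslog-ng on the forwarder).
PAYLOAD_START = re.compile(r"(fenotify-\d+:\s.*)$")


def find_prefix(line):
    """Split one file line into (prefix, payload).

    prefix  - any text that precedes the expected payload start
    payload - the text from the payload start to end of line
    Returns (None, None) when the line contains no recognisable payload.
    """
    m = PAYLOAD_START.search(line)
    if not m:
        return None, None
    return line[:m.start()], m.group(1)


def strip_prefix(line):
    """Return the line with the syslog header prefix removed, or the line
    unchanged when no payload start is found (so nothing is silently lost)."""
    _, payload = find_prefix(line)
    return payload if payload is not None else line


def audit(lines):
    """Summarise how many lines carry a prefix and how many have no payload.

    A high 'prefixed' count confirms the answer's hypothesis that extra data
    in front of each event is what breaks the transforms; 'unmatched' lines
    are candidates for a separate sourcetype rather than the FireEye one.
    """
    prefixed = unmatched = 0
    for line in lines:
        prefix, payload = find_prefix(line)
        if payload is None:
            unmatched += 1
        elif prefix:
            prefixed += 1
    return {"total": len(lines), "prefixed": prefixed, "unmatched": unmatched}


if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(strip_prefix(line))
```

Run against a few hundred lines of the real syslog-ng output file; if nearly every line reports a prefix, the fix belongs at ingest time (the same regex idea can be expressed as a SEDCMD in a props.conf stanza for that sourcetype, or the syslog-ng file template can be changed to write only the message) rather than in the app's transforms.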