×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
akadmin
Observer
Member since: ‎11-09-2020
‎08-29-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-09-2020
View All

Re: Trend Micro Deep Security for Splunk - sourcet...

by in All Apps and Add-ons
‎01-25-2021 08:35 AM
‎01-25-2021 08:35 AM
Yeah, so I'm just configuring syslog inputs on separate ports into different sourcetypes, one for each Trend module. Ex:  I configure trend to send syslog for the "AntiMalware" module to my HF on port 5140, then on the HF, I configure a syslog input that feeds into a sourcetype called "deepsecurity-antimalware", then I'd use port 5141 and so-on for the rest of the modules If you do that the app picks up the data in the proper dashboards on the search head.   Also, you may want to consider feeding the syslog into text files in /var/log on your HF, then configuring the HF to read from each file and input it into the sourcetype that way.  For some reason syslog doesn't seem to be reliable when you feed it into the HF directly as a Splunk input. ... View more

Re: Trend Micro Deep Security for Splunk - sourcet...

by in All Apps and Add-ons
‎01-25-2021 07:44 AM
‎01-25-2021 07:44 AM
Just FYI - I had absolutely 0 luck finding any support for this, so I just did separate syslog listeners for each module and stored them into the sourcetype name the app was requesting.  Fortunately Trend has it configurable to do it like that within the admin console (diff syslog stream for each module) so it wasn't a tough setup, just sucks it does not work as advertised and there's no support. ... View more

Trend Micro Deep Security for Splunk - sourcetype ...

by in All Apps and Add-ons
‎11-09-2020 08:01 AM
‎11-09-2020 08:01 AM
It appears that according to the documentation, I should be able to configure Trend to forward all module events to Splunk via syslog, and then store it into a file and monitor that file with Splunk as an input, and that sourcetype is supposed to be "deepsecurity".   On the "details" page on Splunk's website for the app - it states this: "It is highly recommended that you follow the Splunk best practices for syslog, and that you configure rsyslog or syslog-ng to write syslog output to a file which can then be collected by a Splunk forwarder and sent to the Splunk server. You need to ensure that the Splunk forwarder sets the sourcetype to deepsecurity when forwarding events to a Splunk receiver."   I have an on-prem HF, and a Splunk Cloud Search Head.  The app is installed on the Search Head, and the HF is storing the trend data as "deepsecurity" sourcetype.  Then, what's supposed to happen (to my understanding) is the app is configured to rewrite the sourcetype field to the appropriate module.   Ex:  deepsecurity -> deepsecurity-antimalware   The problem -------------------------- Search Head gets the data and the app never rewrites the sourcetype, so everything is being seen as "deepsecurity" and none of the dashboard panels populate.   What am I doing wrong?  Do I need the Trend app on my HF as well?  The HF doesn't index anything. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-29-2022 09:02 AM