Hi, TA-trendmicro is indeed delivered with Splunk Enterprise Security. To deploy it in a distributed environment, you will need to extract the add-on from the Splunk ES package and install/configure it across your indexers (cluster) and the forwarder running TMCM.
In TMCM you need to configure the alerts you are interested in to write an event to the Application Windows Event Log. TMCM events will be processed by TA-trendmicro, which assigns sourcetypes and tags, extracts fields, etc., so they become available to the ES Data Models.
I got the data into Splunk, properly tagged, sourcetype and all. However, I don't find the data in ES? Did you? What more is needed?
Thanks,
JohMut
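To narrow down why tagged events do not show up in ES, the three searches below (an added example, not part of the thread) check each stage in turn: raw events arriving from the Windows Application log, the CIM tags the Malware data model requires, and whether the data model itself sees them. It assumes the TMCM events are collected as `source=WinEventLog:Application` with a provider name starting with "Trend" and that TA-trendmicro maps them to the Malware data model; adjust the `SourceName` filter and data model if your environment differs.

```spl
source="WinEventLog:Application" SourceName="Trend*"
| stats count by index sourcetype eventtype

source="WinEventLog:Application" SourceName="Trend*"
| stats count by tag
| search tag="malware" OR tag="attack"

| tstats summariesonly=false count from datamodel=Malware.Malware_Attacks
  by Malware_Attacks.dest Malware_Attacks.signature
```

If the first search returns events but the second shows no `malware`/`attack` tags, the TA's eventtypes are not matching (check the sourcetype it expects on the indexers); if the tags are present but the third search is empty, the Malware data model is not accelerated or its index constraint in ES excludes the index the events landed in.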