
Trend Micro Deep Security sourcetypes not being rewritten into Splunk cluster

Gil_Heron
New Member

I installed Trend Micro Deep Security on a standalone test server.
Everything ran as expected: inputs.conf sets the index to av_int_deepsecurity and the sourcetype to deepsecurity.
Then props.conf and transforms.conf rewrite the sourcetype to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching in the app shows events with different sourcetypes: deepsecurity-firewall, deepsecurity-antimalware, etc.

I installed Trend Micro Deep Security in a productive cluster.
I pushed the app to Search Heads, Indexers and Forwarders, but searching in the app does not show events with different sourcetypes (deepsecurity-firewall, deepsecurity-antimalware, etc.). It only shows events with sourcetype deepsecurity.

The test standalone server is working fine. The productive cluster is not working as expected... What did I do wrong?

Splunk here is 7.1.2.

Devices are sending machine data to a server with Syslog-NG that writes files. These files are monitored by a SplunkForwarder that forwards the data to the productive cluster. These files are also copied by a batch job to the test standalone server.

Thank you for your help.

I installed Trend Micro Deep Security on a standalone test server.
inputs.conf puts the data in index av_int_deepsecurity and sets the sourcetype to deepsecurity.
props.conf and transforms.conf rewrite sourcetypes to deepsecurity-firewall, deepsecurity-antimalware, etc.
Searching events from the app, I see deepsecurity-firewall, deepsecurity-antimalware, etc. as expected.

Then I installed Trend Micro Deep Security in the productive cluster.
Searching events from the app, I see only sourcetype deepsecurity and NOT deepsecurity-firewall, deepsecurity-antimalware, etc. as expected.

I installed the app on Search Heads, on Indexers, on the Master and on Heavy Forwarders, without success.

What did I do wrong?

In the standalone test, we copy a file that is monitored by the standalone server.
In the cluster, devices forward events to a Syslog-NG that puts the data in a file, and this file is monitored by the SplunkForwarder installed on the same server. The data is then sent to the cluster indexers.

We use Splunk 7.1.2.

Thank you for your help.
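For readers comparing their own deployment with the one described above, here is the shape of the props.conf/transforms.conf pair that performs an index-time sourcetype rewrite of this kind. This is an added illustration, not the configuration shipped with the Trend Micro Deep Security app: the stanza names (`ds_set_firewall`, `ds_set_antimalware`) and the two regular expressions are placeholders chosen for the example, and the app's real stanzas and patterns will differ.

```ini
# props.conf
# Attach the rewrite transforms to the sourcetype assigned by inputs.conf.
# The TRANSFORMS- class is evaluated at index time (parsing), not at search time.
[deepsecurity]
TRANSFORMS-ds_route = ds_set_firewall, ds_set_antimalware

# transforms.conf
# Each stanza tests the raw event against REGEX and, on a match,
# overwrites the sourcetype field stored with the event.
[ds_set_firewall]
REGEX = (?i)firewall            ; placeholder pattern, constructed for this example
FORMAT = sourcetype::deepsecurity-firewall
DEST_KEY = MetaData:Sourcetype

[ds_set_antimalware]
REGEX = (?i)anti[- ]?malware    ; placeholder pattern, constructed for this example
FORMAT = sourcetype::deepsecurity-antimalware
DEST_KEY = MetaData:Sourcetype
```

Because `DEST_KEY = MetaData:Sourcetype` is an index-time operation, it runs exactly once, on the first full Splunk instance that parses the event: a heavy forwarder if one sits in the path, otherwise the indexers. A universal forwarder does not parse events, and search heads never apply index-time transforms, so the copy of the app that matters is the one on whichever tier parses the data coming from the Syslog-NG host. On that instance, `splunk btool props list deepsecurity --debug` and `splunk btool transforms list --debug` show which files the effective stanzas come from, which is the quickest way to confirm the rewrite rules are actually present where parsing happens.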
