The tag edr.fireeye.alerts identifies log events generated by FireEye Security Solutions.
This technology uses a single tag to support all of the log events generated by FireEye Security Solutions. The tag is simply edr.fireeye.alerts and the associated events are saved in Devo in a table of the same name. For more information, read more about Devo tags.
To set up the sending of FireEye events to your Devo domain:
- Set up the Devo relay rule that applies the tag to the FireEye events.
- Configure event sending from FireEye to the Devo relay.
Step 1: Set up the Devo relay rule
You'll set up a rule on the relay that will apply the correct tag before forwarding the events to Devo in syslog format.
For complete instructions, see the vendor documentation online.
Create a simple rule on your Devo Relay that applies the edr.fireeye.alerts tag to all events arriving on a specified port. In the example below, we use port 13007 but you should use any port that you can dedicate to these events.
- Source Port → 13007
- Target Tag → edr.fireeye.alerts
- Check the Stop processing and Sent without syslog tag checkboxes.
Step 2: Configure event sending in FireEye
In FireEye, set up a notification rsyslog event type that sends the event data in JSON - Concise format. Then add your Devo Relay as an Rsyslog Server indicating the relay's IP address and the port on which you set up the relay rule in Step 1.
- Go to Settings - Notifications.
- Check the rsyslog Event Type checkbox in the Notification Settings grid.
- Click the rsyslog column heading to open the Rsyslog Settings.
Specify the following, then click Apply Settings.
- Default format → JSON - Concise
- Default delivery → Per event
- Default send as → Alert
In the Rsyslog Server Listing section, click Add Rsyslog Server, then specify the following:
- Enabled → Yes
- IP Address → <DevoRelayIP>
- Delivery → Default
- Notification → All Events
- Format → Default
- Send as → Default
- Account → N/A
- Protocol → TCP
Click Update to save the new Rsyslog server.
To set the relay port that events are sent to, open the FireEye CLI and enter the following command, using the relay IP address and the port you assigned to the relay rule in Step 1:
logging <devo_relay_ip_address> port <relay_port>
logging 220.127.116.11 port 13007
At this point the events should be getting sent to the Devo relay where the correct tag is applied before being securely forwarded to your Devo domain.
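Before pointing the appliance at the relay, it is worth confirming that the relay rule from Step 1 tags and forwards what arrives on its port. The script below is an added example, not part of the Devo or FireEye documentation: it sends one constructed, newline-terminated JSON line over TCP to the relay port and lets you check that it lands in the edr.fireeye.alerts table. The relay address, the port 13007 and the event field names are assumptions (the fields are not the real JSON - Concise schema).

```python
import json
import socket
from datetime import datetime, timezone

# Assumptions (not from the Devo or FireEye documentation): the relay rule from
# Step 1 listens on TCP port 13007 with "Sent without syslog tag" checked, so the
# relay expects one newline-terminated message per event and applies the
# edr.fireeye.alerts tag itself. The field names below are a constructed sample,
# not the real FireEye JSON - Concise schema.
RELAY_HOST = "192.0.2.10"   # placeholder relay IP (TEST-NET-1), replace with <DevoRelayIP>
RELAY_PORT = 13007          # port assigned to the relay rule in Step 1


def build_test_event(alert_id: str = "devo-relay-smoke-test") -> bytes:
    """Return one constructed JSON event framed as a single newline-terminated line."""
    event = {
        "alert": {
            "id": alert_id,
            "name": "Relay connectivity test (constructed sample)",
            "severity": "info",
            "occurred": datetime.now(timezone.utc).isoformat(),
        },
        "appliance": "fireeye-test",
    }
    line = json.dumps(event, separators=(",", ":"))
    return line.encode("utf-8") + b"\n"


def is_single_json_line(payload: bytes) -> bool:
    """Check the framing the relay rule relies on: exactly one JSON object per line,
    terminated by a newline and containing no embedded line breaks."""
    if not payload.endswith(b"\n"):
        return False
    body = payload[:-1]
    if b"\n" in body:
        return False
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


def send_test_event(host: str = RELAY_HOST, port: int = RELAY_PORT, timeout: float = 5.0) -> int:
    """Send one test event over TCP (the protocol chosen in Step 2); return bytes sent."""
    payload = build_test_event()
    if not is_single_json_line(payload):
        raise ValueError("test event is not a single newline-terminated JSON line")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    sent = send_test_event()
    print(f"sent {sent} bytes; search edr.fireeye.alerts in Devo for the test alert id")
```

After running it, search the edr.fireeye.alerts table in Devo for the test alert id; if nothing appears, recheck the relay rule's port, the Target Tag and the Stop processing checkbox before troubleshooting the FireEye side.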