FireEye Internals Monitoring

Summary:
FireEye produces two types of logs: security event logs (the primary function of FireEye) and internal system logs (logs about the appliance itself). Most users do not use the internal system logs, or are not even aware that they are available. Sometimes the appliances are configured to send both types via syslog, and the two kinds of messages end up mixed in one feed. To monitor the health of all security appliances, this dashboard was created to track FireEye health beyond the basic stoplight status that the vendor provides.

Use Case:
Understand what is going on with the FireEye appliances, monitor detailed appliance health, and determine when vendor support is needed.  Provide positive confirmation that the system is performing as expected.

Solution:
Configure FireEye to send its security event logs via HTTPS instead of syslog. This separates the two feeds at the ingest pipeline. Then, inside the FireEye CLI, turn on syslog logging; the CLI syslog setting enables system-level logging for the appliance. Point that syslog feed to sourcetype=fireeye.
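As an added example (not code from the original post), assuming the syslog feed is indexed in Splunk under sourcetype=fireeye and that 30 minutes without a message is an arbitrary silence threshold: a search that gives the positive confirmation the use case asks for by listing each appliance, how many internal log messages it produced in the last day, and how long it has been quiet.

```spl
sourcetype=fireeye earliest=-24h
| stats latest(_time) AS last_seen count AS events_24h BY host
| eval minutes_silent = round((now() - last_seen) / 60)
| eval status = if(minutes_silent > 30, "SILENT", "OK")
| fieldformat last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host events_24h last_seen minutes_silent status
| sort - minutes_silent
```

An appliance that sent nothing in the whole 24-hour window will not appear at all, so compare the result against an inventory of expected hosts rather than relying on the list alone.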

Dashboard Code:
