FireEye EX and NX appliances are configured to send events (CEF, TCP syslog) to a Heavy Forwarder, then on to a pair of clustered Indexers.
I installed the FE TA Add-on onto the HF, and the FE TA Add-on onto the Indexers (via the Cluster Master, using 'apply cluster-bundle').
I also installed the FE App onto the Search Head.
I'm using a custom index for FE events, so I customised eventtypes.conf, props.conf and transforms.conf on HF, Indexers and SH, together with an appropriate stanza in inputs.conf on the HF.
All seems to work well, except that every FE event is duplicated in the index (two identical events) - checked in the Search App.
Should I not have installed the FE Add-on onto the Indexers? Or is there another explanation?
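A way to triage the duplication before changing anything, added here as an example and not part of the original post or of any Splunk, FireEye or TA code: export a sample of the duplicated events with their index-time metadata (a search such as `index=<your FE index> | table _time _raw host source sourcetype splunk_server` gives the needed columns) and check along which metadata field the identical copies differ. The index name, hostnames, indexer names and CEF payloads below are constructed for illustration.

```python
"""Triage duplicate events pulled from a Splunk search.

Added diagnostic for the duplication described above; this is not Splunk,
FireEye or TA code. The rows below mimic what a search such as
  index=fe_idx | table _time _raw host source sourcetype splunk_server
would return once exported as JSON. The index name, hostnames, indexer
names and CEF payloads are constructed for illustration.
"""
from collections import defaultdict

METADATA_FIELDS = ("host", "source", "sourcetype", "splunk_server")

# Constructed sample: two FE alerts, each present twice, plus one single event.
# The first pair differs only in the indexer that holds it; the second pair
# also differs in sourcetype, i.e. the two copies went through different
# index-time pipelines.
SAMPLE_EVENTS = [
    {"_time": 1612137600, "_raw": "CEF:0|FireEye|NX|8.2|MO|malware-object|8|rt=Feb 01 2021 00:00:00 UTC src=10.0.0.5",
     "host": "fe-nx-01", "source": "tcp:514", "sourcetype": "fe_cef_syslog", "splunk_server": "idx-a"},
    {"_time": 1612137600, "_raw": "CEF:0|FireEye|NX|8.2|MO|malware-object|8|rt=Feb 01 2021 00:00:00 UTC src=10.0.0.5",
     "host": "fe-nx-01", "source": "tcp:514", "sourcetype": "fe_cef_syslog", "splunk_server": "idx-b"},
    {"_time": 1612137660, "_raw": "CEF:0|FireEye|EX|8.2|MC|malware-callback|9|rt=Feb 01 2021 00:01:00 UTC dst=192.0.2.10",
     "host": "fe-ex-01", "source": "tcp:514", "sourcetype": "fe_cef_syslog", "splunk_server": "idx-a"},
    {"_time": 1612137660, "_raw": "CEF:0|FireEye|EX|8.2|MC|malware-callback|9|rt=Feb 01 2021 00:01:00 UTC dst=192.0.2.10",
     "host": "fe-ex-01", "source": "tcp:514", "sourcetype": "syslog", "splunk_server": "idx-a"},
    {"_time": 1612137720, "_raw": "CEF:0|FireEye|NX|8.2|IPS|ips-event|5|rt=Feb 01 2021 00:02:00 UTC src=10.0.0.9",
     "host": "fe-nx-01", "source": "tcp:514", "sourcetype": "fe_cef_syslog", "splunk_server": "idx-b"},
]


def group_duplicates(events):
    """Group events with identical (_time, _raw); keep only groups with more than one copy."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["_time"], ev["_raw"])].append(ev)
    return {key: copies for key, copies in groups.items() if len(copies) > 1}


def differing_fields(copies):
    """Metadata fields whose values are not identical across the copies of one event."""
    return sorted(f for f in METADATA_FIELDS if len({c.get(f) for c in copies}) > 1)


def triage(events):
    """Summarise how many events are duplicated and along which metadata the copies differ."""
    dupes = group_duplicates(events)
    report = []
    for (_time, raw), copies in sorted(dupes.items()):
        report.append({
            "_time": _time,
            "raw_prefix": raw.split("|rt=")[0],  # CEF header up to the extension fields
            "copies": len(copies),
            "differs_in": differing_fields(copies),
        })
    return {
        "total_events": len(events),
        "distinct_events": len({(e["_time"], e["_raw"]) for e in events}),
        "duplicate_groups": report,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Reading the output: copies that are identical in host, source and sourcetype and differ only in splunk_server mean the same event was written twice on the indexing side, so the cause sits in the forwarding or input path rather than in parsing. Copies that also differ in sourcetype mean two different index-time pipelines each produced a copy, which is where the props.conf and transforms.conf stanzas on the HF and Indexers are worth comparing.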