topic Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs? in All Apps and Add-ons

Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

daviddavies_civ — Tue, 29 Sep 2020 07:28:58 GMT

I'm having a little bit of a problem with the fields not being correctly formatted from the SEP EP logs and would really appreciate a little help & guidance.

Here is a brief environment summary:

Search head & indexer running Splunk Enterprise 6.2.6
SEP Management Server configured to export logs to dump files
Splunk Forwarder 6.2.6-274160 installed on the SEP Management Server

Here is a summary of what I have done:

Installed Splunk Add-on for Symantec Endpoint Protection 2.0.1 on the search head
Moved Splunk_TA_symantec-ep from apps to deployment-apps
Created an index on the indexer called symantecep
Inputs configured in the deployment app as recommended, defining the monitor index as symantecep, .e.g.:

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
index = symantecep
sourcetype = symantec:ep:admin:file
disabled = 0
App successfully deployed to the SEP client via a server class
The logs are appearing on the search head in the index specified but the fields are not being extracted.

I have attached screenshots of how the search results appear in the search head.

My assumption is that the app runs on the forwarder which collects the information, assigns source types, carries out field extraction, and then forwards them to the indexer, so please correct me if that's wrong.

Many Thanks,
David

Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

mreynov_splunk — Tue, 06 Oct 2015 21:24:35 GMT

Sourcetypes are assigned at index time, so the app should be installed on the indexer as well.

by SEP client, do you mean SEP Manager?

Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

daviddavies_civ — Tue, 06 Oct 2015 22:31:47 GMT

Thank you for taking a look at my little SEP problem.

I'll deploy the app to the indexer in the morning and give that a go. That does makes sense as it's the indexer that's processing the logs with the search head then going through it. I'm still relatively new to Splunk so I'm learning as I'm going along.

And yes, I meant the SEP Manager. I was referring to it being a forwarder so a client in the eyes of Splunk.

Thanks again and hopefully I'll come back tomorrow with good news.

Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

daviddavies_civ — Wed, 07 Oct 2015 09:15:40 GMT

I'm afraid that's not fixed the issue.

The app has been successfully deployed to the indexer but the logs still appear as they did in the original screenshots.

Any suggestions on where I should look for troubleshooting?

Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

daviddavies_civ — Wed, 07 Oct 2015 16:01:24 GMT

Installing the app on the forwarder and the search head in the end resolved the problem, which was largely down to me not fully appreciating that an app has multiple components.

I have also deployed it back to the indexer for completeness.

Thank you for your help!

Re: Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

mreynov_splunk — Wed, 07 Oct 2015 23:20:06 GMT

Great to hear! Keep on Splunking!