topic Re: Monitoring Trellix log in Splunk Enterprise

Monitoring Trellix log

sswigart — Mon, 28 Jul 2025 22:18:21 GMT

I have a requirement to monitor log files created by Trellix on my windows 11 and 2019 hosts.

The log files are located at C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log

\ExploitPrevention_Activity.log

\OnDemandScan_Activity.log

\SelfProtection_Activity.log

My stanza in the input.conf are configured as:

[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log

disabled = 0

index = winlogs

sourcetype = WinEventLog:HIPS

start_from = oldest

current_only = 0

checkpointInterval = 5

renderXel = false

Same format for each log.

For some reason Splunk is not ingesting the log data.

Re: Monitoring Trellix log

livehybrid — Mon, 28 Jul 2025 22:46:30 GMT

Hi @sswigart

Please can you confirm if you can see the _internal events for the hosts which are monitoring those files?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Monitoring Trellix log

sswigart — Tue, 29 Jul 2025 14:08:13 GMT

Sir,

When I do a query (index=_internal) looking for records from any of the logs, there are no results.

Re: Monitoring Trellix log

PickleRick — Tue, 29 Jul 2025 16:30:10 GMT

No, the question wasn't for the logs from the Trellix solution. The question is whether you're geting any Splunk forwarder's own events into your _internal index from the hosts from which you will also want to pull Trellix events.

Also - where and how are you putting those inputs.conf settings?

Re: Monitoring Trellix log

livehybrid — Tue, 29 Jul 2025 21:37:51 GMT

Apologies if I wasnt previously clear - the purpose of the check in the _internal index is to check that your forwarder is successfully sending its own internal logs to your indexer(s) - this allows us to establish if the cause is due to a forwarding issue from the forwarder, or a problem reading in the data.

Do you see your forwarder host sending *any* logs (not specific to Trellix) in the _internal index?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Monitoring Trellix log

sswigart — Mon, 04 Aug 2025 21:06:27 GMT

I am getting records from 5 or more .log s .

Re: Monitoring Trellix log

sswigart — Mon, 04 Aug 2025 21:13:10 GMT

I am using the Splunk Add-on for Microsoft Windows.

The inputs.conf files on the hosts are located in:

C:\SplunkUF\etc\apps\Splunk_TA_windows\local\inputs.conf