All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does the Splunk Add-on for Symantec Endpoint Protection work with SEPM 12.x logs collected via Syslog?

klaxdal
Contributor
‎06-30-2015 04:07 AM

Hi I am currently acquiring SEPM logs via syslog and utilizing the old Symantec app . I noticed in the documentation that log dump files are required . Will the app work with syslog output ?

Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎07-08-2015 09:52 AM

knowledge management is applied to the sourcetype. If the data in your syslog stream is structured the same as in the dump files, then applying the same sourcetype should make it work.

View solution in original post

Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎07-08-2015 09:52 AM

knowledge management is applied to the sourcetype. If the data in your syslog stream is structured the same as in the dump files, then applying the same sourcetype should make it work.

Reply
Solved! Jump to solution

klaxdal
Contributor
‎07-08-2015 10:08 AM

Thanks ! I will give it a try

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎11-12-2015 08:17 AM

What sourcetype needs to be applied?

I am sending Symantec logs via syslog to my Splunk server in which one file per day is written to disk and I have Splunk monitoring the directory. The issues I have are 1) How to configure the inputs.conf file (does every line in the stanza simply point to the same directory?), and 2) What sourcetype do I select to ensure Splunk correctly parses out various Symantec log formats from the one log file

Thx,
Jeff

0 Karma
Reply
Solved! Jump to solution

jorgepinto1
Explorer
‎07-13-2015 02:33 PM

The structure of the logs is different from those written on disk. Also, anyone know any expedite way to rotate the logs written on disk by SEP?

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-30-2015 11:13 AM

Hi @klaxdal

Just to clarify for other users, but are you referring to the Splunk Add-on for Symantec Endpoint Protection? That's what you tagged in your post, but you mentioned using the "old Symantec app". Were you actually referring to the "Splunk for Symantec" app?
https://splunkbase.splunk.com/app/1365/

0 Karma
Reply
Solved! Jump to solution

klaxdal
Contributor
‎07-01-2015 08:32 AM

Correct - to clarify I am using the old TA's which allow me to retrieve the logs via Syslog . Can I set this up as the same ?

Kris

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top