Hi Folks, I am working with Symantec and am having a problem where the TA's field extractions are not working.
2018-10-31T09:39:35-05:00 XXXXXXXXX SymantecServer: YYYYYYYYY,SHA-256: ,MD-5: ,Local: 111.111.11.111,Local: 2,Local: 3417EBD1F04F,Remote: 222.222.222.252,Remote: ,Remote: 0,Remote: 01005E0000FC,8,Outbound,Begin: 2018-10-31 08:08:13,End: 2018-10-31 08:08:13,Occurrences: 1,Application: ,Rule: Allow IGMP traffic,Location: Default,User: user,Domain: BLAH.COM,Action: Allowed
The fields Application_Name, Begin_Time, End_Time, Local_Host_MAC, Network_Protocol, Remote_Host_IP, Remote_Host_Name, Remote_Port are not parsing correctly.
My input's sourcetype is set to Symantec:ep:syslog.
Any suggestions?
Thx
Andrew
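One way to see why these particular fields go wrong is to parse the posted line yourself. The example below is added here and is not code from the original post or from the Symantec TA. It splits the message body on commas, handles the repeated `Local:` and `Remote:` keys positionally, and keeps a whitespace-only value such as `Remote: ` or `Application: ` as an explicit empty field. The positional labels (`Local_Host_IP`, `Local_Port`, `Local_Host_MAC`, `Remote_Host_IP`, `Remote_Host_Name`, `Remote_Port`, `Remote_Host_MAC`), the treatment of the bare `8` token as `Network_Protocol` and `Outbound` as `Direction`, and the `server_name` label for the first token are assumptions made for this example, not the TA's documented mapping. A second, deliberately naive function shows the failure mode: a `\S+`-style extraction cannot match an empty value, so it runs into the next field.

```python
"""Parse a Symantec Endpoint Protection syslog line of the kind posted above.

Added example (not the TA's own extraction). It shows how an empty value
("SHA-256: ", "Remote: ", "Application: ") is preserved by a positional parser
and how a naive regex misattributes the following field instead.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the line from the question, values already anonymised there.
SAMPLE = (
    "2018-10-31T09:39:35-05:00 XXXXXXXXX SymantecServer: YYYYYYYYY,SHA-256: ,MD-5: ,"
    "Local: 111.111.11.111,Local: 2,Local: 3417EBD1F04F,Remote: 222.222.222.252,"
    "Remote: ,Remote: 0,Remote: 01005E0000FC,8,Outbound,Begin: 2018-10-31 08:08:13,"
    "End: 2018-10-31 08:08:13,Occurrences: 1,Application: ,Rule: Allow IGMP traffic,"
    "Location: Default,User: user,Domain: BLAH.COM,Action: Allowed"
)

# Positional names for the repeated "Local:" / "Remote:" keys.
# Assumption for this example, not the TA's field mapping.
LOCAL_NAMES = ["Local_Host_IP", "Local_Port", "Local_Host_MAC"]
REMOTE_NAMES = ["Remote_Host_IP", "Remote_Host_Name", "Remote_Port", "Remote_Host_MAC"]

# Single-occurrence keys renamed to the field names used in the question.
RENAME = {"Begin": "Begin_Time", "End": "End_Time", "Application": "Application_Name"}

HEADER_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+SymantecServer:\s+(?P<body>.*)$"
)
# Key runs up to the first colon; the value may be empty, which is the point.
KV_RE = re.compile(r"^(?P<key>[^,:]+):\s?(?P<value>.*)$")


def split_body(body: str) -> List[str]:
    """Split the message body on commas (no embedded commas in this format sample)."""
    return body.split(",")


def parse_line(line: str) -> Dict[str, Optional[str]]:
    """Return a dict of named fields; empty values become None rather than vanishing."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a SymantecServer syslog line")
    fields: Dict[str, Optional[str]] = {"timestamp": m["timestamp"], "host": m["host"]}
    tokens = split_body(m["body"])
    fields["server_name"] = tokens[0]  # assumption: first positional token
    local_i = remote_i = 0
    bare: List[str] = []  # tokens without a "Key:" prefix, e.g. "8" and "Outbound"
    for tok in tokens[1:]:
        kv = KV_RE.match(tok)
        if not kv:
            bare.append(tok)
            continue
        key = kv["key"].strip()
        value = kv["value"].strip() or None
        if key == "Local":
            if local_i < len(LOCAL_NAMES):
                fields[LOCAL_NAMES[local_i]] = value
            local_i += 1
        elif key == "Remote":
            if remote_i < len(REMOTE_NAMES):
                fields[REMOTE_NAMES[remote_i]] = value
            remote_i += 1
        else:
            fields[RENAME.get(key, key)] = value
    # Assumption: the two bare tokens are the numeric protocol and the direction.
    if len(bare) >= 2:
        fields["Network_Protocol"] = bare[0]
        fields["Direction"] = bare[1]
    return fields


def naive_application(line: str) -> Optional[str]:
    """The failing pattern: \\S+ needs at least one non-space character, so on
    "Application: ,Rule: ..." it captures ",Rule:" instead of an empty value."""
    m = re.search(r"Application: (\S+)", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, val in sorted(parse_line(SAMPLE).items()):
        print(f"{name:18} = {val!r}")
    print("naive Application_Name =", repr(naive_application(SAMPLE)))
```

Running the script prints the positional parse next to the naive result, which makes the cascade visible: once one empty field is swallowed by a greedy token match, every field after it in the same pattern is shifted. The same comparison, fed a few lines from your own index with and without empty values, is a quick way to confirm whether the extraction in use is the piece that needs fixing.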