How to configure Splunk For Symantec with a Splunk distributed architecture?

o_calmels
Communicator

Hi, I've just set up the Splunk For Symantec App in my distributed architecture.
On the forwarder, I set an inputs.conf stanza listening on TCP port 514 and forwarding data to the index symantec with sourcetype sep12:log:

[tcp://X.X.X.X:514]
connection_host = ip
index = symantec
sourcetype = sep12:log
disabled = 0

On each of my two indexers, I installed the sep12 TA.

On my Search Head, I installed the app and configured it to read data from the index symantec.

When I receive data from SEPM, the data are indexed in the index symantec with sourcetype sep12:log.
The app is looking for sourcetypes like sep12:agent or sep12:policy, etc., as they are defined in props.conf and transforms.conf.

I think field extraction is not running as desired.

Has somebody tried to use this app in a distributed environment?

Thanks a lot.

Olivier.

1 Solution

o_calmels
Communicator

Hi, I finally found the solution:

The stage at which the add-on modifies the sourcetype is the parsing process (through props.conf and transforms.conf).
Details here ==> http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Advancedsourcetypeoverrides

My architecture has a universal forwarder, and the parsing process is done only on indexers or heavy forwarders. So my universal forwarder sets a sourcetype during the parsing stage, then forwards data to the indexers, which index it without any transformations.

The solution in this case is:

  • install a universal forwarder on my Windows SEPM server
  • configure SEPM to export logs as files (instead of syslog)
  • modify input.conf.local with the SEPM install path

Hope that helps.

Olivier
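
The failure mode in this thread is that the sourcetype rewrite lives in props.conf/transforms.conf and runs only where the parsing phase runs (indexer or heavy forwarder), so events that never pass through a matching rule stay at the input sourcetype and the app's sep12:agent / sep12:policy searches never see them. The script below is an added example, not code from the Splunk For Symantec app or the sep12 TA: it replays a small props.conf/transforms.conf pair against sample events the way the parsing phase would, and reports which events are left at sep12:log. The TRANSFORMS stanzas, regexes and SEPM-style log lines are constructed for illustration and are not the TA's real rules or real SEPM output; swap in the TA's transforms and a few lines exported by your SEPM to check, before deploying, that every exported line lands on a sourcetype the app actually searches.

```python
"""Offline replay of Splunk parsing-phase sourcetype overrides.

Added example; not part of the Splunk For Symantec app or the sep12 TA.
The conf stanzas and log lines below are constructed for illustration.
"""
import configparser
import re

# Constructed props.conf: events arriving as sep12:log run through the listed
# transforms in order, as an indexer or heavy forwarder does during parsing.
# A universal forwarder never executes this step, which is the thread's problem.
PROPS_CONF = """
[sep12:log]
TRANSFORMS-sep12_sourcetypes = sep12_agent_sourcetype, sep12_policy_sourcetype
"""

# Constructed transforms.conf (hypothetical regexes, not the TA's): each rule
# matches on _raw and rewrites MetaData:Sourcetype.
TRANSFORMS_CONF = r"""
[sep12_agent_sourcetype]
REGEX = Event Description:
FORMAT = sourcetype::sep12:agent
DEST_KEY = MetaData:Sourcetype

[sep12_policy_sourcetype]
REGEX = ,Policy:\s
FORMAT = sourcetype::sep12:policy
DEST_KEY = MetaData:Sourcetype
"""

# Constructed events, shaped loosely like SEPM syslog lines; not real SEPM output.
SAMPLE_EVENTS = [
    "Mar  2 10:15:01 SEPM01 SymantecServer: Site: Site_Paris,Server: SEPM01,"
    "Event Description: Client has connected,Domain: Default",
    "Mar  2 10:16:44 SEPM01 SymantecServer: Site: Site_Paris,Server: SEPM01,"
    "Policy: Firewall policy,Event: Policy has been updated",
    "Mar  2 10:17:09 SEPM01 SymantecServer: line that matches no transform",
]


def load_conf(text):
    """Parse Splunk-style .conf text; keys are case-sensitive and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_chain(props, sourcetype):
    """Ordered transform names from every TRANSFORMS-* key of the sourcetype stanza.

    Simplification: Splunk orders TRANSFORMS-<class> keys by class name; here we
    keep file order, which is identical when there is a single class.
    """
    if not props.has_section(sourcetype):
        return []
    names = []
    for key, value in props.items(sourcetype):
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def parse_event(raw, input_sourcetype, props, transforms):
    """Simulate the parsing phase for one event and return its final sourcetype.

    Every listed transform is evaluated; when several rewrite the same DEST_KEY,
    the last matching one wins, as in Splunk.
    """
    sourcetype = input_sourcetype
    for name in transform_chain(props, input_sourcetype):
        if not transforms.has_section(name):
            raise KeyError(f"transforms.conf has no [{name}] stanza")
        rule = transforms[name]
        if rule.get("DEST_KEY") != "MetaData:Sourcetype":
            continue  # index routing, masking etc. are out of scope here
        if re.search(rule["REGEX"], raw):
            sourcetype = rule["FORMAT"].split("sourcetype::", 1)[1]
    return sourcetype


def check_pipeline(events, input_sourcetype="sep12:log",
                   props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Return [(raw, final_sourcetype), ...] for the given events."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [(raw, parse_event(raw, input_sourcetype, props, transforms)) for raw in events]


def unmatched(results, input_sourcetype="sep12:log"):
    """Events still at the input sourcetype: the app's searches would never find them."""
    return [raw for raw, st in results if st == input_sourcetype]


if __name__ == "__main__":
    results = check_pipeline(SAMPLE_EVENTS)
    for raw, st in results:
        print(f"{st:14s} {raw[:60]}")
    for raw in unmatched(results):
        print("NOT REWRITTEN:", raw[:60])
```

Run it with the TA's real props.conf and transforms.conf text and lines exported by your SEPM; any line reported as NOT REWRITTEN is one the app would miss. The replay only models the sourcetype rewrite; it does not cover line breaking, timestamp extraction or search-time field extractions, which the sep12 TA also defines.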
