
How to configure and set sourcetype in inputs.conf for Splunk for Symantec?

mfrost8
Builder

We're trying to configure the SplunkforSymantec app v1.03.

I've put the regular app in place and copied TA-sepapp12/ to $SPLUNK_HOME/etc/apps. We're configuring this to listen via a UDP port in TA-sepapp12/local/inputs.conf using a modified copy of TA-sepapp12/default/inputs.conf.local. Where I'm confused is what to set the sourcetype to for the inputs.conf entry.

The comments in the inputs.conf.local file say:

## A default listener
#[udp:516]
#sourcetype=sep
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourcetype of sep is an error

saying I should just set "sourcetype=sep", but then the SplunkforSymantec/README file says the following

#### Configuring the TA ####

Data can be received via syslog or by monitoring the SEP log files on the SEP Manager. To receive data over syslog, manually set the sourcetype for the associated data input to either 'sep11:log' or 'sep12:log'. To monitor the files directly, you should install a Splunk Universal Forwarder on your management console. You'll need to set the log file location in the inputs.conf file and enable the associated file inputs. An example inputs.conf file is provided for you in the app's default directory. It's called inputs.conf.local. The default path in inputs.conf assumes that the SEP Manager is installed in C:\Program Files\Symantec\Symantec Endpoint Protection Manager. Edit this path to the actual location of the SEP Manager if necessary.

which seems to say that I should configure it to be "sourcetype=sep12:log".

Which one of these is correct for a sourcetype setting, "sep" or "sep12:log" if I'm reading the data via UDP for SEP 12?

Thanks


kml_uvce
Builder

Use sep12:log and check whether all searches and dashboards are running fine. Also, if you check the macros, they are using the sourcetype as sep*.

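The check below is an added example, not code from the Splunk for Symantec app or the TA. It models the facts on this page: the TA's inputs.conf.local suggests sourcetype=sep for a UDP listener, the README names sep11:log / sep12:log for syslog inputs, and the app's macros match sourcetype=sep*. It parses inputs.conf text, applies Splunk's layering rule (keys in local/ override the same stanza's keys in default/), and then reports whether each enabled udp:/tcp: listener carries a sourcetype the macros will actually pick up. The two sample conf layers are constructed for the example; the file path under the monitor stanza is hypothetical apart from the install directory the README quotes.

```python
"""Check the sourcetype on the SEP TA's syslog inputs (added example, not the TA's code)."""
import configparser
import fnmatch

# Sourcetypes this page documents for a syslog input: inputs.conf.local says 'sep',
# the README says 'sep11:log' or 'sep12:log'.
DOCUMENTED_SYSLOG_SOURCETYPES = {"sep", "sep11:log", "sep12:log"}
# Glob the app's macros use (per the answer above).
MACRO_SOURCETYPE_GLOB = "sep*"

# Constructed sample layers, not the TA's real files. The file path below is
# hypothetical beyond the install directory quoted in the README.
DEFAULT_INPUTS_CONF = r"""
[monitor://C:\Program Files\Symantec\Symantec Endpoint Protection Manager\logs\*.log]
sourcetype = sep12:log
disabled = 1
"""

LOCAL_INPUTS_CONF = r"""
## UDP listener copied from inputs.conf.local, with the README's sourcetype
[udp:516]
sourcetype = sep12:log
disabled = 0
"""


def parse_inputs_conf(text):
    """Parse Splunk .conf text ([stanza] / key = value, '#' comments) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(
        delimiters=("=",),            # Splunk uses '=' only; ':' appears inside values like sep12:log
        comment_prefixes=("#",),
        strict=False,                 # tolerate repeated keys instead of raising
        interpolation=None,           # '%' in a Windows path must not be expanded
        empty_lines_in_values=False,
        default_section="__none__",   # a Splunk [default] stanza is an ordinary stanza
    )
    cp.optionxform = str              # keep key case as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(default_text, local_text):
    """Splunk precedence: local/ overrides default/ key by key within each stanza."""
    merged = parse_inputs_conf(default_text)
    for stanza, kv in parse_inputs_conf(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def is_enabled(kv):
    """Splunk treats a missing 'disabled' as 0 (enabled)."""
    return kv.get("disabled", "0").strip().lower() not in ("1", "true")


def check_syslog_sourcetypes(merged):
    """Return {stanza: (level, message)} for every enabled udp:/tcp: listener."""
    results = {}
    for stanza, kv in merged.items():
        if not stanza.startswith(("udp:", "tcp:")) or not is_enabled(kv):
            continue
        st = kv.get("sourcetype", "").strip()
        if not st:
            results[stanza] = ("ERROR", "no sourcetype set; whatever Splunk assigns will not match sep*")
        elif not fnmatch.fnmatchcase(st, MACRO_SOURCETYPE_GLOB):
            results[stanza] = ("ERROR", f"sourcetype {st!r} does not match the macro glob {MACRO_SOURCETYPE_GLOB!r}")
        elif st not in DOCUMENTED_SYSLOG_SOURCETYPES:
            results[stanza] = ("WARN", f"{st!r} matches {MACRO_SOURCETYPE_GLOB!r} but is not a value the TA documents")
        elif st == "sep":
            results[stanza] = ("OK", "bare 'sep' relies on the TA's transforms to retype events; "
                                     "events still searchable as sourcetype=sep indicate a problem")
        else:
            results[stanza] = ("OK", f"{st!r} is the README's syslog sourcetype")
    return results


if __name__ == "__main__":
    for stanza, (level, msg) in check_syslog_sourcetypes(
            merge_layers(DEFAULT_INPUTS_CONF, LOCAL_INPUTS_CONF)).items():
        print(f"[{stanza}] {level}: {msg}")
```

Run it against your own $SPLUNK_HOME/etc/apps/TA-sepapp12/default/inputs.conf and local/inputs.conf text instead of the constructed samples; a listener that ends up without a sep* sourcetype is the case where the app's searches silently return nothing.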