We're trying to configure the SplunkforSymantec app v1.03.
I've put the regular app in place and copied TA-sepapp12/ to $SPLUNK_HOME/etc/apps. We're configuring this to listen via a UDP port in TA-sepapp12/local/inputs.conf using a modified copy of TA-sepapp12/default/inputs.conf.local. Where I'm confused is what to set the sourcetype for the inputs.conf entry.
The comments in the inputs.conf.local file say:
## A default listener
#[udp:516]
#sourcetype=sep
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error
saying I should just set "sourcetype=sep", but then the SplunkforSymantec/README file says the following
#### Configuring the TA ####
Data can be received via syslog or by monitoring the SEP log files on the SEP Manager. To receive data over syslog, manually set the sourcetype for the associated data input to either 'sep11:log' or 'sep12:log'. To monitor the files directly, you should install a Splunk Universal Forwarder on your management console. You'll need to set the log file location in the inputs.conf file and enable the associated file inputs. An example inputs.conf file is provided for you in the apps default directory. It's called inputs.conf.local. The default path in inputs.conf assumes that the SEP Manager is installed in C:\Program Files\Symantec\Symantec Endpoint Protection Manager. Edit this path to the actual location of the SEP Manager if necessary.
which seems to say that I should configure it to be "sourcetype=sep12:log".
Which one of these is correct for a sourcetype setting, "sep" or "sep12:log" if I'm reading the data via UDP for SEP 12?
Thanks
