I have been fighting this for a few days now without any luck. I started with the syslog forwarding from my SEPM. The data is getting to my Splunk server, so part one is functioning; however, the Symantec app tells me there are no results. As a test, I then moved to the universal forwarder, installing it on the SEPM and dumping the logs to a local file. This also gets the data into my Splunk server, but again, no data can be searched.
I am currently just testing to see what benefit Splunk adds, but unfortunately I am not able to review any of the data because either the app is broken, or the data is not being indexed correctly to get displayed. Any help is appreciated. I have looked through a number of other threads, but they all seem pretty vague and do not solve my issue.
Thanks
I'm sorry you are having difficulties with it.
First, which version did you install? There's a version here that may be old - it claims Splunk 6.0 compatibility in the text, but not actually in the tags. There's another one here which seems much better documented and claims actual 6.3 compatibility.
I'd recommend the latter because of the docs: they lay out the installation process here. Give that a try. These sorts of things can be a bit overwhelming the first time you do them, but I'm sure we can help you through this. If you get stuck, add a comment here with what you've tried, what's worked so far and where you are stuck and someone will probably try to help out some.
If you are familiar with IRC, you may have some luck asking in the Splunk IRC channel. Be kind, we're just mostly other customers/clients who help out with problems when we get a chance, and the best chance of help is during the "normal U.S. working day" because that's when the channel is most populated.
OK, so I started over, so as to make sure I didn't have something screwed up.
I installed just the one plug-in, 2.0.1, and enabled the universal forwarder on my management server. The issue with this plug-in is that it has no GUI and it is not visible by default. The other noted plug-in has an interface page and is visible upon install. Therefore, my only thought is that I need both, but that's how I had it before when I was not seeing any data.
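The symptom described in this thread, events arriving at the indexer while the app's dashboards stay empty, is most often a sourcetype mismatch: the app's searches and eventtypes are keyed to a particular sourcetype, and a universal forwarder monitor stanza with no explicit sourcetype leaves Splunk to guess one. The following is an added example, not configuration from the original posts or from either Symantec app. The log path, the index name and the sourcetype value are assumptions for illustration; the correct sourcetype is whatever the installed app's documentation specifies, and must be checked there.

```ini
# inputs.conf on the universal forwarder installed on the SEPM host.
# Assumed values: the dump file path, the index and the sourcetype
# are placeholders; substitute the ones your app's docs call for.

[monitor://C:\SEPM\logs\agt_system.log]
# Without this line the forwarder lets the indexer auto-detect the
# sourcetype, which is the usual reason the app's searches match nothing.
sourcetype = symantec:ep:security:file
index = sep
disabled = 0

# Verification searches to run on the Splunk search head after restarting
# the forwarder (shown here as comments so the file stays valid):
#
#   index=sep | stats count by host, source, sourcetype
#
# confirms what the data was actually indexed as. Then compare that
# sourcetype against the app's eventtypes:
#
#   | rest /services/saved/eventtypes | search eai:acl.app=<app directory>
#     | table title, search
#
# If the sourcetype in the first result does not appear in the second,
# the app will never find the events, regardless of how many were indexed.
```

With syslog input instead of a monitored file, the same check applies: the `[udp://514]` or `[tcp://514]` stanza on the receiving Splunk instance needs an explicit `sourcetype =` for the same reason.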