I've installed the TA for Symantec Endpoint Protection (syslog), but there is no documentation on it, so can anyone please tell me how to use it?
SEP sends logs to my Splunk instance via syslog (TCP/1514).
Thank you!
Hello! Best to install the Add-On both on the Search Head and the Indexer (and Heavy Forwarders if you use them).
Hey,
How did you set sourcetypes for this TA for SEP? What did you set, and where?
Hello!
Set your sourcetype to symantec:ep:syslog and you should be ready to go.
I will add this to the documentation.
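As an added illustration (not part of the original answer or the TA itself), this is what the input stanza on the heavy forwarder would look like for the TCP/1514 syslog feed mentioned above, together with a search to confirm events are arriving under the right sourcetype. The index name `sep` and the stanza name are assumptions; the index must also exist on the indexer, and the TA has to be on the search head for its search-time field extractions to apply.

```ini
# $SPLUNK_HOME/etc/apps/<your_local_app>/local/inputs.conf on the heavy forwarder
# (constructed example; "sep" is an assumed index name, not one the TA creates)
[tcp://1514]
sourcetype = symantec:ep:syslog
index = sep
connection_host = dns
disabled = 0

# Verify from the search head that events land with the expected sourcetype,
# e.g.:  index=sep sourcetype=symantec:ep:syslog | head 10
# If this returns nothing, check the "sep" index exists on the indexer and that
# the TA is installed on the search head so its extractions are applied.
```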
Hi, I installed the TA for SEP on the heavy forwarder in SPLUNK_HOME/etc/apps and changed the sourcetype to symantec:ep:syslog in inputs.conf, but I don't see the sourcetype generating on my search head.
I have SEP version 14. Please help me out.
Do I need to install the app anywhere else, like on the Deployment Client or the search head?
Hello!
This is a Technology Addon (TA), so this means it only holds field extractions and other input related data.
But the TA is CIM compliant, and that means it can be used from any CIM compliant reporting app, such as Enterprise Security, the App for PCI, etc. The app you refer to (App for Symantec) is older and is not CIM compliant, so it will not work together with this TA.
Of course, you can always create your own queries as well.
Regards,
Michel.
Thank you. To start with, I began using the queries that came with the TA and modified them slightly.
Still need to add queries for hostname, user, etc.
I just installed this TA; extractions working just fine.
What app should I use for queries and reporting? The current app, https://splunkbase.splunk.com/app/1365/#/overview, does not work.
Assuming there is none, has anyone modified this app, or built similar queries?
Thank you