
How to use the TA for Symantec Endpoint Protection (syslog)?

ibondarets
Explorer

I've installed the TA for Symantec Endpoint Protection (syslog), but there is no documentation on it, so can anyone please tell me how to use it?

SEP sends logs to my Splunk instance via syslog (TCP/1514).

Thank you!

0 Karma

moosterhof_splu
Splunk Employee

Hello! Best to install the Add-On both on the Search Head and the Indexer (and Heavy Forwarders if you use them)

0 Karma

sridhar2901
New Member

Hey,

How did you set sourcetypes for this TA for SEP? What did you set, and where?

0 Karma

moosterhof_splu
Splunk Employee

Hello!
Set your sourcetype to symantec:ep:syslog and you should be ready to go.

I will add this to the documentation.
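As an added example that is not part of the original thread or of the TA itself, this is what the sourcetype setting looks like in inputs.conf for the TCP/1514 syslog input described above. The index name `sep` and the SEP manager address `10.0.0.5` are assumptions; substitute your own.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the heavy forwarder
# (or the local/ directory of your own inputs app). Added example;
# the "sep" index and the 10.0.0.5 SEPM address are assumptions.
[tcp://1514]
sourcetype = symantec:ep:syslog
index = sep
connection_host = ip
# Only accept connections from the SEP manager so an arbitrary host on
# the network cannot inject events into the SEP index (assumed address).
acceptFrom = 10.0.0.5
```

After restarting the forwarder, confirm the data lands with the expected sourcetype from the search head, for example `index=sep sourcetype=symantec:ep:syslog | head 10`. The `sep` index must already exist on the indexers (indexes.conf), and the TA's search-time field extractions only apply when the TA is also installed on the search head, which is why the earlier answer recommends installing it on the search head, the indexers, and any heavy forwarders.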

sridhar2901
New Member

Hi, I installed the TA for SEP on a heavy forwarder in SPLUNK_HOME/etc/apps and changed the sourcetype to symantec:ep:syslog in inputs.conf, but I don't see the sourcetypes generating on my search head.

I have SEP version 14. Please help me out.

Do I need to install the app anywhere else, like on the deployment client or the search head?

0 Karma

moosterhof_splu
Splunk Employee

Hello!

This is a Technology Add-on (TA), so this means it only holds field extractions and other input-related data.

But the TA is CIM compliant, and that means it can be used from any CIM compliant reporting app, such as Enterprise Security, the App for PCI, etcetera. The app you refer to (App for Symantec) is older, and is not CIM compliant, so will not work together with this TA.

Of course, you can always create your own queries as well.

regards,

Michel.

0 Karma

nychawk
Communicator

Thank you, to start with I began using the queries that came with the TA, and modified slightly.
Still need to add queries for hostname, user, etc.

0 Karma

nychawk
Communicator

I just installed this TA; extractions working just fine.

What app should I use for queries and reporting? The current app, https://splunkbase.splunk.com/app/1365/#/overview, does not work.

Assuming there is none, has anyone modified this app, or built similar queries?

Thank you

0 Karma