All Apps and Add-ons

Is there a splunk agent for Symantec Protection Engine?

vrattlesnake
Engager

Would like to know if there's a Splunk agent for Symantec Protection Engine. If not, what are the options to get the events to Splunk? SPE does not have an option to forward the syslogs by itself.

0 Karma
1 Solution

Richfez
SplunkTrust

According to a quick Google search, SPE does have the ability to send syslog.
Configure centralized collection of Protection Engine logs using syslog server, published May 15th, 2018.

If you can find, beg or borrow a *nix box to use as the syslog machine and install a Universal Forwarder on it to send the data to Splunk, this is easy and you'd just point SPE's syslog output there. Symantec recommends rsyslog, so I guess Symantec is filled with sadists. But that's OK, it takes all kinds to make the world go around.... Use either syslog-ng (which would be my recommendation if you aren't an rsyslog expert already), or maybe check those docs linked to out and if it really does tell you just how to do it with rsyslog, use their instructions.

If you can't find anything but Windows, did I mention that a tiny 1-core, 2 GB of RAM Ubuntu VM would likely be plenty to do this? You MIGHT need 2 cores and maybe even up to 4 GB of RAM, but I really doubt it... But if you have to do Windows, Kiwi syslog daemon has a free version that some folks have used before and which seemed to work well enough at lower loads.

Of course, what the data looks like and how to get it to parse properly, and the extractions you need - well, that's both a different adventure and a different question!

Happy Splunking!

-Rich

0 Karma

vrattlesnake
Engager

Thanks Rich.

I did look at the doc; it basically says use rsyslog and forward it to Splunk. I cannot afford a new machine for this. So I guess there's no Splunk agent for this and I should use rsyslog or some other log forwarder.

0 Karma

vrattlesnake
Engager

How about pulling the logs from Splunk instead of sending them from SPE using a third party tool? I know it is possible using QRadar, not sure how it works on Splunk. Any thoughts there?

0 Karma

Richfez
SplunkTrust

(Read to the end! I have another idea to look into I thought of!)

If there's a third party tool, I think that's fine. Assuming of course that it's a tool that officially has support from someone, has had a history of good support, and that doesn't overcomplicate the path the data takes. Also, the method by which it makes data suitable for ingestion into Splunk should be a well supported way, which most likely means that if it's not a "Splunk created application" then it needs to write files to disk in some standard format that Splunk can read, parse and ingest properly - CSV and JSON seem to both be popular.

Indeed, when such things exist I think they can be great. Mostly these are Splunk apps, though, that leverage an API the device/software manufacturer provides and snag data that way. (Cisco eStreamer, etc...) There are also semi-generic API pulling apps for Splunk, I haven't used those for anything but a few toy things so I don't know how they really work for production, but if SPE has a properly done, complete API that fits into the mold that one of those API-talking apps can use, you could also do that.

Or even if you are a Python, shell or other script-style writing expert and that API is complete and easy enough, you could also write your own script to pull data from that API and drop it into files that Splunk can pick up. I've done that - it ended up pulling JSON from an API and dropping that into files that Splunk happily picked up.

OR.

So, IIRC we toyed with pulling Symantec Endpoint Protection logs via DB Connect at $job-1. I don't think we ever did, but we DID use DB Connect for other things we'd pull from various databases. The idea being that if there's a reasonably well formed DB behind the scenes for SPE, and you can talk to its DB directly, then you could just write a bunch of SQL and pull that data that way.

0 Karma

vrattlesnake
Engager

Thank you.

0 Karma

Richfez
SplunkTrust

Right, there's no "agent" as you would like. Instead they relied on the well-proven, 30-year-old standard syslog protocol.

But again - you don't need a new machine! If you are running Linux for your Splunk server, just install syslog-ng or rsyslog on it directly, configure it to listen on the network, then tell your SPE machine(s) to syslog to it. Then from Splunk, just pick the files that syslog creates directly from disk.

If your Splunk server is Windows, well you could try Kiwi syslog daemon, the free version. It tends to work well enough for low to moderate volume syslog. Or download Virtual Box and spin up a small Ubuntu box, install syslog-ng/rsyslog on that and the Splunk UF, and use it to forward that to the Splunk host.

If you really don't have enough experience with virtual machines, then ... well, first - I think it might be a great career move to become more familiar with it. But also, in any case an old desktop would be way more power than you need - again just install one of the 50 free and popular Linux distributions like CentOS or Ubuntu and go to town.

It's not really a big deal, it's not hard to set one of these up (though it's certainly going to take a little bit of head scratching at times, and you'll need to use Google a lot), they're reliable and work well, and you can do it. We believe in you.

0 Karma
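The "listener on the Splunk host, Splunk reads the files" setup that Rich describes in both of his answers, written out as an added example (not from the thread, and not Symantec's or Splunk's own config). It generates an rsyslog drop-in that accepts SPE syslog over TCP only from an assumed SPE subnet (192.0.2.0/24) and writes one file per sending host per day, plus a Splunk inputs.conf monitor stanza that derives the host from the path; the port, subnet, index name and sourcetype are assumptions to adjust before copying the files into /etc/rsyslog.d and $SPLUNK_HOME/etc/system/local.

```shell
#!/bin/sh
# Added example: write the rsyslog listener and Splunk monitor configs under a
# review directory ($1, default ./spe-config) instead of touching /etc directly.
# Subnet, port, index and sourcetype below are assumptions, not vendor values.
set -eu

write_spe_syslog_configs() {
  root="$1"
  mkdir -p "$root/rsyslog.d" "$root/splunk"

  # rsyslog (RainerScript) drop-in: TCP listener bound to its own ruleset so
  # SPE events never mix with the host's local syslog files.
  cat > "$root/rsyslog.d/10-spe.conf" <<'EOF'
# Accept SPE syslog over TCP only from the SPE subnet (assumed 192.0.2.0/24).
module(load="imtcp")
$AllowedSender TCP, 192.0.2.0/24
input(type="imtcp" port="514" ruleset="spe")

# One file per sending host per day; Splunk derives host from the directory.
template(name="spePerHost" type="string"
         string="/var/log/spe/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="spe") {
  action(type="omfile" dynaFile="spePerHost" fileCreateMode="0640")
  stop
}
EOF

  # Splunk inputs.conf: /var/log/spe/<host>/<date>.log -> segment 4 is the host.
  cat > "$root/splunk/inputs.conf" <<'EOF'
[monitor:///var/log/spe/*/*.log]
index = spe
sourcetype = symantec:spe:syslog
host_segment = 4
disabled = false
EOF
}

write_spe_syslog_configs "${1:-./spe-config}"
```

After copying the rsyslog file into place, `rsyslogd -N1` validates the syntax before a restart, and a `logger -n <splunk-host> -T -P 514 test` from an SPE host should produce /var/log/spe/<spe-host>/<date>.log.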