
Need help with integration of Symantec App with Splunk

vgollapudi
Communicator

Hello Splunk Techies !!

I need guidance in integrating the Symantec App and Add-on with Splunk. I have managed to get those apps from Splunkbase; what is surprisingly confusing is the documentation and the installation that is required for these apps.

Symantec Add-on: https://splunkbase.splunk.com/app/2772/#/details

In the Add-on details section, there is a link to the Splunk documentation. I have followed those instructions and installed the Add-on on the Cluster Search Heads and also on the Enterprise Search Head.

Symantec App: https://splunkbase.splunk.com/app/1365/#/details

Whereas, in the App details section, under the installation stanza, it is mentioned that the Add-on is already available under the appserver directory.

What I don't understand is which Add-on to use and which instructions to follow for the successful integration of both the App and the Add-on.

I have made progress by configuring Symantec to forward the syslogs to the Heavy Forwarder and assigning index = symantec and sourcetype = sep12:log.

I will share how I deployed the App and Add-on separately to make it simple to understand and debug.

Downloaded the Symantec App and Add-on from the splunkbase.

  1. Installed Symantec App through Splunk UI on Enterprise Search Head.
  2. Manually copied the Add-on and App to the Search Head Deployer and deployed these two apps to the Cluster Search Heads (followed the documentation given by Splunk to deploy only the Add-on). Also, there was an add-ons directory under the appserver directory in the SplunkforSymantec App, which I removed before deploying to the Cluster Search Heads.
  3. Next, copied only the Add-on to the Deployment Server and deployed it to the Enterprise Search Head.

I'm currently stuck on which Add-on has to be chosen: the one that is shipped along with the App, or the Add-on that is available on Splunkbase.

Is there any necessity to install both the App and the Add-on, or is just the Add-on sufficient? Are there any steps I can follow apart from the Splunk documentation?

Thanks.

0 Karma
1 Solution

vgollapudi
Communicator

I was able to resolve this issue. The steps I followed: I haven't used the Add-on provided by Splunk. I used the add-on TA-sepapp11 that is shipped under the Symantec Splunk App itself.

> After downloading the app and going through the setup process, you still need to install either the Symantec 11 Technology Add-on or the Symantec 12 Technology Add-on. If you are currently running both products, you should install both TAs. They are included with this app in the appserver/addons directory. For single-server Splunk instances, the TAs will be on the same server as the app. For distributed Splunk instances, the TAs just need to go on the indexers and the app just goes on the search heads.

In my case it was Symantec version 11, so I copied TA-sepapp11 from the directory path given above to the respective paths:

On deployment server: $SPLUNK_HOME/etc/deployment-apps/

On Cluster master: $SPLUNK_HOME/etc/master-apps/

On Search Head deployer: $SPLUNK_HOME/etc/shcluster/apps/

Distribution of the App and Add-on

Enterprise Search Head - Symantec App and Symantec Add-on

Heavy Forwarder - Symantec Add-on

Cluster Search Heads - Symantec Add-on

Indexers - Symantec Add-on

Cluster Master - Symantec Add-on

damode
Motivator

Hi @vgollapudi, what version of Splunk were you using when you deployed this app and add-on successfully?

0 Karma

nychawk
Communicator

Here are some hopefully simpler instructions (this worked for me):

  1. On your Windows management server, install the UF and the Splunk add-on: https://splunkbase.splunk.com/app/2772/

  2. On your syslog hvy/uf, add the syslog TA: https://splunkbase.splunk.com/app/3121/
     On that same syslog host, in your inputs.conf, add this (not the same as the sourcetype you've used):

[monitor:///syslog-servers-logslocation/*.log]
index = sep
sourcetype = symantec:ep:syslog
disabled = 0

  3. My indexers have: https://splunkbase.splunk.com/app/2772/

  4. My search heads have the app: https://splunkbase.splunk.com/app/1365/ as well as https://splunkbase.splunk.com/app/2772/

HTH, please keep me posted.

-mi

0 Karma

vgollapudi
Communicator

Nychawk, I would like to know: did you also deploy the app on the Cluster Search Heads too, or just on the Enterprise Search Head?

0 Karma

vgollapudi
Communicator

Hello Nychawk,

Thanks for providing your inputs, but that sourcetype doesn't work for me. So we just configured it to get only one sourcetype and wrote custom sourcetypes based on the data.

0 Karma

nychawk
Communicator

Are your sourcetype and the add-on on the indexers as I suggested?

0 Karma

vgollapudi
Communicator

Yes,

I've a custom app which has this configuration for Symantec:

[monitor:///opt/splunk/syslog/symantec/.../*.log]
sourcetype = sep12:log
index = symantec
host_segment = 4
disabled = false

I don't have the Symantec TA on the Indexers.

Since it's already configured in production, I can't modify the configuration.

I appreciate your inputs regarding the add-on.

Regards
Venky

0 Karma
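As an added example (not code from this thread, from Splunk or from the Symantec app), a small checker for a monitor stanza like the two posted above: it parses inputs.conf text, confirms that index and sourcetype are set, tests whether a sample file path falls under the monitored pattern, and resolves what host_segment would assign as the host. The inputs.conf content and the sample file path are constructed; the handling of "..." and "*" follows Splunk's documented monitor semantics.

```python
import re

# Constructed sample inputs.conf, reproducing the shape of the stanza posted above.
SAMPLE_INPUTS_CONF = """\
[monitor:///opt/splunk/syslog/symantec/.../*.log]
sourcetype = sep12:log
index = symantec
host_segment = 4
disabled = false
"""

REQUIRED_KEYS = ("index", "sourcetype")


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def path_matches(pattern, file_path):
    """Monitor pattern semantics: '...' spans directories, '*' stays within one segment."""
    regex = re.escape(pattern)
    regex = regex.replace(r"/\.\.\./", "/(?:.*/)?").replace(r"\.\.\.", ".*")
    regex = regex.replace(r"\*", "[^/]*")
    return re.fullmatch(regex, file_path) is not None


def host_from_segment(file_path, host_segment):
    """Segment N of the '/'-separated path, 1-based, leading '/' ignored (as host_segment does)."""
    parts = file_path.strip("/").split("/")
    return parts[host_segment - 1] if 0 < host_segment <= len(parts) else None


def check_stanza(name, settings, sample_file):
    """Report missing required keys, whether the sample file is monitored, and the resolved host."""
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    pattern = name[len("monitor://"):] if name.startswith("monitor://") else None
    matched = bool(pattern) and path_matches(pattern, sample_file)
    host = None
    if "host_segment" in settings:
        host = host_from_segment(sample_file, int(settings["host_segment"]))
    enabled = settings.get("disabled", "0").lower() in ("0", "false")
    return {"missing": missing, "matched": matched, "host": host, "enabled": enabled}
```

If the resolved host is the fixed directory name rather than the per-host directory under it, the segment number needs adjusting before the data reaches the indexers.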

damode
Motivator

Hi @vgollapudi, did you finally get around this issue? If yes, please share which add-on you chose to make the setup work properly. Thanks!

0 Karma

vgollapudi
Communicator

Hi @damode, I fixed the issue. Please check my comment below.

0 Karma

damode
Motivator

Hi @vgollapudi,

Thanks for sharing your implementation steps. I will give it a try.

0 Karma

vgollapudi
Communicator

No Damode. I just configured and we are getting data but unable to parse that into different sourcetypes.

0 Karma