Hello Splunk Techies !!
I need guidance in integrating the Symantec App and Add-on with Splunk. I have managed to get those apps from Splunkbase; what is surprisingly confusing is the documentation and installation that are required for these apps.
Symantec Add-on: https://splunkbase.splunk.com/app/2772/#/details
In the Add-on details section, there is a link to the Splunk documentation. I have followed those instructions and installed the Add-on on the Cluster Search Heads and also on the Enterprise Search Head.
Symantec App: https://splunkbase.splunk.com/app/1365/#/details
Whereas, in the App details section, under the installation stanza, it is mentioned that the Add-on is already available under the appserver directory.
What I don't understand is which Add-on to use and what instructions to follow for the successful integration of both the App and Add-on.
I have made progress by configuring Symantec to forward the syslogs to the Heavy Forwarder and assigning index = symantec and sourcetype = sep12:log.
I will share how I deployed the App and Add-on separately to make it simple to understand and debug.
Downloaded the Symantec App and Add-on from the splunkbase.
I'm currently stuck on which Add-on has to be chosen: the one that is given along with the App, or the Add-on that is available on Splunkbase.
Is there any necessity to install both the App and Add-on, or is just the Add-on sufficient? Are there any steps I can follow apart from the Splunk documentation?
Thanks.
I was able to resolve this issue. The steps I followed: I haven't used the Add-on provided by Splunk. I used the add-on TA-sepapp11 under the Symantec Splunk App itself.
> After downloading the app and going through the set up process, you still need to install either the Symantec 11 Technology Add-on or Symantec 12 Technology Add-on. If you are currently running both products, you should install both TAs. They are included with this app in the appserver/addons directory. For single server Splunk instances, the TAs will be on the same server as the app. For distributed Splunk instances, the TAs just need to go on the indexers and the app just goes on the search heads.
In my case, it was Symantec version 11, so I copied TA-sepapp11 from the directory path given to the respective paths.
On deployment server: $SPLUNK_HOME/etc/deployment-apps/
On Cluster master: $SPLUNK_HOME/etc/master-apps/
On Search Head deployer: $SPLUNK_HOME/etc/shcluster/apps/
Distribution of the App and Add-on
Enterprise Search Head - Symantec App and Symantec Add-on
Heavy Forwarder - Symantec Add-on
Cluster Search Heads - Symantec Add-on
Indexers - Symantec Add-on
Cluster Master - Symantec Add-on
Hi @vgollapudi, what version of Splunk were you using when you deployed this app and add-on successfully?
Here are some hopefully simpler instructions (this worked for me):
On your windows management server, install UF, and the Splunk add-on: https://splunkbase.splunk.com/app/2772/
On your syslog hvy/uf, add the syslog-TA: https://splunkbase.splunk.com/app/3121/
On that same syslog host, in your inputs.conf, add this: (not the same as the sourcetype you've used)
[monitor:///syslog-servers-logslocation/*.log]
index = sep
sourcetype = symantec:ep:syslog
disabled = 0
My indexers have: https://splunkbase.splunk.com/app/2772/
My search heads have the app: https://splunkbase.splunk.com/app/1365/ as well as https://splunkbase.splunk.com/app/2772/
HTH, please keep me posted.
-mi
Nychawk, I would like to know: did you also deploy the app on the Cluster Search Heads too, or just on the Enterprise Search Head?
Hello Nychawk,
Thanks for providing your inputs, but the sourcetype doesn't work for me. So we just configured it to get only one sourcetype and wrote custom sourcetypes based on the data.
Your sourcetype and add-on on indexers are as I suggested?
Yes,
I've a custom app which has this configuration for Symantec.
[monitor:///opt/splunk/syslog/symantec/.../*.log]
sourcetype = sep12:log
index = symantec
host_segment = 4
disabled = false
I don't have the TA of symantec on the Indexers.
Since it's already configured in production, I can't modify the configuration.
I appreciate your inputs regarding the add-on.
Regards
Venky
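The two inputs.conf stanzas posted in this thread differ in their sourcetype (symantec:ep:syslog in Nychawk's reply, sep12:log in Venky's custom app), and the parsing problem Venky describes is exactly what happens when a monitor input's sourcetype is not one the deployed add-on has props for. The script below is an added example, not code from the thread, from Splunk, or from the Symantec app or add-on: it parses Splunk .conf stanzas and reports every enabled monitor:// input whose sourcetype the add-on would not parse. The inputs.conf text is constructed from the two stanzas in the thread; the set of add-on sourcetypes is an assumption for illustration (only symantec:ep:syslog is taken from the thread), and in a real check it would be read from the add-on's props.conf.

```python
"""Check Splunk inputs.conf monitor stanzas against the sourcetypes an add-on parses.

Added example for this thread; not code from Splunk, the Symantec app or the
add-on. Constructed input below; the add-on sourcetype set is an assumption.
"""
import re

# Constructed: the two monitor stanzas posted in the thread, merged into one file.
INPUTS_CONF = """\
[monitor:///syslog-servers-logslocation/*.log]
index = sep
sourcetype = symantec:ep:syslog
disabled = 0

[monitor:///opt/splunk/syslog/symantec/.../*.log]
sourcetype = sep12:log
index = symantec
host_segment = 4
disabled = false
"""

# Assumption: sourcetypes the deployed add-on's props.conf has parsing rules for.
# Only symantec:ep:syslog comes from the thread; a real check would read the
# stanza names out of $SPLUNK_HOME/etc/apps/<TA>/default/props.conf.
ADDON_SOURCETYPES = {"symantec:ep:syslog"}


def parse_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk .conf file.

    Handles blank lines, '#' / ';' comments and one-line 'key = value' pairs.
    Values keep their embedded ':' (e.g. sep12:log) because only the first '='
    is treated as the delimiter.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a stanza or missing '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        stanzas[current][key] = value
    return stanzas


def is_disabled(value):
    """Interpret the boolean forms Splunk accepts for 'disabled'."""
    return value.strip().lower() in {"1", "true", "t", "yes", "y", "on"}


def check_monitor_inputs(stanzas, addon_sourcetypes):
    """Return [(stanza, sourcetype, status)] for every monitor:// stanza.

    status is 'ok' when the add-on parses the sourcetype, 'unparsed' when it
    does not (the symptom in the thread: data arrives but is not broken out),
    'missing' when no sourcetype is set, and 'disabled' when the input is off.
    """
    results = []
    for name, kv in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        if is_disabled(kv.get("disabled", "0")):
            status = "disabled"
        elif "sourcetype" not in kv:
            status = "missing"
        elif kv["sourcetype"] in addon_sourcetypes:
            status = "ok"
        else:
            status = "unparsed"
        results.append((name, kv.get("sourcetype"), status))
    return results


if __name__ == "__main__":
    for stanza, sourcetype, status in check_monitor_inputs(
        parse_conf(INPUTS_CONF), ADDON_SOURCETYPES
    ):
        print(f"{status:9} {sourcetype!s:22} {stanza}")
```

Run against the constructed file, the first stanza reports ok and the second reports unparsed, which is the mismatch to resolve before expecting the app's dashboards to populate: either change the input's sourcetype to the one the add-on expects, or ship props/transforms for the custom sourcetype on the indexers and heavy forwarder where parsing happens.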
Hi @vgollapudi, did you finally get around this issue? If yes, please share which add-on you chose to make the setup work properly. Thanks!
Hi @damode, I fixed the issue. Please check my below comment.
Hi @vgollapudi,
Thanks for sharing your implementation steps. I will give it a try.
No, Damode. I just configured it and we are getting data, but I am unable to parse it into different sourcetypes.