Splunk Add-on for Symantec Endpoint Protection 2.0.1: How to configure field extractions in the proper format from SEP EP logs?

daviddavies_civ
New Member

I'm having a little bit of a problem with the fields not being correctly formatted from the SEP EP logs and would really appreciate a little help & guidance.

Here is a brief environment summary:

  • Search head & indexer running Splunk Enterprise 6.2.6
  • SEP Management Server configured to export logs to dump files
  • Splunk Forwarder 6.2.6-274160 installed on the SEP Management Server

Here is a summary of what I have done:

  • Installed Splunk Add-on for Symantec Endpoint Protection 2.0.1 on the search head
  • Moved Splunk_TA_symantec-ep from apps to deployment-apps
  • Created an index on the indexer called symantecep
  • Inputs configured in the deployment app as recommended, defining the monitor index as symantecep, e.g.:

    [monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    index = symantecep
    sourcetype = symantec:ep:admin:file
    disabled = 0

  • App successfully deployed to the SEP client via a server class

  • The logs are appearing on the search head in the index specified but the fields are not being extracted.

I have attached screenshots of how the search results appear in the search head.

My assumption is that the app runs on the forwarder which collects the information, assigns source types, carries out field extraction, and then forwards them to the indexer, so please correct me if that's wrong.

Many Thanks,
David

0 Karma
1 Solution

mreynov_splunk
Splunk Employee

Sourcetypes are assigned at index time, so the app should be installed on the indexer as well.

by SEP client, do you mean SEP Manager?

0 Karma
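The point of the answer is that different parts of an add-on are applied on different tiers: index-time parsing settings only matter where events are parsed (the indexer, or a heavy forwarder), while search-time extraction settings only matter on the search head. The script below is an added example, not part of this thread or of Splunk_TA_symantec-ep; it sorts the settings in a props.conf stanza into those two groups. The sample stanza and its values are constructed.

```python
# Added example (not from the thread or from Splunk_TA_symantec-ep): sort the
# settings in a props.conf stanza into index-time and search-time groups, so
# you can see which Splunk tier (indexer vs. search head) needs the add-on.
import configparser

# Applied while parsing/indexing: must be on the indexer (or a heavy forwarder).
INDEX_TIME_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "TIME_PREFIX",
                   "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE",
                   "CHARSET", "NO_BINARY_CHECK"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-",)
# Applied when a search runs: must be on the search head.
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-",
                        "LOOKUP-", "KV_MODE")

# Constructed sample stanza; the setting values are hypothetical.
SAMPLE_PROPS = """[symantec:ep:admin:file]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TRANSFORMS-rename = hypothetical_sourcetype_rename
REPORT-admin = hypothetical_admin_fields
FIELDALIAS-user = user_name AS user
"""

def classify_props(text):
    """Return {stanza: {"index_time": [...], "search_time": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    result = {}
    for stanza in cp.sections():
        groups = {"index_time": [], "search_time": []}
        for key in cp[stanza]:
            if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
                groups["index_time"].append(key)
            elif key.startswith(SEARCH_TIME_PREFIXES):
                groups["search_time"].append(key)
        result[stanza] = groups
    return result

def tiers_needed(classified):
    """Per stanza, the tiers whose copy of the add-on actually matters."""
    return {s: [t for t, g in (("indexer", "index_time"),
                               ("search head", "search_time")) if p[g]]
            for s, p in classified.items()}

if __name__ == "__main__":
    print(tiers_needed(classify_props(SAMPLE_PROPS)))
```

Run it against the add-on's real props.conf to see whether the fields you are missing are index-time or search-time, and therefore which tier's copy of the app to check first.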

daviddavies_civ
New Member

Thank you for taking a look at my little SEP problem.

I'll deploy the app to the indexer in the morning and give that a go. That does make sense, as it's the indexer that's processing the logs, with the search head then going through it. I'm still relatively new to Splunk, so I'm learning as I go along.

And yes, I meant the SEP Manager. I was referring to it being a forwarder so a client in the eyes of Splunk.

Thanks again and hopefully I'll come back tomorrow with good news.

0 Karma

daviddavies_civ
New Member

Installing the app on the forwarder and the search head in the end resolved the problem, which was largely down to me not fully appreciating that an app has multiple components.

I have also deployed it back to the indexer for completeness.

Thank you for your help!

0 Karma

mreynov_splunk
Splunk Employee

Great to hear! Keep on Splunking!

0 Karma

daviddavies_civ
New Member

I'm afraid that hasn't fixed the issue.

The app has been successfully deployed to the indexer but the logs still appear as they did in the original screenshots.

Any suggestions on where I should look for troubleshooting?

0 Karma