Splunk Add-on for Symantec Endpoint Protection 2.0.1: Why can't I find SEP data on my Splunk Server?

aelzain
Engager

Hi,

I am new to Splunk and am now using Splunk 6.2 on Linux. A few days ago, I configured SEP to forward all events (Client, System, Agents, etc.).

From the Splunk side, I've downloaded and added the Splunk Add-on for Symantec Endpoint Protection 2.0.1.

All network access is OK and tested, but I don't know whether the logs were sent from SEP or not, or where and how to find them. I'm totally naive to Splunk. I have followed the configuration steps, but I didn't find the logs in "$SEPM_HOME/data/dump".

1 Solution

jcoates_splunk
Splunk Employee

The list of possible problems is myriad... I'll assume it isn't sophons. Let's start with determining if it's a Splunk problem:

index=_internal

That search will show you all of Splunk's own logs. Most likely you'll see your own searches, your login to the system, and some housekeeping messages. Add "ERROR" to the search, and you'll see any problems.

If you don't see anything like "I am receiving your logs and throwing them on the floor because they're smelly", then it's probably not a Splunk problem. My guess is that you're trying to open a syslog port that the OS or its firewall isn't going to allow. Try using a port number over 1024 and allowing it through your firewall.

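The accepted answer's two checks, searching index=_internal (and index=_internal ERROR) for what Splunk itself is reporting, and making sure the OS actually lets the Splunk user open the syslog port, can be exercised outside Splunk before touching the add-on. The script below is an added example and is not part of the original thread or of the Splunk add-on: it tries to bind the UDP port you intend to use (a non-root Splunk user on Linux cannot bind udp/514, which is exactly the "port under 1024" problem the answer describes), then binds a free high port on loopback, sends itself a constructed RFC 3164-style line of the kind SEPM emits, and reports whether it arrived. The hostname "sepm01", the tag "SymantecServer" and the message text are constructed sample data.

```python
"""Loopback check for a syslog listener: can the port be bound, and does a
test message arrive?  Added example, not code from the original thread."""
import os
import socket
import time

# <134> = facility local0 (16) * 8 + severity informational (6), a common pair.
SYSLOG_PRIORITY_LOCAL0_INFO = 16 * 8 + 6


def can_bind_udp(port, host="127.0.0.1"):
    """Return True if this process may bind a UDP socket on `port`.

    On Linux, ports below 1024 need root or CAP_NET_BIND_SERVICE, so a Splunk
    instance running as an unprivileged user gets PermissionError on udp/514.
    A port that is already in use fails with a different OSError.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return True
    except PermissionError:
        return False
    except OSError:
        return False
    finally:
        sock.close()


def build_syslog_line(hostname, tag, message, priority=SYSLOG_PRIORITY_LOCAL0_INFO):
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MESSAGE.
    Sample values are constructed; the timestamp uses a zero-padded day,
    which is close enough to the BSD format for a connectivity test."""
    timestamp = time.strftime("%b %d %H:%M:%S")
    return f"<{priority}>{timestamp} {hostname} {tag}: {message}"


def roundtrip_udp(message, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP listener on `port` (0 = any free high port), send `message`
    to it over loopback, and return (bound_port, received_text).
    Returns (bound_port, None) if nothing arrives within `timeout`, which is
    what a firewall-dropped or mis-addressed feed looks like from the inside."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, port))
    listener.settimeout(timeout)
    bound_port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), (host, bound_port))
        data, _ = listener.recvfrom(65535)
        return bound_port, data.decode("utf-8", errors="replace")
    except socket.timeout:
        return bound_port, None
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print("euid", os.geteuid(), "can bind udp/514:", can_bind_udp(514))
    line = build_syslog_line("sepm01", "SymantecServer", "constructed test event")
    port, got = roundtrip_udp(line)
    print(f"udp/{port}: {'received: ' + got if got else 'nothing received'}")
```

If can_bind_udp(514) prints False for the user Splunk runs as, either move the input to a port above 1024 (and open that port on the host firewall) or run the receiver with the privilege to bind a low port; the loopback round trip confirms the receiving side works once the port is free, so any remaining silence is between SEPM and the Splunk host rather than inside it.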

jwalzerpitt
Influencer

On your SEP server, your logs should be in the following directory:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump