I am working through the Splunk Add-on for Symantec Endpoint Protection install documentation and I have a question about he inputs.conf file. The documentation shows the Symantec log files as being monitored separately:
However, I have our Symantec management server configured to syslog the files to the Splunk server into a directory, configured via rsyslog as follows:
# send all messages from SEP Manager to a specific files**
if $hostname contains 'SymantecServer' then -?Symantec
With that, I have one Symantec log file per day that has the various different Symantec log formats all mixed in.
I assume I can configure the inputs.conf to point all of the lines in the stanza to the same file, but how do ensure that Splunk will be able to parse all the different formats within the same log file to assign the correct sourcetypes - scm_admin, scm_agent, agt_risk, agt_scan, and so on?