
Splunk Add-on for Symantec Endpoint Protection: How to troubleshoot why my universal forwarder monitor configuration is not sending all files?

smakovits
Explorer

I installed the universal forwarder on one of my servers (Symantec Endpoint Protection Management Server). I copied in the appropriate TA folder to the apps folder. In there, I copied over the inputs.conf file to the local folder and added my paths.

My application is then dumping the files to the folder and from there the forwarder picks them up. There is just one issue: only some of the files are actually being picked up and sent, and I am not understanding why.

The samples are like this:

[monitor://<<path_to_temp_dump_file_directory>>/agt_scan.tmp]
sourcetype = symantec:ep:scan:file
[monitor://<<path_to_temp_dump_file_directory>>/agt_security.tmp]
sourcetype = symantec:ep:security:file

Simple enough, except it does not work.

[monitor://d:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
sourcetype = symantec:ep:scan:file
index=symantec
disabled = false

picks up the appropriate file and forwards to the indexing server as expected.

However, my security logs do not get sent and I am not sure why.

[monitor://d:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
sourcetype = symantec:ep:security:file
index=symantec
disabled = false

The paths are identical except for the file picked up, scan vs security, but the security file is never picked up. I even went as far as disabling the dump logs to only include the security log. I deleted all the logs and started my services over and new files are created. The file is there and has data, but it is not being forwarded as it should.

I even set up a dedicated index for the security data to see if that was my issue, but it has 0 events. I have no idea where the breakdown is, whether it is on the indexer or the forwarder, so any help to troubleshoot why this file is not getting into my Splunk server is appreciated.

I did enable: category.FileInputTracker=DEBUG

but I have no idea what it is doing for me. None of the latest logs seem to show anything useful as debug logs.

Thanks

0 Karma
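A troubleshooting helper added here as an illustration, not code from the thread or from the Splunk add-on: it parses monitor stanzas like the ones above and, for each file, checks that the stanza is enabled, that the file exists and is non-empty, and whether its first 256 bytes (Splunk's default initCrcLength) are identical to those of another monitored file, which makes the forwarder treat the second file as already seen unless crcSalt is set. The inputs.conf excerpt and the two dump files are constructed; `demo()` writes them to a temporary directory.

```python
import pathlib
import tempfile
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength
# inputs.conf excerpt constructed for this example; {dump} is filled in at run time
SAMPLE_INPUTS_CONF = """[monitor://{dump}/agt_scan.tmp]
sourcetype = symantec:ep:scan:file
disabled = false
[monitor://{dump}/agt_security.tmp]
sourcetype = symantec:ep:security:file
disabled = false
"""

def parse_monitor_stanzas(text):
    """Return {path: {key: value}} for every [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[monitor://") and line.endswith("]"):
            current = line[len("[monitor://"):-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_monitor_stanzas(text):
    """Map each monitored path to the reasons it may not be ingested."""
    problems, header_crcs = {}, {}
    for path, keys in parse_monitor_stanzas(text).items():
        reasons = problems.setdefault(path, [])
        if keys.get("disabled", "false").lower() in ("true", "1"):
            reasons.append("stanza disabled")
        target = pathlib.Path(path)
        if not target.is_file() or target.stat().st_size == 0:
            reasons.append("file missing or empty")
            continue
        crc = zlib.crc32(target.read_bytes()[:INIT_CRC_LENGTH])  # Splunk keys a file on this CRC
        if crc in header_crcs and "crcSalt" not in keys:
            reasons.append("first %d bytes identical to %s; may be treated as already "
                           "seen (crcSalt = <SOURCE> tells them apart)" % (INIT_CRC_LENGTH, header_crcs[crc]))
        header_crcs.setdefault(crc, path)
    return problems

def demo():
    dump = tempfile.mkdtemp()  # constructed scenario: two files with identical 256-byte headers
    for name, body in (("agt_scan.tmp", b"scan 1\n"), ("agt_security.tmp", b"security 1\n")):
        pathlib.Path(dump, name).write_bytes(b"#" * INIT_CRC_LENGTH + body)
    return check_monitor_stanzas(SAMPLE_INPUTS_CONF.format(dump=dump))
```

Run it against the real inputs.conf and dump directory by passing the file's text to `check_monitor_stanzas`; an empty list for a path means none of these checks explains the missing data.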

jcoates_splunk
Splunk Employee

That is sounding like it needs a support ticket... this is a plain old Splunk file monitor, so we should look at some diag files to see what is happening.

0 Karma

tjohnson2
Explorer

Hello smakovits, did you get any traction on this issue? I'm having a similar issue where my logs are only getting sent when I restart the service.

0 Karma