I installed the universal forwarder on one of my servers (Symantec Endpoint Protection Management Server). I copied in the appropriate TA folder to the apps folder. In there, I copied over the inputs.conf file to the local folder and added my paths.
My application is then dumping the files to the folder and from there the forwarder picks them up. There is just one issue: only some of the files are actually being picked up and sent, and I am not understanding why.
The samples are like this:
[monitor://<<path_to_temp_dump_file_directory>>/agt_scan.tmp]
sourcetype = symantec:ep:scan:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_security.tmp]
sourcetype = symantec:ep:security:file
Simple enough, except it does not work.
[monitor://d:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
sourcetype = symantec:ep:scan:file
index = symantec
disabled = false
picks up the appropriate file and forwards to the indexing server as expected.
However, my security logs do not get sent and I am not sure why.
[monitor://d:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
sourcetype = symantec:ep:security:file
index = symantec
disabled = false
The paths are identical except for the file picked up, scan vs security, but the security file is never picked up. I even went as far as disabling the dump logs to only include the security log. I deleted all the logs and started my services over and new files are created. The file is there and has data, but it is not being forwarded as it should.
I even set up a dedicated index for the security data to see if that was my issue, but it has 0 events. I have no idea where the breakdown is, whether it is on the indexer or the forwarder, so any help to troubleshoot why this file is not getting into my Splunk server is appreciated.
I did enable: category.FileInputTracker=DEBUG
but I have no idea what it is doing for me. None of the latest logs seem to show anything useful as debug logs.
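An added troubleshooting check, not part of the post above: it parses inputs.conf monitor stanzas like the ones shown, confirms each monitored path exists, and flags two monitored files whose first 256 bytes are identical. Splunk identifies a monitored file by a CRC over its first initCrcLength bytes (256 by default), so two dump files with the same header can be treated as one already-read file unless the stanza sets crcSalt = <SOURCE>; the dump directory and file contents used here are constructed.

```python
import os
import re
import tempfile
INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength: the bytes it hashes to identify a monitored file

# Constructed inputs.conf mirroring the post's two stanzas; {dump} is filled in by demo().
INPUTS_CONF = """[monitor://{dump}/agt_scan.tmp]
sourcetype = symantec:ep:scan:file

[monitor://{dump}/agt_security.tmp]
sourcetype = symantec:ep:security:file
"""

def parse_monitor_stanzas(text):
    """Return {path: {key: value}} for every [monitor://...] stanza in inputs.conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[monitor://(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def check_monitor_inputs(text):
    """Per monitored path: whether it exists and which earlier monitored file shares its header bytes."""
    report, seen_headers = {}, {}
    for path, settings in parse_monitor_stanzas(text).items():
        entry = {"exists": os.path.isfile(path), "header_collides_with": None}
        if entry["exists"]:
            with open(path, "rb") as fh:
                head = fh.read(INIT_CRC_LENGTH)
            # Identical first 256 bytes and no crcSalt: Splunk can mistake this for a file it already read.
            if head in seen_headers and "crcSalt" not in settings:
                entry["header_collides_with"] = seen_headers[head]
            seen_headers.setdefault(head, path)
        report[path] = entry
    return report

def demo():
    """Constructed dump directory: both files share a 300-byte header and differ only in the tail."""
    dump = tempfile.mkdtemp().replace("\\", "/")
    header = b"# Symantec Endpoint Protection dump " + b"=" * 300 + b"\r\n"
    for name, body in (("agt_scan.tmp", b"scan rows\r\n"), ("agt_security.tmp", b"security rows\r\n")):
        with open(os.path.join(dump, name), "wb") as fh:
            fh.write(header + body)
    return check_monitor_inputs(INPUTS_CONF.format(dump=dump))
```

A path reported with `header_collides_with` set is worth re-checking with `crcSalt = <SOURCE>` added to its stanza; a path reported as not existing means the stanza path, not the indexer, is the first thing to fix.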