
Splunk Add-on for Symantec Endpoint Protection stopped working when updating to Symantec Endpoint Protection v14

flynhi66
New Member

We have a dashboard created using the add-on above in subject that worked fine until we upgraded SEP to SEP v14. I noticed that the index (Symantec) used is not being logged to. Updated SEP of the version 14 server to log to syslog and now see those entries coming in from the SEPM v.14 host as syslog.

Not sure what needs to change (it is clear that the host is logging to Splunk, but the data is not being transformed and not being logged to the symantec index).

Looking to see if this should work on SEP14 and if so, how to modify so that queries used for panels in dashboard work.

Thanks!

0 Karma

mxg142
Explorer

I believe the following Post may have the correct fix to this problem: https://answers.splunk.com/answers/745774/sep-142-ru1-log-format-change.html

0 Karma

ageld
Path Finder

Does Splunk Add-on for Symantec Endpoint Protection work on version 7.0?

I am facing the same issue as flynhi66. We have been using "TA for Symantec Endpoint Protection". After we upgraded to version 14 of SEP, field extraction stopped working for the "symantec:ep:risk:syslog" sourcetype. However, it still works for the "symantec:ep:agt:system:syslog", "symantec:ep:behavior:syslog", and "symantec:ep:scan:syslog" sourcetypes.

Unfortunately, I could not find where the problem can be fixed. Not a single field for that sourcetype is being extracted. I will greatly appreciate any help regarding this matter.

Thank you.

mxg142
Explorer

This is frustrating. It's now December 2019 and version 3.0.0 of the Symantec Add-On still has not fixed the field extractions of SEP v14 events.

0 Karma

kmorris_splunk
Splunk Employee

What version of the Add-on are you using? There is apparently a new add-on which is intended to replace TA-sep and TA-sav. It is actually intended to run side-by-side with the older add-ons, so there is no migration required. The docs indicate that it supports Symantec Endpoint Protection version 12.x and later.

This could be your issue.

https://splunkbase.splunk.com/app/2772/

0 Karma

sridhar2901
New Member

Hey, I installed TA for SEP on my heavy forwarder and changed my sourcetype to symantec:ep:syslog in inputs.conf, but I don't see any sourcetypes generating on my search head. Please help me out.

0 Karma
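For the setup sridhar2901 describes (syslog from the SEPM host landing on a heavy forwarder that carries the add-on), the following is an added example of what the input stanza and the verification steps look like. It is not from the add-on's documentation or from any post above; the listening port (514/UDP), the `connection_host` setting and the comment text are assumptions, while the index name `symantec` and the sourcetype `symantec:ep:syslog` are taken from this thread.

```ini
# inputs.conf on the heavy forwarder (hypothetical example stanza, not the add-on's own file).
# The SEPM host is assumed to send syslog to UDP/514 on this forwarder.
# The add-on's props/transforms for symantec:ep:syslog are what re-sourcetype events into
# symantec:ep:risk:syslog, symantec:ep:agt:system:syslog, etc., so they must be present on the
# heavy forwarder, where parsing happens for data it receives directly.
[udp://514]
sourcetype = symantec:ep:syslog
index = symantec
connection_host = ip
no_appending_timestamp = true
```

To check that the stanza is actually in effect, run `splunk btool inputs list udp --debug` on the heavy forwarder and confirm the resolved `sourcetype` and `index` values. Then, on the search head, search `index=symantec | stats count by host, sourcetype` over the last 15 minutes: if the only sourcetype returned is `symantec:ep:syslog`, the add-on's index-time transforms did not run on the forwarder; if the search returns nothing at all, widen it to `index=* host=<sepm-host> | stats count by index, sourcetype` to find out whether the events were routed to a different index. Search-time field extractions are a separate matter: for those to populate dashboard panels, the add-on must also be installed on the search head.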