We have a dashboard created using the add-on named above in the subject that worked fine until we upgraded SEP to SEP v14. I noticed that the index (symantec) it uses is no longer being logged to. I updated the SEP version 14 server to log to syslog and now see those entries coming in from the SEPM v14 host as syslog.
Not sure what needs to change (it is clear that the host is logging to Splunk, but the data is not being transformed and is not being logged to the symantec index).
Looking to see if this should work on SEP 14 and, if so, how to modify it so that the queries used for the panels in the dashboard work.
Does Splunk Add-on for Symantec Endpoint Protection work on version 7.0?
I am facing the same issue as flynhi66. We have been using "TA for Symantec Endpoint Protection". After we upgraded to version 14 of SEP, field extraction stopped working for the "symantec:ep:risk:syslog" sourcetype. However, it still works for the "symantec:ep:agt:system:syslog", "symantec:ep:behavior:syslog", and "symantec:ep:scan:syslog" sourcetypes.
Unfortunately, I could not find where the problem can be fixed. Not a single field for that sourcetype is being extracted. I would greatly appreciate any help regarding this matter.
What version of the add-on are you using? There is apparently a new add-on which is intended to replace TA-sep and TA-sav. It is actually intended to run side-by-side with the older add-ons, so no migration is required. The docs indicate that it supports Symantec Endpoint Protection version 12.x and later.
This could be your issue.
Hey, I installed TA for SEP on my heavy forwarder and changed my sourcetype to symantec:ep:syslog in inputs.conf, but I don't see any sourcetypes being generated on my search head. Please help me out.
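Added illustration, not from any of the posters above: an inputs.conf stanza of the kind the last post describes, for a syslog listener on the heavy forwarder where the add-on is installed. The port (514/UDP), the index name (symantec) and the assumption that the add-on's own props/transforms rewrite the generic symantec:ep:syslog sourcetype into the specific symantec:ep:*:syslog values are assumptions taken from the thread, not verified against any particular add-on version.

```ini
# inputs.conf on the heavy forwarder that has the SEP add-on installed
# (constructed example; port and index name are assumptions)
[udp://514]
# Generic sourcetype the add-on expects on raw SEPM syslog. The add-on's
# props/transforms are assumed to rewrite it per event to the specific
# sourcetypes (symantec:ep:risk:syslog, symantec:ep:scan:syslog, ...).
sourcetype = symantec:ep:syslog
# Index the dashboard panels query (assumed to already exist)
index = symantec
# Record the sending SEPM host rather than the forwarder
connection_host = ip
```

To check whether the rewrite is actually happening, search `index=symantec | stats count by sourcetype` over a recent window: if only symantec:ep:syslog appears, the data is arriving but the add-on's parsing is not being applied on the host that first indexes or forwards it; if the specific sourcetypes appear but a panel still shows nothing, the problem is field extraction for that sourcetype rather than routing.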