All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Symantec Endpoint Protection 12 App

splunkadvantage
New Member
‎10-07-2012 11:39 PM

Hi Splunkers,

We used to have SEP 11 and using the app below works fine with Splunk.

http://splunk-base.splunk.com/answers/43518/symantec-endpoint-protection

After upgrading to SEP 12, the syslog format has been change and the app has become unusable. The fields are no longer recognized, therefore our scheduled reports and dashboards are no longer firing. Does anyone have a SEP 12 app that can be share with the community?

Below are the difference on the SEP 11 and 12 syslog format we've seen.

SEP 11 Syslog Format:

==========================================================================================

Aug 14 08:25:53 10.1.107.21 Aug 14 08:29:25 SymantecServer ORGSEP001: Virus found,Computer name: ORG-USER-NB,Source: Manual Quarantine,Risk name: IRC Trojan,Occurrences: 1,c:\Users\USER\AppData\Local\Temp\VBRF3C.exe,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Left alone,Event time: 2012-08-14 05:18:10,Inserted: 2012-08-14 05:29:25,End: 2012-08-14 05:18:04,Domain: ORG-COM,Group: My Company\Laptops\WebSence CR100249,Server: ORGSEP001,User: USER,Source computer: ,Source IP: 0.0.0.0

==========================================================================================

Sep 12 Syslog Format:

==========================================================================================

Oct 4 12:28:22 10.1.107.21 Oct 4 12:20:13 SymantecServer ORGSEP001: Virus found,IP Address: 10.100.1.164,Computer name: ORG-USER-PC,Source: Real Time Scan,Risk name: ALS.Kenilfe,Occurrences: 1,C:\Windows\Temp\506caddf.qsp,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2012-10-04 09:01:36,Inserted: 2012-10-04 09:20:13,End: 2012-10-04 09:01:35,Last update time: 2012-10-04 09:20:13,Domain: ORG-COM,Group: My Company\Desktops_SEP_12,Server: ORGSEP002,User: SYSTEM,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,0,Application hash: 97B94A2B0916FB933F9E4BBC9EAB9BB48B5237AB3151993010768249332021D0,Hash type: SHA2,Company name: ,Application name: 506188d3.qsp,Application version: ,Application type: Trojan Worm,File size (bytes): 9922

==========================================================================================

Thanks

Tags (2)
0 Karma
Reply

mux
Explorer
‎01-17-2014 12:23 PM

There is a new app that can be used with Symantec 12, it is called Splunk for Symantec and has sourcetypes for both SEP11 and SEP12.

Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-04-2017 04:54 PM

Hey @splunkadvantage, did @mux's suggestion to use the Splunk for Symantec app work for this question? Here is the link https://splunkbase.splunk.com/app/1365/#/details. If so you can accept their answer!

0 Karma
Reply

mrgibbon
Contributor
‎10-21-2012 07:40 PM

I have the same problem. Im actually going through and re-writing the transforms, as this looks like where the issue is.
e.g

Old transform:

[sep_virusfound]

REGEX = .*SymantecServer [^:]+: Virus found,Computer name: (?P[^,]+),Source: (?P[^,]+),Risk name: (?P[^,]+),Occurrences: (?P[\d]+),(?P[^,]+),(?P[^,]+),Actual action: (?P[^,]+),Requested action: (?P[^,]+),Secondary action: (?P[^,]+),Event time: (?P[^,]+),Inserted: (?P[^,]+),End: (?P[^,]+),Domain: (?P[^,]+),Group: (?P[^,]+),Server: (?P[^,]+),User: (?P[^,]+)

My New Transform (still being tested)

[sep_virusfound]

REGEX = .*SymantecServer [^:]+: Virus found,IP Address: (?P[^,]+),Computer name: (?P[^,]+),Source: (?P[^,]+),Risk name: (?P[^,]+),Occurrences: (?P[\d]+),(?P[^,]+),(?P[^,]+),Actual action: (?P[^,]+),Requested action: (?P[^,]+),Secondary action: (?P[^,]+),Event time: (?P[^,]+),Inserted: (?P[^,]+),End: (?P[^,]+),Last update time: (?P[^,]+),Domain: (?P[^,]+),Group: (?P[^,]+),Server: (?P[^,]+),User: (?P[^,]+),Source computer: (?P[^,]+),Source IP: (?P[^,]+),Disposition: (?P[^,]+),Download site: (?P[^,]+),Web domain: (?P[^,]+),Downloaded by: (?P[^,]+),Prevalence: (?P[^,]+),Confidence: (?P[^,]+),URL Tracking Status: (?P[^,]+),First Seen: (?P[^,]+),Sensitivity: (?P[^,]+),Application hash: (?P[^,]+),Hash type: (?P[^,]+),Company name:\s?(?P[^,]+),Application version:\s?(?P[^,]+),Application type: (?P[^,]+),File size \(bytes\): (?P[^,]+)

This covers all the new fields found in the log file lines.
If anyone has already completed this work, please let me know!
Thanks.

0 Karma
Reply

rashid47010
Communicator
‎05-18-2019 12:21 PM

Mr. Gibbon,

when I select the dest filed with sourcetype in pivot for malware datamodel,
the Computer name filed is not being parsed properly for sourcetype=symantec:ep:risk:file.

0 Karma
Reply

jwalzerpitt
Influencer
‎12-05-2014 12:50 PM

Mr. Gibbon,

Was wondering if you ever fully vetted your Symantec v12 regex?

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...