
Symantec Endpoint Protection syslog TA field extraction problem

jenipherc
Splunk Employee

I have this TA installed, "TA-Symantec-EP-Syslog", and I always have this problem at the beginning of each month: this query will not give me certain fields that I am expecting.

sourcetype=symantec:ep:risk:syslog

Some fields that I noticed are missing are: action, Category_Type, and Computer_Name.

I think this happens because the day in the timestamp is single digit rather than double digit.

For example,

an event that starts like this might not have all fields extracted:

Aug  4 11:35:10 

but an event that starts like this

Jul 31 19:35:38

would have all fields extracted.
(They're tab-delimited.)

I was tracing the props.conf and transforms.conf for this sourcetype in this TA, but I couldn't figure out where the timestamp was parsed. Anyone who might have experienced this before, could you share how you fixed it? Thank you.


g_paternicola
Path Finder

Hi everyone,

I have quite the same issue as @jenipherc with this app. But in my case, I do not get any field extraction for the risk sourcetype, while on the other side, for the scan sourcetype, I get everything extracted... I really, really need your help, because there is no other app for Symantec EP for syslog-ng.

I have been trying to understand transforms.conf and props.conf for days, but I can't find anything.

I will be very happy for any help! Thank you!


woodcock
Esteemed Legend

Look for TIME_FORMAT that uses %d for "Day of the month, zero-padded (01..31)" or %-d for "no-padded (1..31)" and switch it to %e for "Day of the month, blank-padded ( 1..31)". You can use btool props list --debug to speed up the search.

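To make the symptom in jenipherc's question and the padding point in woodcock's answer concrete, here is an added Python example that is not part of the thread and does not reproduce the real TA's props.conf or transforms.conf. It uses constructed sample events (hostnames, field names and values are all made up) and a hypothetical header regex that requires a two-digit day, next to a tolerant one that accepts the blank-padded form. The same timestamp difference that breaks a strict regex on "Aug  4" also breaks a strict TIME_FORMAT, which is why the answer above points at switching %d to %e.

```python
import re
from datetime import datetime

# Constructed sample events (not from the original thread): a syslog header followed by
# tab-delimited Symantec EP risk fields. Hostnames, field names and values are hypothetical.
EVENTS = [
    "Aug  4 11:35:10 sephost01 SymantecServer: Security risk found"
    "\tComputer name: WS-0042\tAction: Quarantined\tCategory type: Malware",
    "Jul 31 19:35:38 sephost01 SymantecServer: Security risk found"
    "\tComputer name: WS-0017\tAction: Cleaned\tCategory type: Malware",
]

# Brittle header pattern (hypothetical): assumes the day of month is always two digits,
# so "Aug  4" (blank-padded single digit) never matches and nothing gets extracted.
STRICT_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Tolerant header pattern: one or more spaces after the month and one or two digits,
# which handles both "Aug  4" and "Jul 31".
TOLERANT_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# One "Key: value" pair inside a tab-separated chunk.
FIELD_RE = re.compile(r"(?P<key>[^\t:]+):\s*(?P<value>[^\t]*)")


def extract(event, header_re):
    """Return a dict of extracted fields, or {} when the header regex does not match."""
    m = header_re.match(event)
    if not m:
        # Header failed to match: no fields at all, which is the symptom in the thread.
        return {}
    fields = dict(m.groupdict())
    body = event[m.end():]
    # The first tab-separated chunk is the message prefix; the rest are key: value pairs.
    for part in body.split("\t")[1:]:
        km = FIELD_RE.match(part)
        if km:
            key = km.group("key").strip().replace(" ", "_")
            fields[key] = km.group("value").strip()
    return fields


def parse_timestamp(fields, year=2021):
    """Build a datetime from the header groups. Syslog headers carry no year, so one is
    assumed (constructed). Python's %d accepts a single-digit day here; Splunk's
    TIME_FORMAT is stricter, which is why %e is the fix in the answer above."""
    stamp = f"{fields['month']} {fields['day']} {fields['time']} {year}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def find_unparsed(events, header_re,
                  required=("Computer_name", "Action", "Category_type")):
    """Return the events whose extraction lacks any of the required fields.
    This is the check a defender runs to spot silently dropped fields."""
    return [e for e in events if any(k not in extract(e, header_re) for k in required)]


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_HEADER), ("tolerant", TOLERANT_HEADER)):
        broken = find_unparsed(EVENTS, pattern)
        print(f"{name}: {len(broken)} of {len(EVENTS)} events lost required fields")
        for ev in EVENTS:
            print("   ", ev[:15], "->", extract(ev, pattern) or "NO FIELDS")
```

Run as-is, the strict pattern drops every field for the "Aug  4" event and keeps them for "Jul 31", while the tolerant pattern extracts both; find_unparsed is the same idea as searching the sourcetype for events where action or Computer_Name is null in the first days of a month.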