The Splunk for Symantec app (v 1.0.3) doesn't display data on all of the dashboards

sdwilkerson
Contributor

I followed the instructions to deploy "Splunk for Symantec" http://apps.splunk.com/app/1365/ version 1.0.3 app but some of the dashboards don't populate.

How do I fix this quickly at my site until the app developer has time to work the changes into a new version?

1 Solution

sdwilkerson
Contributor

There are several problems with version 1.0.3 of this app.

First, the typo:

  • Navigate to TA-sepapp11/default/inputs.conf.local
  • When you create your inputs.conf, be sure to edit the "sourcetype" line in the stanza that references agt_system to say "sep11:..." instead of "se11p:...". This is a typo and should be fixed.

Second, there are several thinkos:

Whether you are using TA-sepapp11 or TA-sepapp12, you need to adjust the inputs.conf that you create from the supplied inputs.conf.local.

Adjust the following two stanzas:

  • The monitor stanza for scm_system should have a sourcetype=scm_system
  • The monitor stanza for agt_system should have a sourcetype=agt_system

Both of these in the 1.0.3 version of the app point to just sourcetype=system, so they need to be adjusted to reflect the type of system logs they are (scm or agt).

Third, there are empty dashboards as a result of missing fields.

The view SEP Manager System... calls a macro `scm_trends` which calls others including `sep_scm_system_sourcetype` which references sourcetype=sepxx:scm_system.

If you inspect the props for scm_system, you will see the "csv_header_for_sep12_scm_system" transform that creates these fields: FIELDS = "site_name","sep12_server","domain_field","event description","dest_nt_host", "user_name","domain_name"

The problem is, these fields don't seem to exist in SEP-12 scm_system data.

Here is sample data:

2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for TruScan proactive threat scan commercial application list Win32 11.0.
2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for AP Portal List 12.1 RU2.
2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for SONAR scan engine Win32 11.0.

Some of these can be fixed with good extractions, but unfortunately some of the fields presented in the dashboards don't seem to exist in the data.

Looking at the sample above from scm_system and at the TA-sepapp12/default/props.conf you will see that there are references to extractions that use DELIM as comma "," only without a key-value delimiter. So, it takes the field that has "Site: TestSEP01" and makes that the value of sep12_server. There is no reason for the string "Site: " to be in your field name.

To fix this, we have to override a default extraction.

Create a local props.conf that looks like this:

[sep12:scm_system]
REPORT-1-csv_header_for_sep12_scm_system = extractions_for_sep12_scm_system

Create a local/transforms.conf that looks like this:

[extractions_for_sep12_scm_system]
REGEX = \,Site\:\s+(?<site_name>[^\,]+)\,Server\:\s+(?<sep12_server>[^\,]+)\,(?<event_description>.*)

Additionally, we need to make a small tweak to the macros, so edit SplunkforSymantec/local/macros.conf:

[scm_trends]
definition = `sep_index` `sep_scm_system_sourcetype` | fillnull value=NULL User | rename dest_nt_host as "Host" event_source as "Event Source" event_description as "Log Entry" | timechart count by "Log Entry"

[scm_table]
definition = `sep_index` `sep_scm_system_sourcetype` | fillnull value=NULL User | rename sep12_server as "Host" user_name as "User" event_description as "Log Entry" | table "Host" "User" "Log Entry"

# Also, the following fixes the "Host With Multiple Infections" panel in "host_overview" View
[host_overview_most_viruses_last_24hours]
definition = `sep_index` `sep_risk_sourcetype` risk_type="Virus found" | rename actual_action as "Action" dest_nt_host as "Host" dest_ip as "Host IP" user as "User" risk_type as "Detection Type" signature as "Malware Name" | stats count by Host "Host IP" User | sort -count

That should get those dashboards working (mostly).
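To check the override regex from the answer before deploying it, the following added script (not part of the original post or the app) runs that exact REGEX over the three scm_system sample lines quoted above and contrasts it with a plain comma split, which is the shape of the TA's default DELIM extraction and the reason "Site: " ends up inside the value. The only assumption is that Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...), so the regex is converted before use.

```python
import re

# Regex from the answer's transforms.conf, verbatim (Splunk/PCRE named groups).
SPLUNK_REGEX = (r"\,Site\:\s+(?<site_name>[^\,]+)\,Server\:\s+"
                r"(?<sep12_server>[^\,]+)\,(?<event_description>.*)")

# Constructed sample events: the three scm_system lines quoted in the answer.
SAMPLE_EVENTS = [
    "2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,"
    "No updates found for TruScan proactive threat scan commercial application list Win32 11.0.",
    "2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,"
    "No updates found for AP Portal List 12.1 RU2.",
    "2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,"
    "No updates found for SONAR scan engine Win32 11.0.",
]


def to_python_regex(pcre: str) -> str:
    """Python's re wants (?P<name>...); Splunk (PCRE) accepts (?<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pcre)


def naive_comma_split(event: str) -> list:
    """Plain comma DELIM split: the 'Site: '/'Server: ' labels stay in the values."""
    return event.split(",")


def extract_scm_fields(event: str) -> dict:
    """Apply the override regex; {} when it does not match (fields simply absent)."""
    m = re.search(to_python_regex(SPLUNK_REGEX), event)
    return m.groupdict() if m else {}


def check_extraction(events: list) -> bool:
    """True when every event matches and no value still carries a label prefix."""
    for ev in events:
        fields = extract_scm_fields(ev)
        if not fields:
            return False
        if any(v.startswith(("Site:", "Server:")) for v in fields.values()):
            return False
    return True


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("comma split :", naive_comma_split(ev)[2:4])
        print("regex fields:", extract_scm_fields(ev))
    print("all events clean:", check_extraction(SAMPLE_EVENTS))
```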

gnazer
Engager

Hello, I have followed these steps, and the application does not show anything yet.

Another question: how should the Source UDP input be set, Sep12 or Sep12:log?

sdwilkerson
Contributor

@gnazer
Are you getting SEP data into Splunk at all? Does "index=* sourcetype=sep*" return "SEP-related" data? If not, you have a problem not addressed by this answers post, so open a new answers post.
If you are getting data, but believe it could be unrelated to a flaw in this answers post, then open a new answers post.
If you are getting data, and believe the issue might be one of the flaws addressed by this answers post, then please let us know more.

