Archive

Installation Splunk for Symantec app for single instance

apakhomov
Path Finder

Hello,
I browsed directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories almost identical.

So If I want to install SplunkforSymantec on the single Splunk instance and want to get data by syslog, I don't have to install TA-sepapp11. Is it right?

I only need to create./SplunkforSymantec/local/inputs.conf with content:

[udp:516]
sourcetype=sep11:log

I doubt about the string:

sourcetype=sep11:log

In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:

## A default listener
#[udp:516]
#sourcetype=sep11:log
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error

So, what is correct: "sep11:log" or "sep"

Tags (3)
0 Karma
1 Solution

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

View solution in original post

0 Karma

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!