Archive
Highlighted

Symantec Endpoint 14 via syslog onboarding

Engager

Apologies first, for the long post; I'm trying to get clarification on some previous posts, hopefully this post can consolidate some of those suggestions/fixes and save some time and frustration for others....

I am sending SEP 14 logs to splunk via syslog directly from SEP manager.

I have installed the TA for Symantec Endpoint Protection (syslog) based on several recommendations in this forum. We also have installed Splunk Enterprise Security app for use.

The notes for the TA say to "Assign sourcetype symantec:ep:syslog to the incoming datasourcetype" however I'm unclear where/how to assign the sourcetype.

A. How do I assign the sourcetype to the incoming datasourcetype ?

In several posts I see references to an inputs.conf file, however there is no inputs.conf file in the app directory. I do however see other conf files, including "transforms" and "props".

B. Do I need an inputs.conf in the app directory, if so how/where should I start. What edits changes need to be effected.

C. Do I need to make any edits updates to the transforms.conf, props.conf, or any other files.

I understand the TA will not have dashboards and only presents the data for use by other apps and objects. How is the data on-boarded, or ingested into these apps/objects?

Many thanks for any assistance

Rick

0 Karma
Highlighted

Re: Symantec Endpoint 14 via syslog onboarding

Explorer

Hi,

You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath.

For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this:
[monitor:///opt/syslog/symantec/*.txt]
##default to main if not specific
index =
sourcetype = symantec:ep:syslog

You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex.

The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec.

Hope this help!

Regards,
Benjamin Tan,Hi,

You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath.

For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this:
[monitor:///opt/syslog/symantec/*.txt]
##default to main if not specific
index =
sourcetype = symantec:ep:syslog

You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex.

The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec.

Hope this help!

Regards,
Benjamin Tan

0 Karma