I use Symantec Endpoint Protection 11.
Is the app compatible?
I installed the app and I don't see any data.
In Symantec I configured the remote logging.
Send to: Splunk IP, port UDP 514.
In Splunk I activated the UDP listening on 514, syslog.
After a few minutes I see logs in the source 514, syslog... data from the SEP.
But they don't show up in the app.
Why? Must the SEP version installed be in English? Or is another language compatible?
Yes, it should be compatible with Symantec Endpoint Protect Version 11 (which is what I wrote the app against).
Please check the following:
Make sure that the events that are being received in Splunk have the correct sourcetype. If they don't have the correct sourcetype, none of the reporting will work.
You can do this by modifying $SPLUNK_HOME/etc/apps/SEP_Reporting/local/props.conf if it's different.
I'd actually recommend NOT using port 514 as the feed for the SEP logs. It will cause unnecessary confusion especially if you are using 514 for syslog.
It has to be English, because that's what I wrote the app for. Unfortunately, I don't speak any other language (unless you count Perl or Python).
My guess is the sourcetype is not the sourcetype the app is looking for. What sourcetype does the app look for? Whatever that is, use that name for the sourcetype in your source definition; modify your source input to use the correct sourcetype name.
Yes, I have a prod_sep_logs index.
Now I see data with index="prod_sep_logs".
I see my test virus scan and Infection Found, but I see nothing in the app.
Only with the search index="proud_sep_logs".
Do you have an index named "prod_sep_log"? You can also see in Manager >>> Indexes whether data is going in, if in fact the source is being written to that index, etc.
Make the change and restart Splunk, then search "index=prod_sep_log".
I don't know what you mean with "...and dump it into this index...".
I created a prod_sep_logs index... now I have it in Manager -> Indexes.
Automatically it is listed under the app "SEP_Reporting".
On Data Inputs -> UDP I created a new one with
Sourcetype = syslog
More settings -> index default.
Then I see results with the search source="udp:514" or sourcetype="syslog"; I see the same.
On the left side I see the interesting fields; under "index", when I click, I see "main 100%".
So the logs are written to the default (main) index.
When I change the UDP settings from index default (main) to index prod_sep_log,
nothing happens, no logs to see.
1st off, you don't need an app to index data. As a test, just create the prod_sep_logs index, then the source definition, and dump it into this index, then search this index "index=prod_sep_logs". Do you get any results?
Make sure the sourcetype is also correct. You are likely indexing the events as sourcetype=syslog and dumping them into the index "prod_sep_logs". The app is likely looking for indexed data with a sourcetype that is something other than syslog, etc.
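To make the advice in this answer concrete, here is an added inputs.conf sketch (not from the SEP_Reporting app or any poster in this thread) contrasting the setup described above with one that sends SEP events to the named index under the app's sourcetype. The port 1514 and the sourcetype placeholder are assumptions; the real sourcetype name must be taken from the app's own props.conf.

```ini
# $SPLUNK_HOME/etc/apps/SEP_Reporting/local/inputs.conf  (illustrative, not shipped with the app)

# Setup as described in the thread: generic syslog on 514, no index set,
# so events fall into the default index (main) and the app's searches never see them.
[udp://514]
sourcetype = syslog

# Corrected setup: a dedicated port (the answer above advises not reusing 514),
# the index the installation guide names, and the sourcetype the app expects.
[udp://1514]
connection_host = ip
index = prod_sep_logs
# PLACEHOLDER: replace with the sourcetype stanza name found in
# $SPLUNK_HOME/etc/apps/SEP_Reporting/default/props.conf
sourcetype = SEP_SOURCETYPE_PLACEHOLDER
```

After restarting Splunk, confirm both halves of the fix at once with a search such as `index=prod_sep_logs sourcetype=SEP_SOURCETYPE_PLACEHOLDER | head 5`; if that returns events but the app still shows nothing, the sourcetype name in the input is what to re-check.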
OK, next step: in the installation guide I see I must use index=prod_sep_logs.
But I don't have this... I created one, then I changed the UDP settings from index main to index prod_sep_logs.
But nothing is coming.
When I change index prod_sep_logs back to "default" or "main", I see UDP entries again.