Symantec Endpoint Protection

New Member

Hi,

I use Symantec Endpoint Protection 11.
Is the App compatible?

I installed the App and I don't see any data.

In Symantec I configured the remote logging.
Send to: Splunk IP, port UDP 514.

In Splunk I activated the UDP listener on 514, syslog.

After a few minutes I see logs in the source 514, syslog... data from the SEP.
But they don't get written into the App.
Why? Must the SEP version be installed in English? Or is another language compatible?

Greets.


Builder

Yes, it should be compatible with Symantec Endpoint Protection Version 11 (which is what I wrote the app against).

Please check the following:
Make sure that the events that are being received in Splunk have the correct sourcetype. If it doesn't have the correct sourcetype, none of the reporting will work.

You can do this by modifying $SPLUNK_HOME/etc/apps/SEP_Reporting/local/props.conf if it's different.

I'd actually recommend NOT using port 514 as the feed for the SEP logs. It will cause unnecessary confusion especially if you are using 514 for syslog.

It has to be English, because that's what I wrote the app for. Unfortunately, I don't speak any other language (unless you count Perl or Python).

Brian
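The two settings Brian names (a dedicated port instead of 514, and the sourcetype/index the app's searches expect) can be pinned in a local inputs.conf; the stanza below is an added example, not from the SEP_Reporting app or from anyone in this thread. It assumes port 5514 is free, that the prod_sep_logs index already exists, and that `sep_sourcetype_expected_by_app` is a placeholder for the sourcetype named in the app's props.conf, which this page does not show.

```ini
# Added example, not the app's own configuration.
# File: $SPLUNK_HOME/etc/apps/SEP_Reporting/local/inputs.conf
#
# Weak setup as described in the thread (kept commented out for contrast):
# SEP logs share the generic syslog port, get sourcetype=syslog and land in
# the default index, so none of the app's searches match them.
# [udp://514]
# sourcetype = syslog

# Corrected: dedicated port (assumption: 5514 is free), the sourcetype the
# app searches for (placeholder, take the real name from the app's props.conf),
# and the index the installation guide names.
[udp://5514]
sourcetype = sep_sourcetype_expected_by_app
index = prod_sep_logs
# Record the sending SEP manager's IP as the host field
connection_host = ip
```

Point the SEP remote-logging target at the new port, restart Splunk, and verify with the search `index=prod_sep_logs | stats count by sourcetype, source`. Events that were already indexed as sourcetype=syslog keep that sourcetype; props.conf and inputs.conf changes only affect data indexed afterwards.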

Contributor

My guess is the sourcetype is not the sourcetype the App is looking for. What sourcetype does the App look for? Whatever that is, use that name for the sourcetype in your source definition; modify your source input to use the correct sourcetype name.


New Member

Yes, I have a prod_sep_logs index.
Now I see data with index="prod_sep_logs".
I see my test virus scan and Infection Found, but I see nothing in the App.

Only with the search index="prod_sep_logs".


Contributor

Do you have an index named "prod_sep_log"? You can also see in Manager >>> Indexes whether data is going in, if in fact the source is being written to that index, etc.

Make the change and restart Splunk, then search "index=prod_sep_log".

New Member

I don't know what you mean with "...and dump it into this index...".

I created a prod_sep_logs index... now I have in Manager -> Indexes:
_audit
.
.
.
main
prod_sep_logs

Under App it automatically shows "SEP_Reporting".

On Data Inputs -> UDP I created a new one with
514
Sourcetype = syslog
more settings -> index default.

Then I see results with the search source="udp:514" or sourcetype="syslog"; I see the same.
On the left side I see the interesting fields with "index"; when I click it I see "main 100%".
So the logs are written to the default (main) index.

When I change the UDP settings from index default (main) to -> index prod_sep_log,
nothing happens, no logs to see.

Greets.


Contributor

1st off, you don't need an App to index data. As a test, just create the prod_sep_logs index, then the source definition, and dump it into this index, then search this index "index=prod_sep_logs". Do you get any results?

Make sure the sourcetype is also correct. You are likely indexing the events as sourcetype=syslog and dumping them into the index "prod_sep_logs". The app is likely looking for indexed data with a sourcetype that is something other than syslog, etc.

New Member

OK, next step: in the Installation Guide I see I must use index=prod_sep_logs.
But I don't have this... I created one, then I changed the UDP settings from index main to index prod_sep_logs.

But nothing comes.

When I change index prod_sep_logs back to "default" or "main", I see UDP entries again.

Greets.
