Deployment Architecture

I edited inputs.conf on the deployment client to monitor a path that has all the Symantec logs in one directory, received through syslog. Please help me with how to get separate sourcetypes.

sridhar2901
New Member


I need to get the following sourcetypes. I have all the Symantec logs dumped into a single directory by the external logging option enabled in SEPM.

0 Karma

micahkemp
Champion

The Symantec TA wants you to configure your inputs like this (according to the included inputs.conf.template):

[monitor://<<path_to_temp_dump_file_directory>>/scm_admin.tmp]
sourcetype = symantec:ep:admin:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_behavior.tmp]
sourcetype = symantec:ep:behavior:file

[monitor://<<path_to_temp_dump_file_directory>>/scm_agent_act.tmp]
sourcetype = symantec:ep:agent:file

[monitor://<<path_to_temp_dump_file_directory>>/scm_policy.tmp]
sourcetype = symantec:ep:policy:file

[monitor://<<path_to_temp_dump_file_directory>>/scm_system.tmp]
sourcetype = symantec:ep:scm_system:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_packet.tmp]
sourcetype = symantec:ep:packet:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_proactive.tmp]
sourcetype = symantec:ep:proactive:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_risk.tmp]
sourcetype = symantec:ep:risk:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_scan.tmp]
sourcetype = symantec:ep:scan:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_security.tmp]
sourcetype = symantec:ep:security:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_system.tmp]
sourcetype = symantec:ep:agt_system:file

[monitor://<<path_to_temp_dump_file_directory>>/agt_traffic.tmp]
sourcetype = symantec:ep:traffic:file

You said all the log files are in one location, but you didn't say all the different types were in the same file, so I think the above should still be feasible for you.

0 Karma

harsmarvania57
Ultra Champion

Hi,

Are those different files, or is all the data dumped into a single file on your syslog server?

If they are different files, then you can configure inputs.conf and props.conf something like this.

In the example below we are configuring the universal forwarder to monitor /var/tmp/abc.log and /var/tmp/xyz.log.

inputs.conf

[monitor:///var/tmp/]
whitelist = (abc|xyz)\.log
index = test

props.conf

[source::/var/tmp/abc.log]
sourcetype = symantec:ep:risk:file

[source::/var/tmp/xyz.log]
sourcetype = symantec:ep:scan:file

0 Karma

sridhar2901
New Member

@harsmarvania57

All the data is dumped into a single file on my syslog server.

0 Karma

harsmarvania57
Ultra Champion

Ok, then it will be tricky to assign different sourcetypes. You can use props.conf and transforms.conf on the indexer/forwarder to change the sourcetype based on a regex.

Here is an example. In the example below I have put <yourregex> in transforms.conf; there you need to write a regular expression that finds the different data, and based on that Splunk will assign that sourcetype.

props.conf

[yoursourcetypefromUF]
TRANSFORMS-sourcetype = override-sourcetype, override-sourcetype-1

transforms.conf

[override-sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = <yourregex>
FORMAT = symantec:ep:risk:file

[override-sourcetype-1]
DEST_KEY = MetaData:Sourcetype
REGEX = <yourregex>
FORMAT = symantec:ep:scan:file

I would recommend dumping the different types of data into different files on the syslog server if possible, which is the easiest way to achieve your requirement.

0 Karma
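As an added example (not code from any poster in this thread), here is a Python dry run of the props.conf/transforms.conf approach in the answer above: it parses the REGEX/FORMAT pairs from the override stanzas and checks sample syslog lines for events that no rule would claim (they keep the forwarder's sourcetype) or that more than one rule would claim (ambiguous routing). The regexes standing in for <yourregex> and the sample events are invented placeholders, not real SEPM output.

```python
"""Dry-run a transforms.conf sourcetype override against sample events.

Flags events matched by no rule or by several rules before the
config is pushed to the indexer/forwarder.
"""
import configparser
import re

# Constructed transforms.conf: the <yourregex> placeholders are filled with
# made-up patterns; the sample events below are likewise invented, not SEPM output.
TRANSFORMS_CONF = r"""
[override-sourcetype]
DEST_KEY = MetaData:Sourcetype
REGEX = \bRisk\b
FORMAT = symantec:ep:risk:file
[override-sourcetype-1]
DEST_KEY = MetaData:Sourcetype
REGEX = \bScan\b
FORMAT = symantec:ep:scan:file
"""
# Order as listed in props.conf: TRANSFORMS-sourcetype = override-sourcetype, override-sourcetype-1
RULE_ORDER = ["override-sourcetype", "override-sourcetype-1"]
SAMPLE_EVENTS = [
    "Mar 10 12:00:01 sepm01 Risk found,Computer: host1,Risk name: Example.Test",
    "Mar 10 12:00:02 sepm01 Scan started on host1",
    "Mar 10 12:00:03 sepm01 Scan completed on host1,Risk count: 0",  # hits both rules
    "Mar 10 12:00:04 sepm01 Policy updated on host1",                 # hits no rule
]


def load_rules(conf_text, order):
    """Return [(stanza, compiled REGEX, FORMAT)] for stanzas that override the sourcetype."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DEST_KEY/REGEX/FORMAT exactly as written
    cp.read_string(conf_text)
    return [(name, re.compile(cp[name]["REGEX"]), cp[name]["FORMAT"])
            for name in order if cp[name]["DEST_KEY"] == "MetaData:Sourcetype"]


def audit(events, rules):
    """Classify each event as routed to exactly one sourcetype, unmatched, or ambiguous."""
    report = {"routed": {}, "unmatched": [], "ambiguous": []}
    for line in events:
        hits = [(name, fmt) for name, rx, fmt in rules if rx.search(line)]
        if not hits:
            report["unmatched"].append(line)
        elif len(hits) > 1:
            report["ambiguous"].append((line, [name for name, _ in hits]))
        else:
            report["routed"][hits[0][1]] = report["routed"].get(hits[0][1], 0) + 1
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS, load_rules(TRANSFORMS_CONF, RULE_ORDER)))
```

Any line that lands in "unmatched" or "ambiguous" means the regexes need tightening before the TA's field extractions can be trusted for that event type.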

sridhar2901
New Member

@harsmarvania57

Can I dump it to different files at the syslog level? If so, how do I do it?

This is my email: sridharclear@gmail.com
Can you ping me on it? Can you guide me please?

0 Karma

harsmarvania57
Ultra Champion

Hi,

I am not a Symantec or syslog expert so I can't help with this; maybe you need to get help from the people in your organization who generally configure the syslog server.

0 Karma