- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Symantec Endpoint 14 via syslog onboarding
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Symantec Endpoint 14 via syslog onboarding
Apologies first, for the long post; I'm trying to get clarification on some previous posts, hopefully this post can consolidate some of those suggestions/fixes and save some time and frustration for others....
I am sending SEP 14 logs to splunk via syslog directly from SEP manager.
I have installed the TA for Symantec Endpoint Protection (syslog) based on several recommendations in this forum. We also have installed Splunk Enterprise Security app for use.
The notes for the TA say to "Assign sourcetype symantec:ep:syslog to the incoming datasourcetype" however I'm unclear where/how to assign the sourcetype.
A. How do I assign the sourcetype to the incoming datasourcetype ?
In several posts I see references to an inputs.conf file, however there is no inputs.conf file in the app directory. I do however see other conf files, including "transforms" and "props".
B. Do I need an inputs.conf in the app directory, if so how/where should I start. What edits changes need to be effected.
C. Do I need to make any edits updates to the transforms.conf, props.conf, or any other files.
I understand the TA will not have dashboards and only presents the data for use by other apps and objects. How is the data on-boarded, or ingested into these apps/objects?
Many thanks for any assistance
Rick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath.
For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this:
[monitor:///opt/syslog/symantec/*.txt]
##default to main if not specific
index =
sourcetype = symantec:ep:syslog
You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex.
The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec.
Hope this help!
Regards,
Benjamin Tan,Hi,
You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath.
For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this:
[monitor:///opt/syslog/symantec/*.txt]
##default to main if not specific
index =
sourcetype = symantec:ep:syslog
You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex.
The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec.
Hope this help!
Regards,
Benjamin Tan
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
