Unable to see Symantec risk logs on heavy forwarder and indexer



First off, apologies if this is the wrong forum to post this but I am stuck and need help.

I currently have a test environment set up as below.

Symantec SEPM is sending syslog to a VIP load balancer, which will then forward to either one of two HFs.

Flow is as follows:

Symantec SEPM > LB > HF


Configuration as shown below:

Symantec SEPM version 14.3 RU1 with the following syslog configuration:

Syslog IP: VIP of Load Balancer

Syslog dest port: TCP 514

Syslog Line Separator: LF


The LB is configured to forward the logs to the HF via port 9997.


Issue: Currently, the issue is that the risk logs used to be sent over previously but seem to have stopped now.


If I have missed out anything, please let me know.


Any feedback is greatly appreciated. 



