Getting Data In

Unable to see Symantec risk logs on heavy forwarder and indexer



First off, apologies if this is the wrong forum to post this but I am stuck and need help.

I currently have a test environment set up as below.

Symantec SEPM is sending syslog to a vip load balancer which will then forward to either one of two HF. 

Flow is as follows:

Symantec SEPM > LB > HF


Configuration as shown below:

Symantec SEPM version 14.3 RU1 with the following syslog configuration

Syslog IP:  VIP of Load Balancer

Syslog dest port: TCP 514

Syslog Line Separator: LF


LB is configured to forward the logs to HF via port 9997


Issue: Currently, the issue is that the risk logs used to be sending over previously but seem to stop now.


If I have missed out anything, please let me know.


Any feedback is greatly appreciated. 




Labels (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...