Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to see Symantec risk logs on heavy forwarder and indexer

mohdmikhael
Explorer
‎07-15-2021 08:40 PM

Hi, 

First off, apologies if this is the wrong forum to post this but I am stuck and need help.

I currently have a test environment set up as below.

Symantec SEPM is sending syslog to a vip load balancer which will then forward to either one of two HF. 

Flow is as follows:

Symantec SEPM > LB > HF

 

Configuration as shown below:

Symantec SEPM version 14.3 RU1 with the following syslog configuration

Syslog IP:  VIP of Load Balancer

Syslog dest port: TCP 514

Syslog Line Separator: LF

 

LB is configured to forward the logs to HF via port 9997

 

Issue: Currently, the issue is that the risk logs used to be sending over previously but seem to stop now.

 

If I have missed out anything, please let me know.

 

Any feedback is greatly appreciated. 

 

Regards,

Mikhael

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...