Splunk Enterprise Security

Enterprise Security: why is sourcetype="bluecoat:proxysg:admin:file" tagged as error

danielbb
Motivator

The bluecloat sourcetype "bluecoat:proxysg:admin:file" is tagged as error. It's also not listed at Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG

Why is it?

0 Karma

aholzel
Communicator

The eventtype "err0r" from the Splunk_SA_CIM is a very broad search.. that is almost a catch all

gjanders
SplunkTrust
SplunkTrust

Do you happen to have the Splunk TA *nix app installed? That has some very open tag=error searches.
You can see this by checking the eventtypes involved where you see tag=error....

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!