Splunk Enterprise

Monitoring Trellix log

sswigart
Explorer
I have a requirement to monitor log files created by Trellix on my Windows 11 and 2019 hosts.
The log files are located under C:\ProgramData\McAfee\Endpoint Security\Logs\:

  • AccessProtection_Activity.log
  • ExploitPrevention_Activity.log
  • OnDemandScan_Activity.log
  • SelfProtection_Activity.log
 
My stanza in inputs.conf is configured as:
 
# Stanza header must be closed with ']' or the file input is never created
[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log]
disabled = 0
index = winlogs
sourcetype = WinEventLog:HIPS
# The four settings below are WinEventLog:// input settings (per inputs.conf.spec);
# they have no effect on a monitor:// file input
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
 
Same format for each log.
For some reason Splunk is not ingesting the log data.
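An added example, not code from the thread or from Splunk: a small Python linter for inputs.conf text that catches the two defects visible in the stanza above, a header line that is not closed with ']' and keys that only apply to WinEventLog inputs but were placed under a monitor:// input. The set of WinEventLog-only keys and the typo map are my assumptions taken from inputs.conf.spec as I know it; the first sample stanza is the one posted in the question, the second is a corrected version I constructed.

```python
import re
from typing import List, Optional

# Keys that only have meaning under [WinEventLog://...] stanzas (assumption from inputs.conf.spec).
WINEVENTLOG_ONLY = {"start_from", "current_only", "checkpointInterval", "renderXml"}

# Misspellings worth flagging (assumption: 'renderXel' appears in the posted stanza).
KNOWN_TYPOS = {"renderXel": "renderXml"}

# A header line: '[' then the stanza name, optionally closed by ']' and nothing else.
STANZA_RE = re.compile(r"^\[(?P<body>[^\]]*)(?P<close>\])?\s*$")


def lint_inputs_conf(text: str) -> List[str]:
    """Return a list of human-readable findings for an inputs.conf fragment."""
    findings: List[str] = []
    current: Optional[str] = None  # name of the stanza we are inside, if any

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        if line.startswith("["):
            m = STANZA_RE.match(line)
            if m is None or m.group("close") is None:
                # Splunk does not create an input for a header it cannot parse.
                findings.append(f"line {lineno}: stanza header is not closed with ']': {line}")
                current = m.group("body") if m else line[1:]
            else:
                current = m.group("body")
            continue

        if "=" not in line:
            findings.append(f"line {lineno}: not a 'key = value' pair: {line}")
            continue

        key, _, _value = line.partition("=")
        key = key.strip()
        if current is None:
            findings.append(f"line {lineno}: '{key}' appears before any stanza header")
            continue

        if key in KNOWN_TYPOS:
            findings.append(f"line {lineno}: unknown key '{key}', did you mean '{KNOWN_TYPOS[key]}'?")
            key = KNOWN_TYPOS[key]  # check the intended key against the stanza type too

        if current.startswith("monitor://") and key in WINEVENTLOG_ONLY:
            findings.append(
                f"line {lineno}: '{key}' only applies to WinEventLog inputs and does nothing under [{current}]"
            )

    return findings


# Sample 1: the stanza exactly as posted in the question.
QUESTION_STANZA = r"""[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log
disabled = 0
index = winlogs
sourcetype = WinEventLog:HIPS
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXel = false
"""

# Sample 2: constructed corrected stanza (header closed, WinEventLog-only keys dropped).
CORRECTED_STANZA = r"""[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log]
disabled = 0
index = winlogs
sourcetype = WinEventLog:HIPS
"""

if __name__ == "__main__":
    for name, text in (("posted", QUESTION_STANZA), ("corrected", CORRECTED_STANZA)):
        print(f"== {name} stanza ==")
        for finding in lint_inputs_conf(text) or ["no findings"]:
            print("  " + finding)
```

The linter is only a pre-flight check on the text you are about to deploy; on the forwarder itself, `splunk btool inputs list --debug` shows which stanza Splunk actually loaded and from which file, which is the authoritative answer to the "where and how are you putting those inputs.conf settings" question later in the thread.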

livehybrid
Ultra Champion

Hi @sswigart 

Please can you confirm if you can see the _internal events for the hosts which are monitoring those files?

:glowing_star: Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


sswigart
Explorer

Sir,

When I do a query (index=_internal) looking for records from any of the logs, there are no results.


livehybrid
Ultra Champion

Apologies if I wasn't previously clear - the purpose of the check in the _internal index is to check that your forwarder is successfully sending its own internal logs to your indexer(s) - this allows us to establish if the cause is due to a forwarding issue from the forwarder, or a problem reading in the data.

Do you see your forwarder host sending *any* logs (not specific to Trellix) in the _internal index?


PickleRick
SplunkTrust

No, the question wasn't for the logs from the Trellix solution. The question is whether you're getting any Splunk forwarder's own events into your _internal index from the hosts from which you will also want to pull Trellix events.

Also - where and how are you putting those inputs.conf settings?
