Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitoring Trellix log

sswigart
Explorer
‎07-28-2025 03:18 PM
I have a requirement to monitor log files created by Trellix on my windows 11 and 2019 hosts. 
The log files are located at C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log
                                                                                                                                                              \ExploitPrevention_Activity.log
                                                                                                                                                               \OnDemandScan_Activity.log
                                                                                                                                                                \SelfProtection_Activity.log
 
My stanza in the input.conf are configured as:
 
[monitor://C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log
disabled = 0
index = winlogs
sourcetype = WinEventLog:HIPS
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXel = false
 
Same format for each log.
For some reason Splunk is not ingesting the log data.
Labels (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-28-2025 03:46 PM

Hi @sswigart 

Please can you confirm if you can see the _internal events for the hosts which are monitoring those files?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

sswigart
Explorer
‎07-29-2025 07:08 AM

Sir,

When I do a query (index=_internal) looking for records from any of the logs, there are no results.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-29-2025 02:37 PM

Apologies if I wasnt previously clear - the purpose of the check in the _internal index is to check that your forwarder is successfully sending its own internal logs to your indexer(s) - this allows us to establish if the cause is due to a forwarding issue from the forwarder, or a problem reading in the data.

Do you see your forwarder host sending *any* logs (not specific to Trellix) in the _internal index?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

sswigart
Explorer
‎08-04-2025 02:06 PM

I am getting records from 5 or more .log s .

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-29-2025 09:30 AM

No, the question wasn't for the logs from the Trellix solution. The question is whether you're geting any Splunk forwarder's own events into your _internal index from the hosts from which you will also want to pull Trellix events.

Also - where and how are you putting those inputs.conf settings?

0 Karma
Reply

sswigart
Explorer
‎08-04-2025 02:13 PM

I am using the Splunk  Add-on for Microsoft Windows.

The inputs.conf files on the hosts are located in:

C:\SplunkUF\etc\apps\Splunk_TA_windows\local\inputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...