Splunk Search

Symantec Endpoint Reporting App (SEP) Installation

hcorbett_
New Member

Hello, I'm new to Splunk and I'm having some difficulty getting the SEP app working correctly.

(replace the dashes below with underscores..)

I do not see any data when I go to App -> Symantec Endpoint Protection Reporting, although I know that SEP logs are being indexed in prod-sep-logs because I can go to the Search app and search for index="prod-sep-logs" and get results.

Back on the SEP app, under 'Top Infections By Type,' if I click More Info (beside No Results Found) I see the following: "This search has completed and found 12,205 matching events. However, the transforming commands in the highlighted portion of the following search: search eventtype="sep-virusfound" | top limit=50 sep-riskname" (top limit=50 sep-riskname is the part that is highlighted).

Back on the Search app, if I search index="prod-sep-logs" I see that my logs currently contain 10 eventtypes including sep-virusfound, sep-management-downloadcontent, sep-management-receivelog, and so on, so it appears that the eventtypes are working correctly.

On the Search app, if I search - index="prod-sep-logs" eventtype="sep-virusfound" - I see all of the logs for this eventtype, but I do not see under 'Selected fields' or 'Other interesting fields' entries for sep-computername or sep-riskname, and if I append - | top sep-computername - or - | top sep-riskname - to my search I receive no results. So from my limited experience it looks like maybe the field extractions are not working correctly.

So I went to Manager and the Field Transformations and grabbed the regular expression for sep-virusfound. I went to the Search app and searched for - index="prod-sep-logs" eventtype="sep-virusfound" -, then I selected Extract fields and under Generated pattern I clicked Edit, pasted the regex for sep-virusfound and clicked Apply. Under Sample Extractions it appears to pull data correctly for sep-actualaction, sep-computername, sep-domainname, sep-endtime, ..., sep-username, so the regex appears to be working correctly.

Any idea why the regex is working correctly, but Splunk does not appear to know about the Fields?

Thanks for any help you can provide.

Heath

0 Karma

dmceccoli
Engager

We just had the same problem. Check props.conf for the app. The delivered sourcetype "prod_sep_logs" did not match the sourcetype for our SEP logs. Once we matched them up it started working as expected.

Cheers, Dave
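A quick way to check for the mismatch Dave describes (a sourcetype assigned in inputs.conf that has no matching props.conf stanza, so the app's REPORT-/EXTRACT- field extractions never apply and fields like sep-riskname stay missing) is to compare the two files. This is an added example, not code from the SEP app or from this thread; the conf contents are constructed, the sourcetype "sep_syslog" and the REPORT- names are placeholders, and the stanza [prod_sep_logs] is the one named above.

```python
import configparser

# Constructed sample conf files. For a real check, read the app's
# $SPLUNK_HOME/etc/apps/<app>/{default,local}/inputs.conf and props.conf.
INPUTS_CONF = """
[monitor:///var/log/sep/]
index = prod-sep-logs
sourcetype = sep_syslog
disabled = 0
"""

PROPS_CONF = """
[prod_sep_logs]
REPORT-sep = sep_virusfound, sep_management
TIME_PREFIX = ^
"""


def parse_conf(text):
    """Parse a Splunk .conf file (ini-style) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case: REPORT-sep, not report-sep
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def input_sourcetypes(inputs):
    """Sourcetypes explicitly assigned by inputs.conf stanzas."""
    return {v["sourcetype"] for v in inputs.values() if "sourcetype" in v}


def extraction_stanzas(props):
    """props.conf stanzas that carry field extraction settings."""
    return {s for s, keys in props.items()
            if any(k.startswith(("REPORT-", "EXTRACT-")) for k in keys)}


def find_mismatches(inputs_text, props_text):
    """Return (extraction stanzas matching no input sourcetype,
               input sourcetypes with no extraction stanza)."""
    sourcetypes = input_sourcetypes(parse_conf(inputs_text))
    stanzas = extraction_stanzas(parse_conf(props_text))
    # source::/host:: stanzas do not name a sourcetype; leave them out.
    named = {s for s in stanzas if not s.startswith(("source::", "host::"))}
    return sorted(named - sourcetypes), sorted(sourcetypes - named)


if __name__ == "__main__":
    unused, missing = find_mismatches(INPUTS_CONF, PROPS_CONF)
    for s in unused:
        print(f"props.conf [{s}] matches no sourcetype set in inputs.conf")
    for s in missing:
        print(f"sourcetype {s} has no REPORT-/EXTRACT- stanza in props.conf")
```

Renaming the stanza in local/props.conf to the sourcetype inputs.conf actually assigns (or the other way round) makes both lists empty.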

BP9906
Builder

Discovered the SEP12 syslog is different than SEP11. I'm going to suggest a transformation change to support either.

0 Karma

BP9906
Builder

Copying props.conf to 'local' and editing the [prod_sep_log] to match the inputs.conf sourcetype and restarting Splunk didn't fix it. What's wrong?

0 Karma

Brian_Osburn
Builder

Updated the documentation - thanks!

0 Karma