Hi, You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath. For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this: [monitor:///opt/syslog/symantec/*.txt] ##default to main if not specific index = sourcetype = symantec:ep:syslog You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex. The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec. Hope this help! Regards, Benjamin Tan,Hi, You will need to create a custom inputs.conf on the Heavy/Universal Forwarder (if you have one installed on the syslog server) and configure it to monitor your Symantec syslog filepath. For example, if your Symantec syslog is stored in /opt/syslog/symantec/symantec01012019.txt, your inputs.conf should be like this: [monitor:///opt/syslog/symantec/*.txt] ##default to main if not specific index = sourcetype = symantec:ep:syslog You will need to install this add-on on the Heavy Forwarder or Indexer, depending on your architecture, and the add-on will parse the logs to relevant sourcetype based on the regex. The recommended way of collecting SEPM logs should be via dumpfile instead of syslog as this add-on is not officially supported by Splunk or Symantec. Hope this help! Regards, Benjamin Tan ... View more

As stated on Splunkbase by the author in the release note: "Error faced while parsing knowledgebase API response when CVSS data is missing in the response." Updating the TA to the latest version should resolve this issue. ... View more

Hi kchamplin, Thanks for the explanation! Is there an official documentation on this from Splunk? It would be great to learn more about this! ... View more