Apologies first for the long post; I'm trying to get clarification on some previous posts. Hopefully this post can consolidate some of those suggestions/fixes and save some time and frustration for others.
I am sending SEP 14 logs to Splunk via syslog directly from SEP Manager.
I have installed the TA for Symantec Endpoint Protection (syslog) based on several recommendations in this forum. We also have the Splunk Enterprise Security app installed for use.
The notes for the TA say to "Assign sourcetype symantec:ep:syslog to the incoming datasourcetype"; however, I'm unclear where/how to assign the sourcetype.
A. How do I assign the sourcetype to the incoming datasourcetype?
In several posts I see references to an inputs.conf file; however, there is no inputs.conf file in the app directory. I do, however, see other conf files, including "transforms" and "props".
B. Do I need an inputs.conf in the app directory? If so, how/where should I start, and what edits/changes need to be made?
C. Do I need to make any edits/updates to transforms.conf, props.conf, or any other files?
I understand the TA will not have dashboards and only presents the data for use by other apps and objects. How is the data onboarded, or ingested, into these apps/objects?
Many thanks for any assistance.
Rick
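As an added example (not the poster's configuration and not a file shipped with the TA), this is the kind of inputs.conf stanza that answers question A: a network input on the Splunk instance that receives the SEP Manager syslog traffic, tagged with the sourcetype named in the TA notes. The listening port, the index name and the app directory are assumptions; the stanza header must match how SEP Manager is configured to send (udp:// or tcp://).

```ini
# Added example, not the TA's own file. Assumed location:
#   $SPLUNK_HOME/etc/apps/<your_local_app>/local/inputs.conf
# on the indexer or heavy forwarder that listens for the SEP Manager syslog.
# Keep it in a local/ directory so TA upgrades do not overwrite it.

[udp://1514]
# Sourcetype named in the TA notes; the TA's props.conf/transforms.conf
# stanzas key off this name, so they normally need no edits.
sourcetype = symantec:ep:syslog
# Assumed index; create it before enabling the input or events are dropped.
index = sep
# Record the sending SEP Manager as the host (ip or dns), not the indexer.
connection_host = ip
disabled = 0
```

After a restart (or `splunk reload`), `splunk btool inputs list --debug` shows which file the stanza is being read from, and a search such as `index=sep sourcetype=symantec:ep:syslog` confirms that events are arriving with the sourcetype the TA expects; if the field extractions do not appear, the sourcetype assignment is the first thing to check, not the TA's props.conf or transforms.conf.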