There are several problems with version 1.0.3 of this app.
First, the typo:
Navigate to TA-sepapp11/default/inputs.conf.local
When you create your inputs.conf, be sure to edit the "sourcetype" line in the stanza that references agt_system to say "sep11:..." instead of "se11p:...". This is a typo and should be fixed.
Second, there are several thinkos:
Whether you are using TA-sepapp11 or TA-sepapp12, you need to adjust the inputs.conf that you create from the supplied inputs.conf.local.
Adjust the following two stanzas:
The monitor stanza for scm_system should have a sourcetype=scm_system
The monitor stanza for agt_system should have a sourcetype=agt_system
Both of these in the 1.0.3 version of the app point to just sourcetype=system, so they need to be adjusted to reflect the type of system logs they are (scm or agt).
Third, there are empty dashboards as a result of missing fields.
The view SEP Manager System... calls a macro `scm_trends`, which calls others including `sep_scm_system_sourcetype`, which references sourcetype=sepxx:scm_system.
If you inspect the props for scm_system, you will see the "csv_header_for_sep12_scm_system" transform that creates these fields: FIELDS = "site_name","sep12_server","domain_field","event description","dest_nt_host", "user_name","domain_name"
The problem is, these fields don't seem to exist in SEP-12 scm_system data.
Here is sample data:
2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for TruScan proactive threat scan commercial application list Win32 11.0.
2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for AP Portal List 12.1 RU2.
2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,No updates found for SONAR scan engine Win32 11.0.
Some of these can be fixed with good extractions, but unfortunately some of the fields presented in the dashboards don't seem to exist in the data.
Looking at the sample above from scm_system and at the TA-sepapp12/default/props.conf you will see that there are references to extractions that use DELIM as comma "," only without a key-value delimiter. So, it takes the field that has "Site: TestSEP01" and makes that the value of sep12_server. There is no reason for the string "Site: " to be in your field name.
To fix this, we have to override a default extraction.
Create a local props.conf that looks like this:
# stanza name assumed here: the sep12 scm_system sourcetype the dashboards reference
[sep12:scm_system]
REPORT-1-csv_header_for_sep12_scm_system = extractions_for_sep12_scm_system
Create a local/transforms.conf that looks like this:
[extractions_for_sep12_scm_system]
REGEX = \,Site\:\s+(?<site_name>[^\,]+)\,Server\:\s+(?<sep12_server>[^\,]+)\,(?<event_description>.*)
Additionally, we need to make a small tweak to the macros, so edit SplunkforSymantec/local/macros.conf:
definition = `sep_index` `sep_scm_system_sourcetype` | fillnull value=NULL User | rename dest_nt_host as "Host" event_source as "Event Source" event_description as "Log Entry" | timechart count by "Log Entry"
definition = `sep_index` `sep_scm_system_sourcetype` | fillnull value=NULL User | rename sep12_server as "Host" user_name as "User" event_description as "Log Entry" | table "Host" "User" "Log Entry"
# Also, the following fixes the "Host With Multiple Infections" panel in "host_overview" View
definition = `sep_index` `sep_risk_sourcetype` risk_type="Virus found" | rename actual_action as "Action" dest_nt_host as "Host" dest_ip as "Host IP" user as "User" risk_type as "Detection Type" signature as "Malware Name" | stats count by Host "Host IP" User | sort -count
That should get those dashboards working (mostly).
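As an added illustration (not part of the original post or the Splunk for Symantec app), the regex override above translated to Python and run over constructed sample lines in the same format, next to a positional comma split that approximates the TA's original DELIMS extraction; the field list, sample lines and function names are constructed for this example.

```python
import re

# Python form of the REGEX from the local/transforms.conf override above
# (Splunk's (?<name>...) named groups are (?P<name>...) in Python).
SCM_SYSTEM_RE = re.compile(
    r",Site:\s+(?P<site_name>[^,]+)"
    r",Server:\s+(?P<sep12_server>[^,]+)"
    r",(?P<event_description>.*)$"
)

# Field list taken from the TA's csv_header_for_sep12_scm_system transform.
TA_CSV_FIELDS = ["site_name", "sep12_server", "domain_field", "event description",
                 "dest_nt_host", "user_name", "domain_name"]

# Constructed sample lines in the format quoted in the post.
SAMPLE_LINES = [
    "2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,"
    "No updates found for AP Portal List 12.1 RU2.",
    "2013-12-12 11:40:30,Info,Site: TestSEP01 FOO,Server: TestSEP01,"
    "No updates found for SONAR scan engine Win32 11.0.",
    # Constructed line without Site:/Server: columns, to show the override's failure mode.
    "2013-12-12 11:41:00,Warn,Scheduler restarted.",
]


def delims_extract(line):
    """Approximate a DELIMS="," extraction: a positional split onto the CSV
    field list with no key/value handling, so label prefixes such as
    'Site: ' stay inside the extracted values."""
    return dict(zip(TA_CSV_FIELDS, line.split(",")))


def regex_extract(line):
    """The override from the post: clean site_name, sep12_server and
    event_description, or None when the line lacks the Site:/Server: columns."""
    m = SCM_SYSTEM_RE.search(line)
    return m.groupdict() if m else None


def extract_all(lines):
    """Run the override over a batch; unmatched lines stay as None so you can
    count how many events would drop out of the dashboard panels."""
    return [regex_extract(line) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("DELIMS:", delims_extract(line))
        print("REGEX :", regex_extract(line))
```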