I have this TA installed: "TA-Symantec-EP-Syslog". And I always have this problem at the beginning of each month, that this query will not give me certain fields that I am expecting:
sourcetype=symantec:ep:risk:syslog
Some fields that I noticed are missing are: action, Category_Type, and Computer_Name.
I think this happens because the day in the timestamp is a single digit rather than two digits.
For example, an event that starts like this might not have all fields extracted:
Aug 4 11:35:10
but an event that starts like this
Jul 31 19:35:38
would have all fields extracted.
(They're tab delimited.)
I was tracing the props.conf and transforms.conf for this sourcetype in this TA, but I couldn't figure out where the timestamp was parsed. Could anyone who has experienced this before share how you fixed it? Thank you.
Hi everyone,
I have quite the same issue as @jenipherc with this app. But in my case, I do not get any field extraction for the risk sourcetype, while on the other side, for the scan sourcetype, I get everything extracted... I really really need your help, because there is no other app for Symantec EP for Syslog-ng.
I've been trying to understand transforms.conf and props.conf for days, but I can't find anything.
I will be very happy for any help! Thank you!
Look for TIME_FORMAT that uses %d for "Day of the month, zero-padded (01..31)" or %-d for "no-padded (1..31)" and switch it to %e for "Day of the month, blank-padded ( 1..31)". You can use btool props list --debug to speed up the search.
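To illustrate the failure mode discussed in this thread, here is an added example (not code from the TA or from either poster) that runs a strict and a padding-tolerant extraction over two constructed syslog-style events. The regexes and field names are hypothetical stand-ins for the TA's real props.conf extractions; the point is that a pattern assuming one space between month and day drops every field on blank-padded days.

```python
import re
from datetime import datetime

# Constructed sample events (not real Symantec EP data): a syslog header
# followed by tab-delimited fields. The Aug 4 line carries the blank-padded
# day (two spaces) that a single-space pattern rejects.
EVENTS = [
    "Jul 31 19:35:38\tsepm01\tCategory type: Infection\tAction: Quarantined\tComputer name: HOST01",
    "Aug  4 11:35:10\tsepm01\tCategory type: Infection\tAction: Quarantined\tComputer name: HOST02",
]

# Hypothetical extraction modelled on a props.conf EXTRACT that assumes exactly
# one space between month and day (the shape that breaks early in the month).
STRICT = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\t(?P<host>[^\t]+)\t(?P<body>.*)$")
# Corrected version: \s+ tolerates the extra blank of %e-style padding.
LENIENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\t(?P<host>[^\t]+)\t(?P<body>.*)$")


def parse_timestamp(ts: str, year: int = 2023) -> datetime:
    """Parse the syslog timestamp regardless of day padding (year is assumed,
    since the syslog header carries none)."""
    normalised = " ".join(ts.split())  # collapse "Aug  4" to "Aug 4"
    return datetime.strptime(f"{year} {normalised}", "%Y %b %d %H:%M:%S")


def extract(event: str, pattern: re.Pattern) -> dict:
    """Return extracted fields, or {} when the header pattern does not match
    (which is what 'missing fields' looks like in search)."""
    m = pattern.match(event)
    if not m:
        return {}
    fields = {"host": m.group("host"), "_time": parse_timestamp(m.group("ts"))}
    for part in m.group("body").split("\t"):
        key, _, value = part.partition(": ")
        fields[key.replace(" ", "_")] = value
    return fields


def unextracted(events: list, pattern: re.Pattern) -> list:
    """List the timestamps of events the given pattern fails on: a quick check
    to run over a day's sample before and after changing the config."""
    return [e.split("\t", 1)[0] for e in events if not extract(e, pattern)]


if __name__ == "__main__":
    print("strict misses:", unextracted(EVENTS, STRICT))
    print("lenient misses:", unextracted(EVENTS, LENIENT))
```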