
Configuring Symantec for Splunk app and universal forwarder

tranvin
Engager

Hi there,

I've got a couple of issues that I need some help with.

I'm trying to set up the Symantec Endpoint app and also trying to set up the universal forwarder on the SEP manager so that it will forward enriched information about the SEP clients reporting to the SEP manager.

Details: SEP version 12.1.x, Splunk version 6.

I have configured the SEP manager to send external logging to a TCP port (4096/tcp) on the Splunk server and can confirm that the logs are being received.

I've installed the Symantec for Splunk app but when I load it there's nothing in the display.

I've also installed the Universal forwarder on the server that's running the SEP manager, but unsure of what additional configuration I need to get it to send SEP client logs reporting into the SEP manager over to my Splunk server.

Any help would be great! Many thanks in advance.


SQservicedesk
Explorer

I have a similar issue. Splunk server is a fresh install of Windows Server 2008 R2, Splunk 6 installed, Splunk for Symantec App installed. Then installed the universal forwarder on our Symantec server (also WIN2K8R2) running SEPM 12.1, specifying the actual path of our SEPM installation (not default). I checked inputs.conf on the SEPM server which is located in ...\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf and the SEPM path was correct. As part of the Universal forwarder installation I installed the required TA.

As far as I know, this is all that is required to setup this app, however the documentation available seems very limited and I believe more steps are required. When searching in the App in Splunk, no results are returned.
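For reference, here is the minimal set of Splunk configuration stanzas that the setup described in these two posts needs (indexer TCP input for the SEPM external-logging stream, forwarder monitor input for the SEPM dump directory, and the TA enabled). This is an added example, not configuration from the thread, from the app, or from Symantec. The index name `symantec`, the sourcetype names `sep12_syslog` and `sep12_dump`, and the SEPM dump path are assumptions: the sourcetype values in particular must be replaced by whatever the installed Symantec 12 TA declares in its `default/props.conf`, because the TA's field extractions only fire on its own sourcetypes, and a TCP input with no `sourcetype` set leaves the events under Splunk's generic default sourcetype, which is one way to get data in the index and nothing on the dashboards.

```ini
# Added example (not from the original thread). Assumed values are marked.
# Splunk .conf comments must sit on their own line: text after a value on
# the same line becomes part of the value.

# (1) Splunk server / indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
#     SEPM "external logging" syslog stream arriving on 4096/tcp.
[tcp://4096]
# ASSUMED index name; create it in indexes.conf before restarting.
index = symantec
# ASSUMED sourcetype name. Replace with the sourcetype the installed
# Symantec 12 TA defines in its default/props.conf.
sourcetype = sep12_syslog
connection_host = dns
disabled = false

# (2) Universal forwarder on the SEPM host:
#     $SPLUNK_HOME/etc/apps/<TA directory>/local/inputs.conf
#     SEPM writes exported log files under data\dump once "Export logs to a
#     dump file" is enabled in the SEPM console. Path below is the default
#     install location and is an ASSUMPTION; use the real SEPM directory.
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump]
index = symantec
# ASSUMED sourcetype name, same caveat as above.
sourcetype = sep12_dump
disabled = false

# (3) The TA itself must be enabled, on the indexer and on the forwarder:
#     $SPLUNK_HOME/etc/apps/<TA directory>/local/app.conf
[install]
state = enabled
```

After editing, restart each Splunk instance and confirm the effective configuration rather than the files you think are in play: `splunk cmd btool inputs list --debug` prints every active input stanza together with the file it came from, and `splunk display app` lists each installed app with its enabled/disabled state. On the search head, `index=symantec | stats count by host, sourcetype` shows whether events are arriving and, more importantly, under which sourcetype; if the sourcetype shown there is not one the TA knows about, the app's macros and dashboards will stay empty no matter how much data is indexed.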


rsennett_splunk
Splunk Employee

Have you assigned the sourcetypes?

This app seems to be driven by macros, so what I would do is take a look at the macros and run them separately in the search view (run the search code, not the macro). In other words, take it apart a bit to see what might be out of alignment.

The macros are found this way.
From the App Dashboard Screen
Select the Settings Menu>
Select the Advanced Search>
Select the Search Macros>
Examine the list and see if something jumps out... cut and paste the search code into the search view and run it. See what it gets you.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

davidpaper
Contributor

For the TAs, once they are installed (per rsennett_splunk above), make sure that the TA is enabled. A TA that's installed but disabled won't do you much good.


SQservicedesk
Explorer

The TA is enabled by default upon installation isn't it?


rsennett_splunk
Splunk Employee

According to the doc: "After downloading the app and going through the set up process, you still need to install either the Symantec 11 Technology Add-on or Symantec 12 Technology Add-on. If you are currently running both products, you should install both TAs." You don't mention having done that... so I would imagine that the dashboards perhaps are not seeing any normalized fields that the TAs handle. If you have installed the TA, then I suggest you pick a search and check the job inspector for details as to why you see no data. That will give you a clue you can share here...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!