I'm having a little bit of a problem with the fields not being correctly formatted from the SEP EP logs and would really appreciate a little help & guidance.
Here is a brief environment summary:
Search head & indexer running Splunk Enterprise 6.2.6
SEP Management Server configured to export logs to dump files
Splunk Forwarder 6.2.6-274160 installed on the SEP Management Server
Here is a summary of what I have done:
Installed Splunk Add-on for Symantec Endpoint Protection 2.0.1 on the search head
Moved Splunk_TA_symantec-ep from apps to deployment-apps
Created an index on the indexer called symantecep
Inputs configured in the deployment app as recommended, defining the monitor index as symantecep, e.g.:
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
index = symantecep
sourcetype = symantec:ep:admin:file
disabled = 0
App successfully deployed to the SEP client via a server class
The logs are appearing on the search head in the index specified but the fields are not being extracted.
I have attached screenshots of how the search results appear in the search head.
My assumption is that the app runs on the forwarder which collects the information, assigns source types, carries out field extraction, and then forwards them to the indexer, so please correct me if that's wrong.
Many Thanks,
David