OK, so after fighting with this app for a few days, it seems a part of the issue has to do with the actual searches. When using Splunk for Symantec, it seems the best thing to do is use the universal forwarder as this will allow you to control the sourcetype. This is key. When syslog is used, the data gets there, but it is all wrong and all searches would be broken; at least with the forwarder, you can control the sourcetype on delivery.
For the sake of simplicity, I will use a single source. On the forwarder, set the inputs.conf:
```
[monitor://<PATH>/data/dump/agt_scan.tmp]
sourcetype = symantec:scan
index = symantec
disabled = false
```
That much is simple and it gets the data into the SEPM. However, this is where the issue lies and I hope we can fix it. In the Splunk for Symantec App (the v 1.x one), when you click on: Host Overview -> completed scans today it shows zero. Underneath that box, if you open in search, the search field pre-populates with:
`host_overview_scans_today`
and you have no data and the count is 0, but the good news is that this is a hyperlink to a new search, click it and select view events.
The search box now shows `index=symantec_syslog sourcetype=sep12:scan status=completed` and below there are no results.
From here, there are 2 issues and the one is corrected using the forwarder as opposed to syslog:
1. `sourcetype=sep12:scan`: with syslog, this is just sep12, so it returns no value; at least with the forwarder, you can forward the type as sep12:scan.
2. `status=completed`: this too is an issue, because the imported data does not have a status field. Instead, remove status= and you end up with results.
So, depending on how you can edit an existing app and its searches, Splunk for Symantec would technically work. Otherwise, it would seem the answer is Splunk Enterprise Security. This appears to be where the 2.x Symantec application comes into play because looking at the TA, it also utilizes the forwarder, but once in Splunk, the paid Enterprise Security app can then read this data. So, the 2.x TA has no effect on 1.x.
The 1.x has the pre-built dashboards, but the issue there is that the searches used to build the dashboards do not appear to be accurate and therefore, they display no data.
While I have no idea how this can be fixed, at least it seems to make some sense now as to why the data that is sent to Splunk cannot be seen in the add-on and instead requires individual searches, negating the GUI's functionality.
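One way to apply the two fixes described in the post without touching the app's shipped files, written here as an added example (it is not part of the original post and not code from the Splunk for Symantec app): in Splunk, a name wrapped in backticks such as `host_overview_scans_today` is a search macro, and a macro's definition can be overridden by placing the same stanza in the app's `local/macros.conf`, which takes precedence over `default/macros.conf`. The app directory name is a placeholder, and the index and sourcetype values in the override assume the forwarder `inputs.conf` shown above.

```ini
# Assumed path: $SPLUNK_HOME/etc/apps/<splunk_for_symantec_app_dir>/local/macros.conf
# (<splunk_for_symantec_app_dir> is a placeholder; the post does not name the directory)

# As reported in the post, the shipped macro expands to a search that returns
# nothing against forwarder-delivered data: the sourcetype does not arrive as
# sep12:scan over syslog, and the scan events carry no "status" field.
#
#   [host_overview_scans_today]
#   definition = index=symantec_syslog sourcetype=sep12:scan status=completed

# Override in local/: match the index and sourcetype the forwarder's inputs.conf
# actually assigns, and drop the status= filter that no event can satisfy.
[host_overview_scans_today]
definition = index=symantec sourcetype=symantec:scan
```

After reloading the configuration (or restarting Splunk), the Host Overview panel expands the macro to the overridden search. Before trusting the panel again, confirm the events are really there with a direct count, for example `index=symantec sourcetype=symantec:scan | stats count`: a dashboard that silently reads zero for completed scans is a monitoring blind spot, and the count is the quickest way to tell "no scans ran" apart from "the search is wrong".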