Description
Symantec Endpoint Protection Reporting - some high level reporting around logs sent to Splunk from the SEP console. This application is pretty basic, so any requests / comments would be appreciated.

Screenshots
http://dl.dropbox.com/u/6408771/SEP_Application/ScreenShot_1.JPG

Overview
This is a pretty basic application, allowing some high level visibility into Symantec Endpoint Protection logging. It consists of the following:
One Saved Search:
Two Views:
Twenty-Three different event types

Installation Instructions
Install via Splunkbase -OR- download it and extract it to $SPLUNK_HOME/etc/apps.
If you use an index other than "prod_sep_logs" (which I expect most do), modify $SPLUNK_HOME/etc/apps/SEP_Reporting/local/eventtypes.conf and replace "prod_sep_logs" with your index name. You will also need to modify the sourcetype if you are using something other than prod_sep_log!
Restart Splunk.

NOTE: I do not cover how to feed Splunk SEP logs. I actually had someone on my Windows team do that for me and I didn't document it.

*NOTE Regarding SEP Version* Unfortunately, I don't have time or the environment to modify this around new versions of SEP as they are released.

Brian

Versions and Release Notes
Version 1.1 (current version - updated Dec 19, 2011)
release notes:
Removed references to my account in the app.
Version 1.0 (updated Dec 23, 2010)
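The index and sourcetype edit from the installation instructions above, as an added helper script that is not part of SEP_Reporting: it rewrites every index=prod_sep_logs and sourcetype=prod_sep_log reference in eventtypes.conf, and the sample stanzas it carries are constructed for illustration, not the app's own twenty-three eventtypes.

```python
"""Rewrite the index and sourcetype hard-coded in SEP_Reporting's eventtype
searches, as the installation notes ask you to do by hand."""
import re
import sys

# Constructed stand-in for the app's eventtypes.conf; the stanza names are
# illustrative only, not the eventtypes the real app ships with.
SAMPLE_EVENTTYPES_CONF = """\
[sep_example_virus_found]
search = index=prod_sep_logs sourcetype=prod_sep_log "Virus found"

[sep_example_scan_complete]
search = index="prod_sep_logs" sourcetype="prod_sep_log" "Scan Complete"
"""

APP_INDEX = "prod_sep_logs"      # index the app expects (from the docs)
APP_SOURCETYPE = "prod_sep_log"  # sourcetype the app expects (from the docs)


def _sub_field(field, old, new, text):
    # Key on the field name and stop at a word boundary so that replacing the
    # sourcetype "prod_sep_log" cannot chew into the index "prod_sep_logs",
    # of which it is a prefix. An optional opening quote is preserved.
    pattern = re.compile(r'\b%s=("?)%s\b' % (field, re.escape(old)))
    return pattern.subn(lambda m: "%s=%s%s" % (field, m.group(1), new), text)


def rewrite_eventtypes(text, index, sourcetype):
    """Return (rewritten_text, number_of_replacements) for one conf file."""
    text, n_idx = _sub_field("index", APP_INDEX, index, text)
    text, n_st = _sub_field("sourcetype", APP_SOURCETYPE, sourcetype, text)
    return text, n_idx + n_st


def main(argv):
    # Usage: rewrite_sep_eventtypes.py <eventtypes.conf> <index> <sourcetype>
    if len(argv) != 4:
        print("usage: %s eventtypes.conf INDEX SOURCETYPE" % argv[0])
        return 2
    path, index, sourcetype = argv[1:]
    with open(path) as fh:
        new_text, count = rewrite_eventtypes(fh.read(), index, sourcetype)
    if count == 0:
        print("nothing matched; the file may already be customised")
        return 1
    with open(path, "w") as fh:
        fh.write(new_text)
    print("rewrote %d index/sourcetype references in %s" % (count, path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the local copy of eventtypes.conf before restarting Splunk; a count of zero means the file does not contain the names the instructions describe and should be inspected by hand.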
We are running SEP 2012, but don't get anything found in the reports. I'm a bit of a n00b at Splunk, but understand regex well. So some hints from other users at what to look for and change and I should be able to get it going.
You can install the Splunk Forwarder on the server, select all the Event Logs. The one that SEP uses is WinEventLog:Application. The default index for these on the splunk box is "main".
Our setup is pretty new, so we don't have any virus detections yet :)
Hi Brian, I like the app as it provides a great way to consolidate events from the Symantec EndPoint console. Is it possible to modify the app so that it provides "drill down" functionality from the "Statistics" dashboard? Currently I have to copy and paste any data from this page to the "Details" page.
Thanks, and I appreciate the effort you put into creating this App.
I am new to Splunk, and since I have started to test the application, I began to find that I just don't like to log into multiple consoles for events, nor do I like to receive emails from multiple systems. This application solves the need to check multiple sources for SEP events, and does a great job at it!!
I had issues with the application, and the developer was very helpful with troubleshooting the issues. We use an older version of SEP (11.0.6005.562), and it works perfectly with this application!
Brian, Thanks for creating such a great application!!!
You can feed the Splunk logs through your SEPM console. Set up external logging and point it to your Splunk server. To make it easier I created a prod_sep_logs index and tied that index to 515/UDP. Now all my SEP data is coming to the correct database.
Don't forget to restart Splunk after your changes.
There also appears to be a problem with the way Symantec log files in v15. I am working on editing the transforms and will post information as I progress.
NOTE: I do not cover how to feed Splunk SEP logs. I actually had someone on my windows team do that for me and I didn't document it.
Isn't that a key part to this app?
