Hi Splunkers,
I have a need to integrate SEP ver. 12 with our Splunk environment. I'm aware that there is a SEP add-on which gets the parsing job done. However, my scenario is not straightforward because I am limited to the SEP client logs. I am not able to get the logs from the SEPM dump files (it's an environmental limitation). I have identified the location on the client where my log of interest (AVMan.log, Antivirus events) is located (C:*\ ***\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AVMan.log). I believe the AVMan.log maps to the "symantec:ep:scan:file" sourcetype from the SEP add-on. The challenge is that the log format of AVMan.log and the symantec:ep:scan:file sample have some differences. Hence the AVMan logs are not parsing.
I was wondering whether anyone here has been able to integrate SEP with Splunk using the logs from the client rather than the SEPM dump files. I would rather not have to do all the extraction from scratch. Your assistance is very much appreciated.
Please see below sample log formats:
AVMan.log:
00080000 0007fff1 000000c3 000000c2 000000c2 0000000e
00000186 01d351b91047c856 01d351b90810e180 01d351b90810e180 00000001 2F091E13371B,3,2,11,,SYSTEM,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1509393260,,0,,,,,0,,,,,,,,,,,{8BEF9C93-4C70-4E09-AF43-7C690FC82D73},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,0,A90BDC497C404390982AA54A2462967C,0,2F091E13371B,,,1
000001b9 01d351bccdee3139 01d351bcc97d2600 01d351bcc97d2600 00000001 2F091E141614,2,2,11,,SYSTEM,,,,,,,16777216,"Scan Complete: Risks: 0 Scanned: 1550 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0",1509393260,,0,0:0:1550:0:0,,,,0,,,,,,,,,,,{8BEF9C93-4C70-4E09-AF43-7C690FC82D73},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,0,A90BDC497C404390982AA54A2462967C,1613,2F091E141614,,,1
000001a6 01d36c9283d4ace2 01d36c927f430500 01d36c927f430500 00000001 2F0B03173926,5,1,2,,,,c:\users\\desktop\septestfile.txt,5,1,19,256,37750852,"",1512226913,,0,,2134675314,11101,0,0,0,,,0,,0,0,4,0,,{3D6C5B5B-E6F2-4F1E-8442-9F0480A80424},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,2d7c47ee-7531-4f62-a702-d4b62e279bc7,1027080192,,,,1,,0,0,0,0,0,,,0,0,0,,,,0,2F0B03173926,0,,0
symantec:ep:scan:file:
2015-04-17 13:09:07,Scan ID: 202774235,Begin: 2014-11-14 16:43:56,End: 2014-11-14 16:44:59,Completed,Duration (seconds): 63,User1: ##User1_Name##,User2: ##User2_Name##,'Scan started','Scan stopped',Command: Not a command scan (),Threats: 0,Infected: 234,Total files: 98762,Omitted: 0,Computer: ##Computer_Name##,IP Address: ##IP_Address##,Domain: zzzComp,Group: My Company\Aaaaa Workstations,Server: sepxxxxx
Regards,
Olamide.
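Added example (not part of the post above, nor Symantec's or the Splunk add-on's code): a small Python parser that takes the AVMan.log records as pasted, splits them even when several are run together on one line, and maps the fields a Splunk search would want onto the names the add-on's scan sourcetype uses (event, scan ID, threats, total files, omitted). Everything about the layout is inferred from the three sample records and is an assumption: the field positions, the event and category names, the reading of the 12-hex-digit first field as a packed time (years since 1970, 0-based month, day, hour, minute, second), and the reading of the 16-hex-digit prefix words as Windows FILETIMEs. The sample text is constructed from the records in the post.

```python
import csv
import re
from datetime import datetime, timedelta

# Constructed sample: the header line plus the three AVMan.log records from the post,
# one record per line. The post pasted them run together on one line; the splitter
# below accepts both layouts, so SAMPLE.replace("\n", " ") parses identically.
SAMPLE = r"""00080000 0007fff1 000000c3 000000c2 000000c2 0000000e
00000186 01d351b91047c856 01d351b90810e180 01d351b90810e180 00000001 2F091E13371B,3,2,11,,SYSTEM,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1509393260,,0,,,,,0,,,,,,,,,,,{8BEF9C93-4C70-4E09-AF43-7C690FC82D73},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,0,A90BDC497C404390982AA54A2462967C,0,2F091E13371B,,,1
000001b9 01d351bccdee3139 01d351bcc97d2600 01d351bcc97d2600 00000001 2F091E141614,2,2,11,,SYSTEM,,,,,,,16777216,"Scan Complete: Risks: 0 Scanned: 1550 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0",1509393260,,0,0:0:1550:0:0,,,,0,,,,,,,,,,,{8BEF9C93-4C70-4E09-AF43-7C690FC82D73},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,0,A90BDC497C404390982AA54A2462967C,1613,2F091E141614,,,1
000001a6 01d36c9283d4ace2 01d36c927f430500 01d36c927f430500 00000001 2F0B03173926,5,1,2,,,,c:\users\\desktop\septestfile.txt,5,1,19,256,37750852,"",1512226913,,0,,2134675314,11101,0,0,0,,,0,,0,0,4,0,,{3D6C5B5B-E6F2-4F1E-8442-9F0480A80424},,,,DIR,48:0F:CF:2A:BC:5A,14.0.2415.128,,,,,,,,,,,,,,,,0,,2d7c47ee-7531-4f62-a702-d4b62e279bc7,1027080192,,,,1,,0,0,0,0,0,,,0,0,0,,,,0,2F0B03173926,0,,0
"""

# A record starts with a sequence number, three 16-hex-digit words and a flag word,
# followed by a comma-separated body whose first field is the 12-hex-digit event time.
RECORD_RE = re.compile(
    r"(?:^|\s)([0-9a-f]{8}) ([0-9a-f]{16}) ([0-9a-f]{16}) ([0-9a-f]{16}) ([0-9a-f]{8}) "
    r"(?=[0-9A-F]{12},)"
)
SUMMARY_RE = re.compile(
    r"Risks: (\d+) Scanned: (\d+) Files/Folders/Drives Omitted: (\d+) Trusted Files Skipped: (\d+)"
)
# Event/category names: codes 2, 3, 5 (and categories 1, 2) are the ones in the sample;
# the names are my reading of the SEP client-log event list (assumption, not from the post).
EVENT = {1: "Alert", 2: "Scan stopped", 3: "Scan started", 5: "Infection"}
CATEGORY = {1: "Infection", 2: "Summary"}


def decode_time(hex12):
    """Event time field: six hex bytes = years since 1970, month (0-based), day,
    hour, minute, second (the SEP client-log time encoding as I understand it)."""
    y, mo, d, h, mi, s = (int(hex12[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + y, mo + 1, d, h, mi, s)


def decode_filetime(ft):
    """The 16-hex-digit prefix words look like Windows FILETIMEs (100 ns ticks since
    1601-01-01); treating them that way is an assumption, not something the post states."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def split_records(text):
    """Yield (prefix_words, csv_body) for every record found in text, whether the
    records sit one per line or were pasted run together on a single line."""
    starts = list(RECORD_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.groups(), text[m.end():end].strip()


def parse_record(prefix, body):
    """Map one record onto the field names the add-on's scan sourcetype uses.
    Positions (event=1, category=2, user=5, file=7, description=13, scan id=14,
    actions=8/10) are inferred from the three sample records and are assumptions."""
    f = next(csv.reader([body]))      # body is CSV with a double-quoted description
    event = int(f[1])
    rec = {
        "time": decode_time(f[0]).strftime("%Y-%m-%d %H:%M:%S"),
        "logged": decode_filetime(int(prefix[1], 16)).strftime("%Y-%m-%d %H:%M:%S"),
        "seq": int(prefix[0], 16),
        "event": EVENT.get(event, f"event_{event}"),
        "category": CATEGORY.get(int(f[2]), f[2]),
        "user": f[5],
        "file": f[7],
        "description": f[13],
        "scan_id": f[14],
    }
    if event == 5:                    # infection record: keep the action codes
        rec["wanted_action"], rec["real_action"] = f[8], f[10]
    m = SUMMARY_RE.search(f[13])      # "Scan Complete" records carry the totals in text
    if m:
        rec["threats"], rec["total_files"], rec["omitted"], rec["skipped"] = map(int, m.groups())
    return rec


def parse_log(text):
    return [parse_record(prefix, body) for prefix, body in split_records(text)]


def to_kv(rec):
    """Render as key="value" pairs so Splunk's automatic extraction finds the fields."""
    return " ".join(f'{k}="{str(v).replace(chr(34), chr(39))}"' for k, v in rec.items())


if __name__ == "__main__":
    for rec in parse_log(SAMPLE):
        print(to_kv(rec))
```

Run as-is it prints one key="value" line per record; the same record-start pattern used in RECORD_RE is what you would put in a props.conf LINE_BREAKER if you index AVMan.log directly and want Splunk to split events on record boundaries rather than on newlines, and the decoded event time (not the FILETIME prefix) is the one worth feeding TIME_FORMAT. For the first sample record the packed time decodes to 2017-10-30 19:55:27 and the FILETIME prefix to the same evening, which is a useful sanity check that the assumed encodings are right on your own data.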