Channel: Questions in topic: "splunk-enterprise"

How to correctly parse the sourcetypes when indexing one Symantec log file per day?

Splunk ver 6.3.1

I am working through the Splunk Add-on for Symantec Endpoint Protection install documentation and I have a question about the inputs.conf file. The documentation shows the Symantec log files as being monitored separately:

    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false

    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false

    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false

    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false

However, I have our Symantec management server configured to syslog the files to the Splunk server into a directory, configured via rsyslog as follows:

    #send all messages from SEP Manager to a specific files
    $template Symantec,"/syslog/symantec/%$YEAR%/%$MONTH%/symantec-%$YEAR%%$MONTH%%$DAY%.log"
    if $hostname contains 'SymantecServer' then -?Symantec
    & ~

With that, I have one Symantec log file per day that has the various different Symantec log formats all mixed in. I assume I can configure the inputs.conf to point all of the lines in the stanza to the same file, but how do I ensure that Splunk will be able to parse all the different formats within the same log file to assign the correct sourcetypes - scm_admin, scm_agent, agt_risk, agt_scan, and so on? Thx
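The usual way to split one mixed file into several sourcetypes on the Splunk side is a sourcetype override at index time: props.conf assigns a placeholder sourcetype to the monitored file and lists transforms under a TRANSFORMS- setting, and each transforms.conf stanza carries a REGEX, a FORMAT of the form sourcetype::<name> and DEST_KEY = MetaData:Sourcetype. The script below is an added example (not part of the question, the Splunk add-on, or Symantec's documentation) that prototypes that rule set in Python against constructed sample lines, so the regexes can be checked before they are deployed, and then renders the equivalent transforms.conf stanzas. The marker strings inside the regexes (Scan started, Security risk found, and so on) and the sample lines are assumptions made for illustration; they must be replaced with patterns verified against real SEP Manager syslog output.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Ordered (regex, sourcetype) rules. First match wins, which mirrors how Splunk
# applies the transforms named in a TRANSFORMS-<name> list in props.conf.
# ASSUMPTION: the marker text in each pattern is illustrative only; confirm the
# real wording of each SEP log type against captured samples before use.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Scan (?:started|Complete|Suspended)", re.I), "symantec:ep:scan:file"),
    (re.compile(r"Security risk found|\bRisk Found\b", re.I), "symantec:ep:risk:file"),
    (re.compile(r"\bAdministrator\b.*\blog(?:ged)? on", re.I), "symantec:ep:admin:file"),
    (re.compile(r"\bpolicy\b.*\bapplied\b", re.I), "symantec:ep:policy:file"),
]

# Catch-all so that lines no rule recognises are still indexed and visible
# (a missing sourcetype is far easier to notice in a search than a dropped line).
DEFAULT_SOURCETYPE = "symantec:ep:unclassified"

# Constructed sample lines in the shape rsyslog's default template produces
# (timestamp, host, tag, message). Not real SEP output.
SAMPLE_LINES = [
    "Jan 12 10:15:02 SymantecServer SymantecServer: Scan started on all drives and all extensions.",
    "Jan 12 10:16:40 SymantecServer SymantecServer: Security risk found,Computer name: WS-17,Source: Auto-Protect scan",
    "Jan 12 10:20:05 SymantecServer SymantecServer: Administrator admin logged on successfully from 192.0.2.10",
    "Jan 12 10:21:11 SymantecServer SymantecServer: Policy applied to client group My Company",
    "Jan 12 10:22:00 SymantecServer SymantecServer: Some message that no rule matches yet",
]


def classify(line: str) -> str:
    """Return the sourcetype the first matching rule assigns, else the catch-all."""
    for pattern, sourcetype in RULES:
        if pattern.search(line):
            return sourcetype
    return DEFAULT_SOURCETYPE


def classify_lines(lines: List[str]) -> Dict[str, int]:
    """Count how many lines land in each sourcetype; a large unclassified
    bucket after a test run means the rule set still has gaps."""
    return dict(Counter(classify(line) for line in lines))


def render_transforms(rules: List[Tuple[re.Pattern, str]], prefix: str = "sep_set_") -> str:
    """Emit transforms.conf stanzas equivalent to RULES. Splunk's REGEX is PCRE,
    so the case-insensitive flag is expressed as an inline (?i)."""
    out = []
    for n, (pattern, sourcetype) in enumerate(rules, 1):
        flag = "(?i)" if pattern.flags & re.I else ""
        out.append(f"[{prefix}{n}]")
        out.append(f"REGEX = {flag}{pattern.pattern}")
        out.append(f"FORMAT = sourcetype::{sourcetype}")
        out.append("DEST_KEY = MetaData:Sourcetype")
        out.append("")
    return "\n".join(out)


def render_props_transforms_line(rules: List[Tuple[re.Pattern, str]], prefix: str = "sep_set_") -> str:
    """The TRANSFORMS- line that references every stanza, in rule order."""
    names = ", ".join(f"{prefix}{n}" for n in range(1, len(rules) + 1))
    return f"TRANSFORMS-sep = {names}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):28s} {line}")
    print(classify_lines(SAMPLE_LINES))
    print("\n# props.conf, under the placeholder sourcetype given to the monitored file")
    print(render_props_transforms_line(RULES))
    print("\n# transforms.conf")
    print(render_transforms(RULES))
```

In props.conf the TRANSFORMS- line goes under the stanza for the placeholder sourcetype assigned in inputs.conf (for example a stanza named for that sourcetype, with the monitor input for the daily file setting sourcetype to the same name). Because the override happens at parse time, it must live on the indexer or heavy forwarder that parses the data, not on a universal forwarder.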
