Channel: Latest Questions on Splunk Answers

Symantec Endpoint Protection 12 App


Hi Splunkers,

We used to have SEP 11 and using the app below works fine with Splunk.

http://splunk-base.splunk.com/answers/43518/symantec-endpoint-protection

After upgrading to SEP 12, the syslog format has been changed and the app has become unusable. The fields are no longer recognized, therefore our scheduled reports and dashboards are no longer firing. Does anyone have a SEP 12 app that can be shared with the community?

Below are the differences in the SEP 11 and 12 syslog formats we've seen.

SEP 11 Syslog Format:

==========================================================================================

Aug 14 08:25:53 10.1.107.21 Aug 14 08:29:25 SymantecServer ORGSEP001: Virus found,Computer name: ORG-USER-NB,Source: Manual Quarantine,Risk name: IRC Trojan,Occurrences: 1,c:UsersUSERAppDataLocalTempVBRF3C.exe,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Left alone,Event time: 2012-08-14 05:18:10,Inserted: 2012-08-14 05:29:25,End: 2012-08-14 05:18:04,Domain: ORG-COM,Group: My CompanyLaptopsWebSence CR100249,Server: ORGSEP001,User: USER,Source computer: ,Source IP: 0.0.0.0

==========================================================================================

SEP 12 Syslog Format:

==========================================================================================

Oct 4 12:28:22 10.1.107.21 Oct 4 12:20:13 SymantecServer ORGSEP001: Virus found,IP Address: 10.100.1.164,Computer name: ORG-USER-PC,Source: Real Time Scan,Risk name: ALS.Kenilfe,Occurrences: 1,C:WindowsTemp506caddf.qsp,"",Actual action: Left alone,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2012-10-04 09:01:36,Inserted: 2012-10-04 09:20:13,End: 2012-10-04 09:01:35,Last update time: 2012-10-04 09:20:13,Domain: ORG-COM,Group: My CompanyDesktops_SEP_12,Server: ORGSEP002,User: SYSTEM,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,0,Application hash: 97B94A2B0916FB933F9E4BBC9EAB9BB48B5237AB3151993010768249332021D0,Hash type: SHA2,Company name: ,Application name: 506188d3.qsp,Application version: ,Application type: Trojan Worm,File size (bytes): 9922

==========================================================================================

Thanks
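The two sample lines above show why the SEP 11 field extractions break: SEP 12 inserts a new labelled field ("IP Address") before "Computer name", appends a long tail of reputation fields, and keeps several unlabelled positional tokens (the file path, an empty quoted field, a bare "0") in between. The following is an added example, not code from the question or from the SEP app it links to. It parses both quoted lines in a format-tolerant way: the syslog header is matched with a regex, the body is split as a comma-separated record, every "Label: value" token becomes a field with a normalized name (my own naming convention, e.g. "File size (bytes)" becomes file_size_bytes), and unlabelled tokens are collected positionally. The assumption that the first positional token is the detected file's path is inferred from the two samples only; the sample lines are copied from the question (the hostnames, IPs and hash are the poster's values), so the same code can show which field names are new in SEP 12.

```python
import csv
import re
from typing import Dict, List, Tuple

# Sample input taken verbatim from the two syslog lines quoted in the question
# (constructed test data for this example; the values are the poster's placeholders).
SEP11_LINE = (
    "Aug 14 08:25:53 10.1.107.21 Aug 14 08:29:25 SymantecServer ORGSEP001: "
    "Virus found,Computer name: ORG-USER-NB,Source: Manual Quarantine,"
    "Risk name: IRC Trojan,Occurrences: 1,c:UsersUSERAppDataLocalTempVBRF3C.exe,\"\","
    "Actual action: Left alone,Requested action: Cleaned,Secondary action: Left alone,"
    "Event time: 2012-08-14 05:18:10,Inserted: 2012-08-14 05:29:25,"
    "End: 2012-08-14 05:18:04,Domain: ORG-COM,Group: My CompanyLaptopsWebSence CR100249,"
    "Server: ORGSEP001,User: USER,Source computer: ,Source IP: 0.0.0.0"
)

SEP12_LINE = (
    "Oct 4 12:28:22 10.1.107.21 Oct 4 12:20:13 SymantecServer ORGSEP001: "
    "Virus found,IP Address: 10.100.1.164,Computer name: ORG-USER-PC,"
    "Source: Real Time Scan,Risk name: ALS.Kenilfe,Occurrences: 1,"
    "C:WindowsTemp506caddf.qsp,\"\",Actual action: Left alone,Requested action: Cleaned,"
    "Secondary action: Quarantined,Event time: 2012-10-04 09:01:36,"
    "Inserted: 2012-10-04 09:20:13,End: 2012-10-04 09:01:35,"
    "Last update time: 2012-10-04 09:20:13,Domain: ORG-COM,Group: My CompanyDesktops_SEP_12,"
    "Server: ORGSEP002,User: SYSTEM,Source computer: ,Source IP: ,"
    "Disposition: Reputation was not used in this detection.,Download site: ,"
    "Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,"
    "Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,"
    "First Seen: Reputation was not used in this detection.,Sensitivity: ,0,"
    "Application hash: 97B94A2B0916FB933F9E4BBC9EAB9BB48B5237AB3151993010768249332021D0,"
    "Hash type: SHA2,Company name: ,Application name: 506188d3.qsp,"
    "Application version: ,Application type: Trojan Worm,File size (bytes): 9922"
)

# Syslog header: relay timestamp, relay IP, SEPM timestamp, "SymantecServer <host>: <event type>,"
HEADER_RE = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<relay>\S+) "
    r"(?P<sepm_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"SymantecServer (?P<sepm_host>[^:]+): "
    r"(?P<event_type>[^,]*),(?P<body>.*)$"
)

# A labelled token is "Label: value" (value may be empty). Labels contain letters,
# digits, spaces and parentheses; a drive letter like "c:Users..." does not qualify
# because no space follows the colon, so it falls through as a positional token.
LABELLED_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ()_]*):(?: (?P<value>.*))?$")


def normalize_key(key: str) -> str:
    """Turn 'File size (bytes)' into 'file_size_bytes' (this example's own naming convention)."""
    return re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")


def parse_sep_event(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (labelled fields, positional tokens) for one SEPM syslog line (SEP 11 or 12)."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a SymantecServer syslog line: %r" % line[:60])
    fields = {k: m.group(k) for k in ("syslog_time", "relay", "sepm_time", "sepm_host", "event_type")}
    positional: List[str] = []
    # csv handles the quoted empty field ("") and would also handle quoted commas.
    for token in next(csv.reader([m.group("body")])):
        lm = LABELLED_RE.match(token)
        if lm:
            fields[normalize_key(lm.group("key"))] = lm.group("value") or ""
        else:
            positional.append(token)
    # Assumption from the two samples: the first unlabelled token is the detected file's path.
    if positional:
        fields["file_path"] = positional[0]
    return fields, positional


def schema_diff(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Field names present only in a, and only in b: shows what an SEP 11 extraction misses."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    f11, _ = parse_sep_event(SEP11_LINE)
    f12, _ = parse_sep_event(SEP12_LINE)
    only11, only12 = schema_diff(f11, f12)
    print("fields common to both:", sorted(set(f11) & set(f12)))
    print("fields only in SEP 12:", only12)
    print("SEP 12 detected file:", f12["file_path"], "hash:", f12.get("application_hash"))
```

Run as-is, it reports that every SEP 11 field still appears in the SEP 12 line and lists the additions (ip_address, application_hash, hash_type, disposition and the other reputation fields), which is the list a rewritten extraction needs to cover. Because the parser keys on labels rather than on column positions, the inserted "IP Address" field and the extra trailing fields do not shift any existing extraction; the only positional assumption is the file path, and the unlabelled tokens are kept in a list so that assumption can be checked against other event types before it is relied on in reports.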

