Vendor - Broadcom
Broadcom products are inclusive of products formerly marketed under Symantec and Bluecoat brands.
Product - SSL Visibility Appliance
Ref |
Link |
Splunk Add-on |
None |
Product Manual |
https://knowledge.broadcom.com/external/article/168879/when-sending-session-logs-from-ssl-visib.html |
Sourcetypes
sourcetype |
notes |
broadcom:sslva |
none |
Product - Symantec Endpoint Protection
Ref |
Link |
Splunk Add-on |
https://splunkbase.splunk.com/app/2772/ |
Product Manual |
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html |
Index Configuration
key |
index |
notes |
broadcom_sslva |
netproxy |
none |
Filter type
MSG Parse: This filter parses message content
Options
Variable |
default |
description |
SC4S_LISTEN_SYMANTEC_EP_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_SYMANTEC_EP_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_SYMANTEC_EP |
no |
Enable archive to disk for this specific source |
SC4S_DEST_SYMANTEC_EP_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active server will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=symantec:ep:*:syslog | stats count by host
Sourcetypes
sourcetype |
notes |
symantec:ep:syslog |
Warning the syslog method of accepting EP logs has been reported to show high data loss and is not Supported by Splunk |
symantec:ep:admin:syslog |
none |
symantec:ep:agent:syslog |
none |
symantec:ep:agt:system:syslog |
none |
symantec:ep:behavior:syslog |
none |
symantec:ep:packet:syslog |
none |
symantec:ep:policy:syslog |
none |
symantec:ep:proactive:syslog |
none |
symantec:ep:risk:syslog |
none |
symantec:ep:scan:syslog |
none |
symantec:ep:scm:system:syslog |
none |
symantec:ep:security:syslog |
none |
symantec:ep:traffic:syslog |
none |
Index Configuration
key |
index |
notes |
symantec_ep |
epav |
none |
Filter type
MSG Parse: This filter parses message content
Options
Variable |
default |
description |
SC4S_LISTEN_SYMANTEC_EP_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_SYMANTEC_EP_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_SYMANTEC_EP |
no |
Enable archive to disk for this specific source |
SC4S_DEST_SYMANTEC_EP_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active server will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=symantec:ep:*:syslog | stats count by host
Product - ProxySG/ASG (Bluecoat)
Ref |
Link |
Splunk Add-on |
https://splunkbase.splunk.com/app/2758/ |
Product Manual |
https://support.symantec.com/us/en/article.tech242216.html |
Sourcetypes
sourcetype |
notes |
bluecoat:proxysg:access:kv |
Requires version TA 3.6 |
Sourcetype and Index Configuration
key |
sourcetype |
index |
notes |
bluecoat_proxy |
bluecoat:proxysg:access:kv |
netproxy |
none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
- Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- Select TCP or SSL transport option
- Ensure the format of the event is customized as follows
<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) c-uri-pathquery=$(c-uri-pathquery)
Options
Variable |
default |
description |
SC4S_LISTEN_SYMANTEC_PROXY_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_SYMANTEC_PROXY_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_SYMANTEC_PROXY |
no |
Enable archive to disk for this specific source |
SC4S_DEST_SYMANTEC_PROXY_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active proxy will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=bluecoat:proxysg:access:kv | stats count by host
Product - Mail Gateway (Brightmail)
Ref |
Link |
Splunk Add-on |
TBD |
Product Manual |
https://support.symantec.com/us/en/article.howto38250.html |
Sourcetypes
sourcetype |
notes |
symantec:smg |
Requires version TA 3.6 |
Sourcetype and Index Configuration
key |
sourcetype |
index |
notes |
symantec_brightmail |
symantec:smg |
email |
none |
Filter type
MSG Parse: This filter parses message content
Setup and Configuration
- No TA available
- Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
- Refer to the Splunk TA documentation for the specific customer format required for proxy configuration
- Select TCP or SSL transport option
- Ensure the format of the event is customized per Splunk documentation
Options
Variable |
default |
description |
SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_TCP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_SYMANTEC_BRIGHTMAIL_UDP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_SYMANTEC_BRIGHTMAIL |
no |
Enable archive to disk for this specific source |
SC4S_DEST_SYMANTEC_BRIGHTMAIL_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
SC4S_SOURCE_FF_SYMANTEC_BRIGHTMAIL_GROUPMSG |
yes |
Email processing events generated by the bmserver process will be grouped by host+program+pid+msg ID into a single event |
### Verification |
|
|
An active mail server will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=symantec:smg | stats count by host
Product - Data Loss Prevention
Ref |
Link |
Splunk Add-on Symatec DLP |
https://splunkbase.splunk.com/app/3029/ |
Add-on Manual |
http://docs.splunk.com/Documentation/AddOns/latest/SymantecDLP/About |
Sourcetypes
sourcetype |
notes |
symantec:dlp:syslog |
None |
Index Configuration
key |
sourcetype |
index |
notes |
symantec_dlp |
symantec:dlp:syslog |
netauth |
none |
Filter type
MSG Parse: This filter parses message content
Options
Variable |
default |
description |
SC4S_LISTEN_SYMANTEC_DLP_UDP_PORT |
empty string |
Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_SYMANTEC_DLP_TCP_PORT |
empty string |
Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_SYMANTEC_DLP |
no |
Enable archive to disk for this specific source |
SC4S_DEST_SYMANTEC_DLP_HEC |
no |
When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification
An active mail server will generate frequent events. Use the following search to validate events are present per source device
index=<asconfigured> sourcetype=symantec:dlp:syslog | stats count by host