Hello,
We lost over a month trying to figure out why we could not get SEPM logs to be processed. We have everything set as in the TechNote for SEPM, SpanVA is working OK and sending logs to CloudSOC, but we always end up with the error "Input file does not contain log messages required by Audit". In the end we found that the flex definition for SEPM is for an old version of SEPM, and to make it work you will need to create a new Data Source with a custom (Elastica Flex) config. Here is the one that works for us (SEP 14.2):
{
  "datetime_format": "yyyy-MM-dd HH:mm:ss",
  "dst_rex": ",Remote Host IP: ((?:[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.)[0-9][0-9]*[0-9]*)",
  "action_rex": "Action: (.*?)$",
  "user_rex": ",User Name: (.*?),",
  "bytes_val": "1",
  "url_rex": "Remote.*?Remote Host Name:(.*?),Remote.*?,Remote.*?,",
  "logformat": "rex",
  "src_rex": ",Local Host IP: ((?:[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.)[0-9][0-9]*[0-9]*)",
  "trim_tokens": "true",
  "datetime_rex": ",End Time: (.*?),",
  "action_blockedmatch": "Blocked"
}
The problem with the original one is that the RegEx could not "catch" Remote:, Local:, etc., since in the syslog from the SEPM server those fields are not "Remote:" and "Local:" but "Remote Host IP:" and "Local Host IP:".
For me, it is strange that Broadcom/Symantec did not update the support/connector/data source for their own product, SEPM, and even more so that no one else has a problem with connecting SEPM over SpanVA with CloudSOC?
Vladimir Vucinic
------------------------------
Net++ technology d.o.o.
------------------------------
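A quick way to check a Flex definition like the one above before loading it into CloudSOC is to run its regexes over a sample line of your own SEPM syslog and see which fields come back empty. The following is an added example, not code from the post or from Symantec/Broadcom; it loads the JSON exactly as posted, applies each `*_rex` with Python's `re` (the Flex engine's own regex dialect is assumed to be compatible for these simple patterns), and reports any field that fails to match, which is what the "Input file does not contain log messages required by Audit" error boils down to. The sample log line is constructed to follow the "Field Name: value" comma-separated style the post describes; the host names, IPs and user are placeholders, and the mapping of the Java-style `datetime_format` to `strptime` covers only the one format used here.

```python
import json
import re
from datetime import datetime

# The Elastica Flex definition from the post (SEP 14.2), loaded from the JSON text
# exactly as it would be pasted into the custom Data Source config field.
FLEX_CONFIG_JSON = '''{"datetime_format":"yyyy-MM-dd HH:mm:ss","dst_rex":",Remote Host IP: ((?:[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.)[0-9][0-9]*[0-9]*)","action_rex":"Action: (.*?)$","user_rex":",User Name: (.*?),","bytes_val":"1","url_rex":"Remote.*?Remote Host Name:(.*?),Remote.*?,Remote.*?,","logformat":"rex","src_rex":",Local Host IP: ((?:[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.[0-9][0-9]*[0-9]*.)[0-9][0-9]*[0-9]*)","trim_tokens":"true","datetime_rex":",End Time: (.*?),","action_blockedmatch":"Blocked"}'''
FLEX_CONFIG = json.loads(FLEX_CONFIG_JSON)

# Constructed sample line (not a real capture) in the "Remote Host IP:" / "Local Host IP:"
# labelled style the post says SEPM 14.2 actually emits. All values are placeholders.
SAMPLE_LINE = (
    "Jan  5 10:00:01 sepm01 SymantecServer: site01,Local Host IP: 10.0.0.5,"
    "Local Host MAC: 00-11-22-33-44-55,Remote Host IP: 203.0.113.7,"
    "Remote Host Name: download.example,Remote Host MAC: 66-77-88-99-AA-BB,"
    "Remote Port: 443,Inbound,TCP,Begin Time: 2024-01-05 09:59:58,"
    "End Time: 2024-01-05 10:00:00,Occurrences: 1,Application: chrome.exe,"
    "User Name: jdoe,Domain Name: CORP,Action: Blocked"
)

# Assumption: only the Java-style pattern used by this config is translated to strptime.
JAVA_TO_STRPTIME = {"yyyy-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S"}

# The *_rex keys a "rex" Flex definition is expected to resolve on every line.
FIELD_KEYS = ("src_rex", "dst_rex", "user_rex", "url_rex", "action_rex", "datetime_rex")


def extract(config, line):
    """Apply each regex in the Flex config to one log line.

    Returns a dict keyed by field name (src, dst, user, url, action, datetime);
    a field whose regex does not match is None, so a caller can see at a glance
    which part of the definition disagrees with the real log format.
    """
    trim = config.get("trim_tokens") == "true"
    fields = {}
    for key in FIELD_KEYS:
        match = re.search(config[key], line)
        value = match.group(1) if match else None
        if value is not None and trim:
            value = value.strip()          # trim_tokens: drop the space after "Label:"
        fields[key[: -len("_rex")]] = value
    if fields["datetime"] is not None:
        fmt = JAVA_TO_STRPTIME[config["datetime_format"]]
        fields["datetime"] = datetime.strptime(fields["datetime"], fmt)
    # action_blockedmatch decides whether the event counts as blocked traffic.
    fields["blocked"] = fields["action"] == config.get("action_blockedmatch")
    fields["bytes"] = int(config.get("bytes_val", "0"))
    return fields


def missing_fields(config, line):
    """Names of fields the config could not extract from the line (empty list = line is usable)."""
    return [name for name, value in extract(config, line).items() if value is None]


def old_style_labels_present(line):
    """Illustrative check for the bare 'Remote:' / 'Local:' labels the post says the stock
    definition was keyed on; False on a SEPM 14.2 line explains why the stock config failed."""
    return re.search(r",Remote: ", line) is not None and re.search(r",Local: ", line) is not None


if __name__ == "__main__":
    parsed = extract(FLEX_CONFIG, SAMPLE_LINE)
    for name, value in parsed.items():
        print(f"{name:>9}: {value}")
    print("missing fields:", missing_fields(FLEX_CONFIG, SAMPLE_LINE))
    print("old 'Remote:'/'Local:' labels present:", old_style_labels_present(SAMPLE_LINE))
```

Run it against a few real lines exported from your own SEPM server (replacing `SAMPLE_LINE`) and fix any regex that shows up in `missing_fields` before creating the Data Source; a definition that leaves `src`, `dst` or `datetime` as None will be rejected by the audit import just as the stock one was.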