Troubleshoot syslog consumption
If data does not populate in the syslog dashboard, do the following:
- If your organization uses a distributed Splunk environment, verify that syslog consumption is configured on the forwarder and that the Splunk environment is running version 7.2 or later.
- Verify that the latest version of the CylancePROTECT Application for Splunk is installed on the Splunk search head and that the matching version of the technology add-on is installed on the indexers and forwarders.
- Verify that the index name is either cylance_protect or protect, to match the inputs.conf file.
- Verify that the incoming source type defined in inputs.conf is syslog_protect.
- Confirm that the eventtypes.conf file, which populates the dashboards, has not been altered.
- Verify that the macro cylance_index, which searches for Cylance data, has not been altered.
- On the Splunk home page, in the vertical menu bar, click Search & Reporting. Set the time preset to All Time (real-time), then run the search eventtype=cylance_index sourcetype=syslog*.
Actions to resolve
- No data is returned.
- Data is returned but is illegible: verify that the TLS configuration is consistent in the Cylance console and in Splunk. For example, the TLS/SSL check box is selected in the Cylance console and tcp-ssl is used in the
- Data is only returned from the syslog_protect source type: verify that the app is installed on the forwarder and the search head so that props.conf and transforms.conf take effect and properly rename sourcetype=syslog_protect to another source type name, based on the content of the event.
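The inputs.conf, props.conf and transforms.conf fragments below are an added example written for this page; they are not the configuration shipped with the CylancePROTECT Application or its technology add-on. They tie together the checklist above (index name, syslog_protect source type, tcp-ssl listener) and the last row of the table (props/transforms renaming the source type). The listening port 6514, the certificate path and password placeholder, the regular expression, and the target source type name cylance_threat are all assumptions.

```ini
# ---- inputs.conf (on the forwarder or indexer that receives Cylance syslog) ----
#
# A plain-TCP listener is what produces "data is returned but is illegible"
# when the TLS/SSL check box is selected in the Cylance console: encrypted
# TLS records land on a port that expects clear-text syslog. Do NOT use this:
#
# [tcp://6514]
# index = cylance_protect
# sourcetype = syslog_protect
#
# Use a tcp-ssl stanza instead so Splunk terminates TLS itself.
# Port 6514 is an assumption; use whatever port the Cylance console sends to.
[tcp-ssl://6514]
# Must be cylance_protect or protect so the cylance_index macro finds the data.
index = cylance_protect
# Must be syslog_protect so the props.conf stanza below keys on it.
sourcetype = syslog_protect
disabled = 0

# Server certificate used by every tcp-ssl listener (path and password are
# hypothetical placeholders).
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/syslog_server.pem
sslPassword = <certificate_password>
requireClientCert = false

# ---- props.conf (must exist on the tier that parses events) ----
#
# Index-time source type renaming only happens where props.conf and
# transforms.conf are present. If they are missing there, every event keeps
# sourcetype=syslog_protect, which is the symptom in the last table row.
[syslog_protect]
TRANSFORMS-cylance_sourcetype = cylance_set_threat_sourcetype

# ---- transforms.conf ----
#
# Rename the source type based on event content. The regular expression and
# the target name cylance_threat are assumptions for this example, not the
# add-on's own values.
[cylance_set_threat_sourcetype]
REGEX = Event Type:\s*Threat
FORMAT = sourcetype::cylance_threat
DEST_KEY = MetaData:Sourcetype
```

After editing these files, restart Splunk and re-run the checklist search (eventtype=cylance_index sourcetype=syslog*) over All Time (real-time). Events that match the transform should now appear under the renamed source type; if every event still reports sourcetype=syslog_protect, the props/transforms pair is not installed on the tier that parses the data.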