Troubleshoot syslog consumption

If data does not populate in the syslog dashboard, do the following:
  • If your organization uses a distributed Splunk environment, verify that syslog consumption is configured on the forwarder and that the Splunk environment is running on version 7.2 or later.
  • Verify that the latest version of the CylancePROTECT Application for Splunk is installed on the Splunk search head and that the matching version of the technology add-on is installed on indexers and forwarders.
  • Verify that the index name is either cylance_protect or protect, to match the inputs.conf file.
  • Verify that the incoming source type defined in inputs.conf is syslog_protect.
  • Confirm that the eventtype.conf file, which populates the dashboards, has not been altered.
  • Verify that the macro cylance_index, which searches for Cylance data, has not been altered.
  • On the Splunk homepage, in the vertical menu bar, click Search & Reporting. Set the time preset to All Time (real-time), then run the search eventtype=cylance_index sourcetype=syslog*.
Outcome: No data is returned.
Actions to resolve:
  • Click Test Connection in the Cylance console. You should see a Test Connection Successful message.
  • Verify that the port is open to receive syslog data. For example, for port 651, you should use the netstat -an | grep 6514 command.
  • Confirm that no network or host firewalls are blocking traffic. You may need to configure layer 7 firewalls to receive TLS/SSL traffic.
  • Use a packet sniffer to verify that syslog is successfully connected and that data is passing through your networks.
  • If the Splunk environment uses a syslog daemon to write the data to a file first, ensure that the data is being written to the file as expected.

Outcome: Data is returned but is illegible.
Actions to resolve:
  • Verify that the TLS configuration is consistent in the Cylance console and in Splunk. For example, if the TLS/SSL check box is selected in the Cylance console, then tcp-ssl must be used in the Splunk inputs.conf file.

Outcome: Data is only returned from the syslog_protect source type.
Actions to resolve:
  • Verify that the app is installed on the forwarder and search head so that props.conf and transforms.conf take effect and properly rename sourcetype=syslog_protect to another source type name, based on the content of the event.
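The following script is an added example, not code from BlackBerry or from the CylancePROTECT Application for Splunk. It turns the checks above into a small linter for a Splunk inputs.conf: the index must be cylance_protect or protect, the incoming source type must be syslog_protect, and the network stanza must be tcp-ssl when the TLS/SSL check box is selected in the Cylance console (and plain tcp when it is not), which is the mismatch that produces illegible data. The sample inputs.conf text, the port numbers in it, and the function names are constructed for this example and are not the app's packaged configuration.

```python
"""Lint Splunk inputs.conf stanzas against the CylancePROTECT syslog checklist.

Added example; not part of the BlackBerry documentation or the Splunk app.
"""
import configparser
import io

EXPECTED_INDEXES = {"cylance_protect", "protect"}
EXPECTED_SOURCETYPE = "syslog_protect"
NETWORK_SCHEMES = ("tcp", "tcp-ssl", "udp")

# Constructed sample inputs.conf. The first stanza is deliberately wrong on
# every point; the second is correct for a console with TLS/SSL enabled.
# Ports 6514/6515 are assumptions, not values from the app's packaged file.
SAMPLE_INPUTS_CONF = """\
[tcp://6514]
index = cylanceprotect
sourcetype = syslog

[tcp-ssl://6515]
index = protect
sourcetype = syslog_protect
"""


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for Splunk-style 'key = value' stanzas."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_file(io.StringIO(text))
    return {name: dict(parser[name]) for name in parser.sections()}


def check_stanza(name, settings, console_tls_enabled):
    """Return a list of findings (strings) for one network input stanza."""
    findings = []
    scheme = name.split("://", 1)[0]
    if scheme not in NETWORK_SCHEMES:
        return findings  # not a tcp/tcp-ssl/udp input; nothing to check here

    index = settings.get("index")
    if index not in EXPECTED_INDEXES:
        findings.append(f"{name}: index {index!r} is not cylance_protect or protect")

    sourcetype = settings.get("sourcetype")
    if sourcetype != EXPECTED_SOURCETYPE:
        findings.append(f"{name}: sourcetype {sourcetype!r} is not {EXPECTED_SOURCETYPE}")

    # TLS on one side only: Splunk ingests the raw TLS bytes or the console
    # sends plaintext to a TLS listener. Either way the dashboards show junk.
    if console_tls_enabled and scheme != "tcp-ssl":
        findings.append(f"{name}: console sends TLS/SSL but stanza is {scheme}, expected tcp-ssl")
    if not console_tls_enabled and scheme == "tcp-ssl":
        findings.append(f"{name}: stanza is tcp-ssl but console TLS/SSL is off")
    return findings


def lint_inputs_conf(text, console_tls_enabled=True):
    """Lint every stanza; an empty list means the file matches the checklist."""
    findings = []
    for name, settings in parse_inputs_conf(text).items():
        findings.extend(check_stanza(name, settings, console_tls_enabled))
    return findings


if __name__ == "__main__":
    problems = lint_inputs_conf(SAMPLE_INPUTS_CONF, console_tls_enabled=True)
    for problem in problems:
        print(problem)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
```

Run it against the real file (for example $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf, path assumed) by reading the file into lint_inputs_conf and passing console_tls_enabled to match the check box in the Cylance console. The linter only covers the settings named in the checklist; it does not replace the Test Connection check or the netstat listener check above.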