Troubleshoot Syslog consumption
SplunkSyslog data if the dashboards do not populate.
- If in a distributedSplunkenvironment, ensure that you are configuring syslog consumption on the Forwarder and that theSplunkenvironment is running version 6.2 or higher.
- Ensure the latest version of the app is installed on theSplunkSearch Head. Ensure the matching version of the TA is installed on Indexers and Forwarder.If the Threat Data Report (TDR) is desired, a Heavy Forwarder will be required due to scripted inputs.
- Ensure the index name is eithercylance_protect(preferred) orprotectto match the inputs.conf file.
- Ensure the incoming sourcetype defined in inputs.conf issyslog_protect.
- Ensure eventtypes.conf has not been altered since this populates the dashboards. Then ensure that the macro cylance_index has not been altered as this needs to search the index that containsCylancedata – usually cylance_protect or protect.
- Go toSplunksearch box, select All Time, then type:eventtype=cylance_index sourcetype=syslog*If no data is returned (example: no results found for this particular query):
- Click Test Connection hyperlink in theBlackBerrytenant. You should see Test Connection Successful.
- Ensure port is open to receive syslog data. For example, assuming 6514 is being used,netstat – an | grep 6514.
- Ensure no network or host firewalls are blocking traffic. Layer 7 firewalls may need to be told to expect TLS/SSL traffic.
If data is returned but is illegible (example: boxes instead of text):
- Use a packet sniffer such as Wireshark to verify the connection is made and data is passed.
- If using a syslog daemon to write the data to a file first, ensure data is being written to the file.
- Go toSplunksearch box select All Time, then type:eventtype=cylance_index sourcetype=syslog*
If only syslog_protect data is returned and no other sourcetype (examples: syslog_app_control, syslog_audit_log, or syslog_devices):
- Ensure TLS matches in tenant andSplunk. For example: TLS/SSL checkbox is checked in theBlackBerrytenant and tcp-ssl is used in the Splunk inputs.conf file.
- Ensure the app is installed on the forwarder and search head so the props.conf and transforms.conf take effect and properly renamesourcetype=syslog_protectto another sourcetype name, based on the content of the event.