Troubleshoot Syslog consumption

Troubleshoot the Cylance Splunk Syslog data if the dashboards do not populate.
  1. If in a distributed Splunk environment, ensure that you are configuring syslog consumption on the Forwarder and that the Splunk environment is running version 6.2 or higher.
  2. Ensure the latest version of the app is installed on the Splunk Search Head, and that the matching version of the TA is installed on the Indexers and Forwarder. If the Threat Data Report (TDR) is desired, a Heavy Forwarder is required because the TDR relies on scripted inputs.
  3. Ensure the index name is either cylance_protect (preferred) or protect, to match the inputs.conf file.
  4. Ensure the incoming sourcetype defined in inputs.conf is syslog_protect.
  5. Ensure eventtypes.conf has not been altered, since it populates the dashboards. Then ensure that the macro cylance_index has not been altered, as it needs to search the index that contains Cylance data, usually cylance_protect or protect.
  6. Go to the Splunk search box, select All Time, then type:
     eventtype=cylance_index sourcetype=syslog*
     If no data is returned (for example, "no results found for this particular query"):
    1. Click the Test Connection hyperlink in the BlackBerry tenant. You should see Test Connection Successful.
    2. Ensure the port is open to receive syslog data. For example, assuming 6514 is being used:
       netstat -an | grep 6514
    3. Ensure no network or host firewalls are blocking traffic. Layer 7 firewalls may need to be told to expect TLS/SSL traffic.
    • Use a packet sniffer such as Wireshark to verify the connection is made and data is passed.
    • If using a syslog daemon to write the data to a file first, ensure data is being written to the file.
    • Go to the Splunk search box, select All Time, then type:
      eventtype=cylance_index sourcetype=syslog*
    If data is returned but is illegible (for example, boxes instead of text):
    1. Ensure the TLS setting matches in the tenant and in Splunk. For example: the TLS/SSL checkbox is checked in the BlackBerry tenant and tcp-ssl is used in the Splunk inputs.conf file. A plain tcp listener receiving TLS records (or a tcp-ssl listener receiving plaintext) produces exactly this kind of unreadable data.
    If only syslog_protect data is returned and no other sourcetype (for example syslog_app_control, syslog_audit_log, or syslog_devices):
    1. Ensure the app is installed on the forwarder and search head so that props.conf and transforms.conf take effect and rename sourcetype=syslog_protect to another sourcetype name based on the content of the event.
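The following shell script is an added example, not part of the Cylance Splunk app or of BlackBerry's documentation. It checks steps 3 and 4 and the TLS-mismatch case above against a Splunk inputs.conf: it parses the first [tcp://PORT] or [tcp-ssl://PORT] stanza, confirms the index is cylance_protect or protect and the sourcetype is syslog_protect, and flags a listener whose scheme disagrees with the tenant's TLS/SSL checkbox. The two sample inputs.conf files are constructed (one corrected, one with the common plain-tcp/wrong-index mistake); the listener_open and tls_probe helpers assume ss or netstat and openssl are present on the forwarder.

```shell
#!/bin/sh
# Added example (not Cylance/BlackBerry code): validate the syslog listener
# stanza of a Splunk inputs.conf against the troubleshooting steps above.

# parse_syslog_stanza FILE
# Prints "scheme port index sourcetype" for the first [tcp://...] or
# [tcp-ssl://...] stanza ("-" for a missing key); exits 1 if there is none.
parse_syslog_stanza() {
    awk '
        { sub(/[ \t\r]+$/, "") }                    # tolerate CRLF / trailing blanks
        /^\[/ {
            if (seen) { in_stanza = 0; next }        # only the first listener stanza
            in_stanza = ($0 ~ /^\[tcp(-ssl)?:\/\//)
            if (in_stanza) {
                hdr = substr($0, 2, length($0) - 2)  # strip [ and ]
                split(hdr, h, "://"); scheme = h[1]; port = h[2]; seen = 1
            }
            next
        }
        in_stanza && /^[ \t]*index[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); idx = $0 }
        in_stanza && /^[ \t]*sourcetype[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); st  = $0 }
        END {
            if (!seen) exit 1
            printf "%s %s %s %s\n", scheme, port, (idx == "" ? "-" : idx), (st == "" ? "-" : st)
        }
    ' "$1"
}

# check_inputs_conf FILE TENANT_TLS
# TENANT_TLS is "yes" if the TLS/SSL box is checked in the BlackBerry tenant,
# "no" otherwise. Prints one line per mismatch; returns 0 only if all agree.
check_inputs_conf() {
    file=$1; tenant_tls=$2; rc=0
    set -- $(parse_syslog_stanza "$file")
    if [ $# -ne 4 ]; then
        echo "no [tcp://] or [tcp-ssl://] stanza found in $file"
        return 1
    fi
    scheme=$1; port=$2; idx=$3; st=$4
    case $idx in
        cylance_protect|protect) ;;
        *) echo "index=$idx: expected cylance_protect (preferred) or protect"; rc=1 ;;
    esac
    if [ "$st" != syslog_protect ]; then
        echo "sourcetype=$st: expected syslog_protect"; rc=1
    fi
    if [ "$tenant_tls" = yes ] && [ "$scheme" != tcp-ssl ]; then
        echo "tenant sends TLS but stanza is [$scheme://$port]: use [tcp-ssl://$port] or events arrive as garbage"; rc=1
    elif [ "$tenant_tls" = no ] && [ "$scheme" = tcp-ssl ]; then
        echo "stanza is [tcp-ssl://$port] but tenant TLS/SSL is unchecked: handshake will fail"; rc=1
    fi
    return $rc
}

# listener_open PORT: the "netstat -an | grep PORT" check from step 2, with
# ss tried first (assumed available on modern Linux) and netstat as fallback.
listener_open() {
    { ss -ltn 2>/dev/null || netstat -an 2>/dev/null; } | grep -q ":$1[[:space:]]"
}

# tls_probe HOST PORT: quick handshake test (assumes openssl). A plain
# [tcp://] listener answers with non-TLS bytes and the handshake fails.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        grep -E 'Verify return code|wrong version number|alert'
}

# Constructed sample configs: the corrected stanza, then a common mismatch.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/good_inputs.conf" <<'EOF'
[tcp-ssl://6514]
index = cylance_protect
sourcetype = syslog_protect
disabled = 0
EOF
    cat > "$dir/bad_inputs.conf" <<'EOF'
[tcp://6514]
index = main
sourcetype = syslog_protect
disabled = 0
EOF
    echo "$dir"
}

# Walk through both files the way you would on the forwarder (tenant TLS on).
SAMPLES=$(write_sample_configs)
for f in "$SAMPLES/good_inputs.conf" "$SAMPLES/bad_inputs.conf"; do
    echo "== $f"
    if check_inputs_conf "$f" yes; then echo "ok"; fi
done
rm -rf "$SAMPLES"
```

Run it on the forwarder with the real path in place of the sample files (for example `check_inputs_conf $SPLUNK_HOME/etc/apps/<TA>/local/inputs.conf yes`), then `listener_open 6514` and `tls_probe <forwarder-host> 6514` from another host to cover the port and firewall checks. The script only reads inputs.conf; it does not touch eventtypes.conf or the cylance_index macro, which step 5 asks you to verify by hand.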