Critical System Protection

  • 1.  Symantec CSP FIM Component & Splunk

    Posted Feb 21, 2013 12:04 PM

    Hello,

    I am trying to find out if Symantec CSP's FIM component can feed into Splunk. Does anyone have any experience with this or know if this would be possible?

    According to Splunk, they can ingest any log file as long as it is in text format. Are the log files from the FIM in text format? Your response will be greatly appreciated.

    Thanks,


  • 2.  RE: Symantec CSP FIM Component & Splunk

    Posted Feb 21, 2013 12:34 PM

    Hi Tony,

    Events can be exported from the management server to a CSV-style file.  Log files are found on the agents and optionally sent to the management server.  These are also a CSV-type file.

    Does this help?



  • 3.  RE: Symantec CSP FIM Component & Splunk

    Posted Feb 21, 2013 02:36 PM

    Yes, very helpful. Thank you Will!



  • 4.  RE: Symantec CSP FIM Component & Splunk

    Posted Feb 22, 2013 02:23 PM

    Chuck is spot on... the best way would be to automate a feed directly from SQL into Splunk.

    As CSP leverages 'flex' fields and 'code' fields, presenting usable data in Splunk can be a challenge if you're not familiar with the CSP event field structure.

    It can be done... but it will require a little bit of effort to automate.  If you are going to pursue this path, feel free to ping me.



  • 5.  RE: Symantec CSP FIM Component & Splunk
    Best Answer

    Posted Feb 22, 2013 02:40 PM

    You can also query data directly from the CSPEVENT table in SQL.  There is a read-only SQL account (scsp_plugin) that SCSP creates at install that you can use to pull the data at a specified increment.  Because it is read-only, there is no risk to the database.

    A little more tricky method (and one that would require a DBA) is to create a database trigger that pushes the data.  This would result in the events being added to the 3rd-party tool in real time.
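An added example (not from the thread or from Symantec) of the incremental pull described above: poll the events table with nothing but SELECT, keep an EVENT_ID watermark so nothing is re-ingested, and write a CSV with a header row for a Splunk file monitor to pick up. The table layout, column names and sample rows are constructed for illustration; an in-memory SQLite database stands in for the SQL Server instance, so check the real CSPEVENT schema and use the TOP syntax on SQL Server.

```python
import csv
import io
import sqlite3

# Constructed sample rows; the CSPEVENT column names here are assumptions.
SAMPLE_ROWS = [
    (101, "2013-02-22 14:40:01", "File Watch", "hostA", "/etc/passwd modified"),
    (102, "2013-02-22 14:40:05", "File Watch", "hostB", "/etc/shadow modified"),
    (103, "2013-02-22 14:41:10", "Process", "hostA", "new process started"),
]

def make_db():
    """Stand-in for the SCSP database; SQLite replaces SQL Server here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CSPEVENT (EVENT_ID INTEGER, EVENT_DT TEXT, "
                 "EVENT_TYPE TEXT, AGENT_NAME TEXT, DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO CSPEVENT VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def pull_new_events(conn, last_event_id, batch_size=500):
    """Fetch events above the watermark, oldest first, in bounded batches.
    Only a SELECT is issued, which is all the read-only account needs."""
    cur = conn.execute(
        "SELECT EVENT_ID, EVENT_DT, EVENT_TYPE, AGENT_NAME, DESCRIPTION "
        "FROM CSPEVENT WHERE EVENT_ID > ? ORDER BY EVENT_ID LIMIT ?",
        (last_event_id, batch_size))
    return cur.fetchall()

def export_csv(rows, out):
    """Write a header plus rows so Splunk can name the fields on ingest."""
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["event_id", "event_time", "event_type", "agent", "description"])
    writer.writerows(rows)
    return len(rows)

def poll_once(conn, last_event_id, out):
    """One polling cycle: pull, export, advance the watermark.
    Returns the new watermark and the number of rows exported."""
    rows = pull_new_events(conn, last_event_id)
    if rows:
        export_csv(rows, out)
        last_event_id = rows[-1][0]
    return last_event_id, len(rows)

if __name__ == "__main__":
    buf = io.StringIO()
    print(poll_once(make_db(), 0, buf))
    print(buf.getvalue(), end="")
```

Persist the watermark between runs (a small state file is enough) so a restart of the collector never replays events already sent to Splunk.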



  • 6.  RE: Symantec CSP FIM Component & Splunk

    Posted Feb 22, 2013 04:26 PM

    Okay, sounds good. Thanks a lot for your contribution. Have a great weekend!



  • 7.  RE: Symantec CSP FIM Component & Splunk

    Posted Feb 28, 2013 05:59 AM

    I've done this implementation before. I created alerts to spit out CSV files onto the manager for a Splunk collector to interrogate; the advantage of using alerts is you get the information you want, not all of the fields, which might not be required with Splunk.