
Cb Defense: Collect Logs to Troubleshoot SPLUNK SIEM Connector Issues

Version

Cb Defense (formerly Confer) - All

Topic

This document describes how to collect the logs needed to troubleshoot Splunk SIEM Connector issues.

Splunk SIEM Connector Troubleshooting

Note:

Support does not usually ask customers to make this change, but if a System Admin can enable it and provide the resulting logs, troubleshooting will go faster.

LINUX SIEM Connector:

Debug Log:

In the confer_connector.py script:

/opt/splunk/etc/apps/confer_connector/bin/confer_connector.py

Modify

DEBUG_MODE = False

to

DEBUG_MODE = True

Note:

SPLUNK_HOME environment variable is normally set by default to:

/opt/splunk

The log files are located in:

Confer Connector log file

$SPLUNK_HOME/var/log/splunk/confer_connector.log

Cb Defense Add-On for Splunk log file

$SPLUNK_HOME/var/log/splunk/ta-cb_defense_cbdefense_XXXX.log (rotated copies: ta-cb_defense_cbdefense_XXXX.log.1, ta-cb_defense_cbdefense_XXXX.log.2, etc.)
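The Linux steps above (flip DEBUG_MODE in confer_connector.py, then gather the connector and add-on logs from $SPLUNK_HOME/var/log/splunk) can be scripted so that the change is reversible and the log bundle handed to support is complete. The following is an added example, not part of this article or of the Cb Defense connector itself. It assumes the file paths given above, GNU sed and tar, and that it is run as a user with write access to the Splunk app directory; the function names and the `.bak` backup convention are my own.

```shell
#!/bin/sh
# Added example (not from the original article): toggle the Linux SIEM
# connector's DEBUG_MODE flag and bundle its log files for support.
# Assumes the article's paths; SPLUNK_HOME defaults to /opt/splunk.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CONNECTOR="${CONNECTOR:-$SPLUNK_HOME/etc/apps/confer_connector/bin/confer_connector.py}"
LOG_DIR="${LOG_DIR:-$SPLUNK_HOME/var/log/splunk}"

# set_debug_mode FILE True|False
# Rewrites only a line of the exact form "DEBUG_MODE = <value>" and saves a
# backup (FILE.bak) first so the change can be reverted once logs are collected.
set_debug_mode() {
    file="$1"
    value="$2"
    case "$value" in
        True|False) ;;
        *) echo "value must be True or False" >&2; return 2 ;;
    esac
    grep -q '^DEBUG_MODE = ' "$file" || { echo "no DEBUG_MODE line in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    sed -i "s/^DEBUG_MODE = .*/DEBUG_MODE = $value/" "$file"
}

# get_debug_mode FILE
# Prints the current value of DEBUG_MODE (True or False) for verification.
get_debug_mode() {
    sed -n 's/^DEBUG_MODE = *\([A-Za-z]*\).*/\1/p' "$1"
}

# collect_logs LOG_DIR OUT_TAR
# Bundles confer_connector.log and the (rotated) Cb Defense add-on logs into
# a gzip tarball. Prints the number of files bundled; returns 1 if none exist.
collect_logs() {
    dir="$1"
    out="$2"
    list=$(mktemp)
    ( cd "$dir" && ls confer_connector.log* ta-cb_defense_cbdefense_*.log* 2>/dev/null ) > "$list" || true
    n=$(wc -l < "$list" | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        rm -f "$list"
        echo 0
        return 1
    fi
    tar -czf "$out" -C "$dir" -T "$list"
    rm -f "$list"
    echo "$n"
}

# Typical run on a Splunk host: enable debug logging, and after reproducing
# the problem, bundle the logs with "$0 --collect".
main() {
    case "${1:-}" in
        --enable)  set_debug_mode "$CONNECTOR" True  && echo "DEBUG_MODE=$(get_debug_mode "$CONNECTOR")" ;;
        --disable) set_debug_mode "$CONNECTOR" False && echo "DEBUG_MODE=$(get_debug_mode "$CONNECTOR")" ;;
        --collect) collect_logs "$LOG_DIR" "/tmp/confer_connector_logs_$(date +%Y%m%d%H%M%S).tgz" ;;
        *) echo "usage: $0 --enable | --disable | --collect" >&2; return 2 ;;
    esac
}

# Only act when invoked with an option, so sourcing the file is side-effect free.
[ -n "${1:-}" ] && main "$@"
```

Once the logs have been handed over, run the script with `--disable` (or restore the `.bak` copy) so the connector returns to its normal logging level; debug output is considerably more verbose and is not intended to stay enabled.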

Windows SIEM Connector:

The log level is set to Info by default. In the connector script that you downloaded, change the log level.

Modify

LOG_LEVEL=Info

to

LOG_LEVEL=Verbose

to obtain more verbose connector logs.

The log files are located in:

%WINDOWS_TEMP%\confer_connector.log

Creation Date: 09-15-2016