Splunk SIEM using the Symantec WSS  Transfer Agent seemingly failed and then eventually recovered.

The WSS Splunk app modular inputs logs written to $SPLUNK_HOME/etc/var/log/scwss/scwss-poll.log showed error:

ERROR 140501843720000 - 2021-12-05 03:51:59 status=error, msg='Server failed to fulfill the request', code='500'

ERROR 139975231018816 - 2021-12-05 04:02:48 status=error, msg='Server failed to fulfill the request', code='500'

ERROR 140010127738688 - 2021-12-05 04:23:15 status=error, msg='Server failed to fulfill the request', code='500'

Web Security Service

Near Real-Time Log SyncAPI

WSS App and add-on for Splunk

A 500 status code happens due to a SyncAPI internal server error.

An internal Web Security Service error prevented the download. The client might need to wait a while before repeating the request.

All 500-level responses suggest that the client can repeat the last token when the service becomes available.

• Symantec Splunk Apps landing page and the WSS App for Splunk documentation for more details.
• Near Real-Time Sync API documentation for assistance with proper implementation.