Unable to forward events to Splunk after upgrading to EDR 4.8



Article ID: 271015


Updated On:


Endpoint Detection and Response


After upgrading from SEDR (Symantec Endpoint Detection and Response) 4.6x to 4.8, the following error is reported by the System Health Monitor:

"Unable to forward events to Splunk. Verify your Splunk configuration settings"


After generating a diagnostics report and examining the contents of ".\Catch-all\SEV1\LOGS\_var_log_symantec_sgs-td\central_manager.log", the following pair of errors is found repeated throughout the log:

2023-07-15 18:38:41,538 ERROR org.springframework.amqp.rabbit.config.ListenerContainerFactoryBean#0-1 (EventForwarderClientImpl.java:executeRequest:162) IOException: Unable to validate webhook host. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2023-07-15 18:38:41,538 ERROR org.springframework.amqp.rabbit.config.ListenerContainerFactoryBean#0-1 (SyslogSender.java:sendEventsToSyslog:146) Failed to post events to Syslog server <ip address>:6061


Release : 4.8.0-476


In this case, the schema used by the application receiving the events could not handle the new and changed data fields introduced by the EDR 4.8 event schema.


Use the published list of changes in the 4.8 schema to update your receiving application so that it can accept and process the events forwarded by the SEDR 4.8 appliance.
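As an added illustration of the failure mode described above (this is example code, not Symantec's or the page's own), the snippet below contrasts a receiver that rejects any field it does not recognise with one that tolerates additive schema changes and only reports them. The field names and the sample event are constructed placeholders, not the real 4.8 schema.

```python
"""Forward-compatible handling of forwarded EDR events (added example)."""
import json

# Fields the receiving application relied on before the upgrade (constructed).
REQUIRED_FIELDS = {"event_type", "timestamp", "device_id"}
# Optional fields the old receiver already knew about (constructed).
OPTIONAL_FIELDS = {"severity"}


def strict_parse(raw: str) -> dict:
    """Pre-upgrade behaviour: refuse any event carrying unknown keys.

    This is what breaks as soon as the sender adds fields to its schema."""
    event = json.loads(raw)
    unknown = set(event) - REQUIRED_FIELDS - OPTIONAL_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return event


def tolerant_parse(raw: str) -> tuple[dict, list[str]]:
    """Additive-change tolerant: insist on the fields we need, keep the
    rest, and return the unknown keys so operators can see schema drift."""
    event = json.loads(raw)
    missing = REQUIRED_FIELDS - set(event)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    unknown = sorted(set(event) - REQUIRED_FIELDS - OPTIONAL_FIELDS)
    return event, unknown


# Constructed sample event as a newer sender might emit it: it carries one
# field ("new_field", a placeholder name) that the old receiver never saw.
SAMPLE_EVENT = json.dumps({
    "event_type": 8001,
    "timestamp": "2023-07-15T18:38:41.538Z",
    "device_id": "constructed-device-1",
    "severity": 3,
    "new_field": "value added in a later schema",
})


def demo() -> dict:
    """Run both parsers over the constructed event and report the outcome."""
    result = {"strict_ok": True, "tolerant_ok": True, "unknown": []}
    try:
        strict_parse(SAMPLE_EVENT)
    except ValueError:
        result["strict_ok"] = False          # the pre-upgrade receiver fails
    try:
        _, result["unknown"] = tolerant_parse(SAMPLE_EVENT)
    except ValueError:
        result["tolerant_ok"] = False
    return result
```

The tolerant parser still fails closed when a field the application depends on is absent, so it flags breaking changes while surviving purely additive ones.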