Unable to forward events to Splunk after upgrading to EDR 4.8

Article ID: 271015

Products

Endpoint Detection and Response

Issue/Introduction

After upgrading SEDR (Symantec Endpoint Detection and Response) from 4.6.x to 4.8, the System Health Monitor reports the following error:

"Unable to forward events to Splunk. Verify your Splunk configuration settings"

After generating a diagnostics report and examining ".\Catch-all\SEV1\LOGS\_var_log_symantec_sgs-td\central_manager.log", the following pair of errors is found repeated throughout the log:


2023-07-15 18:38:41,538 ERROR org.springframework.amqp.rabbit.config.ListenerContainerFactoryBean#0-1 (EventForwarderClientImpl.java:executeRequest:162) IOException: Unable to validate webhook host. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2023-07-15 18:38:41,538 ERROR org.springframework.amqp.rabbit.config.ListenerContainerFactoryBean#0-1 (SyslogSender.java:sendEventsToSyslog:146) Failed to post events to Syslog server <ip address>:6061

Environment

Release : 4.8.0-476

Cause

In this case the schema used by the application receiving the events could not handle the new or changed data fields in the EDR 4.8 event schema, so the receiver rejected the forwarded events. Note that the SSLHandshakeException recorded alongside the failure ("PKIX path building failed ... unable to find valid certification path to requested target") means the appliance could not build a certificate trust path to the webhook host; if the receiving endpoint's certificate chain is not trusted by the appliance, that must also be corrected before events will forward.

Resolution

Use the published list of changes in the 4.8 schema to update the receiving application so that it can accept and process the events forwarded from the SEDR 4.8 appliance. After the change, confirm that central_manager.log no longer records "Failed to post events to Syslog server" and that the System Health Monitor error clears.
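The following is an added example, not code from this article or from the SEDR product, showing the receiver-side pattern the resolution calls for: a parser written against a fixed set of fields rejects an entire batch when the upstream schema grows, whereas a tolerant parser keeps the fields it knows, carries unknown fields through, and reports the drift so the operator can update the mapping. The field names (uuid, type_id, time, device_ip, severity_id, threat_score, user_name), the JSON-array batch format and the sample events are all constructed for illustration and are not taken from the published 4.8 schema.

```python
"""Schema-tolerant ingestion of forwarded events (added example, hypothetical schema)."""
import json

# Fields the pre-upgrade receiver was written against (hypothetical).
KNOWN_FIELDS = {"uuid", "type_id", "time", "device_ip", "severity_id"}
# Fields the receiver cannot do without; everything else is optional.
REQUIRED_FIELDS = {"uuid", "type_id", "time"}
# Types the receiver's downstream storage expects (hypothetical).
EXPECTED_TYPES = {"type_id": int, "severity_id": int}


class SchemaError(ValueError):
    """Raised by the strict parser when a batch does not match KNOWN_FIELDS."""


def parse_strict(raw: str) -> list[dict]:
    """Pre-upgrade behaviour: one unexpected key rejects the whole batch.
    This is the failure mode the article describes."""
    events = json.loads(raw)
    for ev in events:
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            raise SchemaError(f"missing {sorted(missing)} in {ev.get('uuid')}")
        unexpected = set(ev) - KNOWN_FIELDS
        if unexpected:
            raise SchemaError(f"unexpected {sorted(unexpected)} in {ev.get('uuid')}")
    return events


def _coerce(key, value, report):
    """Coerce a value to the expected type, counting each change; keep the
    raw value if coercion fails rather than dropping the event."""
    want = EXPECTED_TYPES.get(key)
    if want is None or isinstance(value, want):
        return value
    report["type_changes"][key] = report["type_changes"].get(key, 0) + 1
    try:
        return want(value)
    except (TypeError, ValueError):
        return value


def parse_tolerant(raw: str) -> tuple[list[dict], dict]:
    """Post-upgrade behaviour: accept known fields, carry unknown fields
    through under 'extra', drop only events missing REQUIRED_FIELDS, and
    return a drift report listing every new field and type change seen."""
    events = json.loads(raw)
    accepted = []
    report = {"accepted": 0, "dropped": 0, "new_fields": {}, "type_changes": {}}
    for ev in events:
        if REQUIRED_FIELDS - set(ev):
            report["dropped"] += 1
            continue
        known = {k: _coerce(k, v, report) for k, v in ev.items() if k in KNOWN_FIELDS}
        extra = {k: v for k, v in ev.items() if k not in KNOWN_FIELDS}
        for k in extra:
            report["new_fields"][k] = report["new_fields"].get(k, 0) + 1
        known["extra"] = extra
        accepted.append(known)
        report["accepted"] += 1
    return accepted, report


def strict_rejects(raw: str) -> bool:
    """True if the strict parser would refuse this batch."""
    try:
        parse_strict(raw)
    except SchemaError:
        return True
    return False


# Constructed sample batch (not real SEDR output): one legacy-shaped event,
# one with new fields and a type change, one with an optional field absent,
# and one missing a required field.
SAMPLE_BATCH = json.dumps([
    {"uuid": "a1", "type_id": 8001, "time": "2023-07-15T18:38:41Z",
     "device_ip": "10.0.0.5", "severity_id": 3},
    {"uuid": "a2", "type_id": 8001, "time": "2023-07-15T18:38:42Z",
     "device_ip": "10.0.0.6", "severity_id": "3",
     "threat_score": 77, "user_name": "alice"},
    {"uuid": "a3", "type_id": 8002, "time": "2023-07-15T18:38:43Z",
     "device_ip": "10.0.0.7"},
    {"type_id": 8003, "time": "2023-07-15T18:38:44Z", "device_ip": "10.0.0.8"},
])
LEGACY_BATCH = json.dumps([json.loads(SAMPLE_BATCH)[0]])

if __name__ == "__main__":
    print("strict rejects post-upgrade batch:", strict_rejects(SAMPLE_BATCH))
    events, drift = parse_tolerant(SAMPLE_BATCH)
    print("tolerant accepted:", drift["accepted"], "dropped:", drift["dropped"])
    print("schema drift to review:", drift["new_fields"], drift["type_changes"])
```

The drift report is the operational payoff: it tells you exactly which fields the new schema introduced and which changed type, so the receiver's mapping can be updated deliberately instead of the whole feed failing silently at the forwarder.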