// status file name mapping { 'wb': 'status-7a30d9b1a63aa0e9e48ba68fd128de222c30932d.json', 'audit log': 'status-2fdf9e424a12cf53161ec320883dbd717334411e.json', 'oat': 'status-2eb1d0f9f55d3c1456ad342f010fabcf0ffdc247.json' }

Collecting Splunk debug logs in Trend Vision One

Product / Version includes:

Trend Vision OneAll

Last updated: 2023/08/04

Solution ID: KA-0015059

Category: Troubleshoot

Summary

Learn how to collect Splunk debug logs to help with troubleshooting or configuration in Trend Vision One.

There are two methods to collect Splunk debug logs:

Get raw logs from Linux server.
cd /opt/splunk/var/log/splunk/
sudo cat /opt/splunk/var/log/splunk/xdr_splunk_trendmicro_v1_observed_attack_techniques.log | tail -n 10sudo tail -f /opt/splunk/var/log/splunk/xdr_splunk_trendmicro_v1_observed_attack_techniques.log

XDR Splunk log saved path: "/opt/splunk/var/log/splunk/xdr_splunk_*"

App root path: cd /opt/splunk/etc/apps/xdr_splunk/

Checkpoint data folder: cd /opt/splunk/etc/apps/xdr_splunk/data
```
// status file name mapping
{
  'wb': 'status-7a30d9b1a63aa0e9e48ba68fd128de222c30932d.json',
  'audit log': 'status-2fdf9e424a12cf53161ec320883dbd717334411e.json',
  'oat': 'status-2eb1d0f9f55d3c1456ad342f010fabcf0ffdc247.json'
}
```
Get raw logs from Splunk Search Interface (recommended):
1. Click into Splunk Search APP and perform the query.
  
  As an example:
  
  Fetch OAT debug log: "index=_internal \[TrendMicro OAT\]"
2. You may set the time range.
3. To get Workbench debug log:
  "index=_internal \[TrendMicro XDR\]"
  
  To get Audit Log debug log:
  
  "index=_internal \[TrendMicro Audit\]"
  
  To get all debug and exception logs (also some unhandled error logs):
  
  "index=_internal sourcetype=xdr_splunk*"

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Collecting Splunk debug logs in Trend Vision One

Collecting Splunk debug logs in Trend Vision One

Product / Version includes:

Summary