Splunk® Enterprise

Add Symantec Endpoint Protection data: Splunk Cloud

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install a heavy forwarder on your Symantec Endpoint Protection instance

To forward your data into a Splunk Cloud instance, install a Splunk heavy forwarder on your Symantec Endpoint Protection host.

To install a heavy forwarder using Linux and connect it to your Splunk Cloud deployment, perform the following steps:

  1. Download and install a full Splunk Enterprise instance.
  2. Enable your Splunk Enterprise instance as a heavy forwarder.

Install and configure a heavy forwarder for Linux

Download the Linux version of Splunk Enterprise, and verify the package against the checksum Splunk publishes alongside it before you extract anything from it.

To install Splunk Enterprise on a heavy forwarder, follow these steps:

  1. Untar the Splunk Enterprise file into an appropriate directory:
    tar xvzf splunk_package_name.tgz
    

    The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

    tar xvzf splunk_package_name.tgz -C /opt
    
  2. Start Splunk Enterprise for the first time (for example, /opt/splunk/bin/splunk start). The command line prompts you to create an administrator password. Type the password when prompted. You need this password for your initial Splunk Enterprise login, and it is the admin credential for a host that will hold a copy of your endpoint data, so choose it accordingly.
    This appears to be your first time running this version of Splunk.
    
    An Admin password must be set before installation proceeds.
    

Set up heavy forwarding

  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. At Configure forwarding, click Add new.
  4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port specified when the receiver was configured. For example, you might enter receivingserver.com:9997.
  5. Click Save.
  6. Restart Splunk Enterprise for the change to take effect.

Configure your heavy forwarder to index and forward data

Use the heavy forwarder to index your data locally and to forward the data to the receiving indexers (here, your Splunk Cloud deployment). Keep in mind that a local copy doubles the storage the forwarder needs and is a second copy of the endpoint data that you must protect; enable it only if you need to search on the forwarder itself.

  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Select Forwarding defaults.
  4. Select Yes to store and maintain a local copy of the indexed data on the forwarder.
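The steps above (untar, first start, Configure forwarding, Forwarding defaults) can be scripted from the command line. The script below is an added example, not code from this page or from Splunk: it verifies the downloaded package against its published SHA-512 digest before extracting, seeds the admin password instead of answering the prompt interactively, registers the receiver and turns on the local copy. SPLUNK_HOME=/opt/splunk, the RECEIVER and SPLUNK_ADMIN_PASSWORD environment variables, and the file name install-hf.sh are assumptions of the example; the receiver address for a Splunk Cloud deployment is whatever your deployment gives you.

```shell
#!/bin/sh
# Added example (not from the page): unattended build of a Linux heavy forwarder,
# the CLI equivalent of the tar + first-start + "Forwarding and receiving" steps.
# Assumptions: the .tgz and the vendor's SHA-512 digest for it are already
# downloaded; SPLUNK_HOME is /opt/splunk; RECEIVER is the receiver's host:port;
# SPLUNK_ADMIN_PASSWORD holds the initial admin password.
set -eu

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}

# digest_of <file>: hex SHA-512 of a file (sha512sum on Linux, shasum elsewhere).
digest_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1"
    else
        shasum -a 512 "$1"
    fi | awk '{ print $1 }'
}

# verify_package <tgz> <expected-hex>: succeeds only when the tarball matches the
# digest published with it. Refusing to extract on mismatch is the supply-chain
# check that "download and untar" leaves out.
verify_package() {
    tgz=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$(digest_of "$tgz")" = "$expected" ]
}

# install_heavy_forwarder <tgz> <expected-hex>
install_heavy_forwarder() {
    : "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}" "${RECEIVER:?set RECEIVER=host:port}"
    verify_package "$1" "$2" || { echo "digest mismatch for $1, refusing to install" >&2; return 1; }
    tar xzf "$1" -C "$(dirname "$SPLUNK_HOME")"

    # user-seed.conf answers the first-start admin-password prompt non-interactively.
    # Splunk consumes it on first start; the plaintext copy must not outlive that.
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    ( umask 077; cat > "$SPLUNK_HOME/etc/system/local/user-seed.conf" <<EOF
[user_info]
USERNAME = admin
PASSWORD = $SPLUNK_ADMIN_PASSWORD
EOF
    )
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    rm -f "$SPLUNK_HOME/etc/system/local/user-seed.conf"

    # Equivalent of Settings > Forwarding and receiving > Configure forwarding > Add new.
    # -auth on the command line is visible to other local users in the process list;
    # in an interactive session run "splunk login" first and drop -auth.
    "$SPLUNK_HOME/bin/splunk" add forward-server "$RECEIVER" \
        -auth "admin:$SPLUNK_ADMIN_PASSWORD"

    # Equivalent of Forwarding defaults > Yes: keep a local indexed copy as well.
    cat >> "$SPLUNK_HOME/etc/system/local/outputs.conf" <<'EOF'

[indexAndForward]
index = true
EOF
    "$SPLUNK_HOME/bin/splunk" restart
}

# Usage: SPLUNK_ADMIN_PASSWORD=... RECEIVER=host:9997 sh install-hf.sh <tgz> <sha512-hex>
if [ $# -eq 2 ]; then
    install_heavy_forwarder "$1" "$2"
fi
```

The digest is taken as a second argument rather than parsed out of the vendor's checksum file, because the layout of that file is not part of this page; copy the hex string from it. Omit the [indexAndForward] block if you do not want the forwarder to keep its own copy of the data.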


Install and configure a heavy forwarder for Microsoft Windows

To install a heavy forwarder using Microsoft Windows and connect it to your Splunk deployment, perform the following steps:

  1. Enable a receiver.
  2. Download and install a Splunk Enterprise instance on to the host of your data source.
  3. Enable forwarding on your Splunk Enterprise instance.

Enable a receiver using Splunk Web

  1. Log into the instance that you want to be a receiver as the admin user or an administrative equivalent.
  2. In the system bar, click Settings > Forwarding and receiving.
  3. At Configure receiving, click Add new.
  4. Specify the TCP network port that you want the receiver to listen on. This is the listening port, and is also known as the receiving port.
  5. Click Save.
  6. Restart Splunk software for the changes to take effect.

Set up receiving with configuration files

Enable receiving on your Splunk Enterprise instance by configuring the inputs.conf configuration file. inputs.conf must reside in the %SPLUNK_HOME%\etc\system\local directory. You might need to create this file if it does not exist.

  1. With a text editor, open inputs.conf in %SPLUNK_HOME%\etc\system\local.
  2. Add a [splunktcp] stanza that specifies the receiving port. In this example, the receiving port is 9997:
    [splunktcp://9997]
    disabled = 0
    
  3. Restart your Splunk software for the changes to take effect.

The forms [splunktcp://9997] and [splunktcp://:9997] with one colon or two colons are equivalent. Note that a [splunktcp://<port>] stanza accepts unencrypted, unauthenticated connections from any host that can reach the port; restrict it with a host firewall, or use a [splunktcp-ssl:<port>] stanza with certificates so that the link is encrypted and the forwarder is authenticated.

Download and install a Splunk Enterprise instance on to your heavy forwarder

  1. Download the Windows version of Splunk Enterprise.
  2. To start the installer, double-click the splunk.msi file. The installer runs and displays the Splunk Enterprise Installer panel.
  3. Check the Check this box to accept the License Agreement box. This activates the Customize Installation and Install buttons.
  4. Choose your installation options. Select Install with the default settings, which does the following:
    • Installs Splunk Enterprise in \Program Files\Splunk on the system drive (the drive that boots your Windows system.)
    • Installs Splunk Enterprise with the default management and Web ports.
    • Configures Splunk Enterprise to run as the Local System user. This account has full privileges on the host; choose Customize Installation if a dedicated domain or local account is more appropriate (see the note on choosing the user under the command-line installation below).
    • Creates a Start Menu shortcut for the software.
  5. Click Install to proceed with the installation.

Install on Windows with the Command Line Interface (CLI)


Run msiexec.exe to install Splunk Enterprise from the command line or a PowerShell prompt.

For 64-bit platforms, use splunk-<...>-x64-release.msi:

msiexec.exe /i splunk-<...>-x64-release.msi [<flag>]... [/quiet]

The value of <...> varies according to the specific release. For example, splunk-6.3.2-aaff59bb082c-x64-release.msi.

Command-line flags let you configure Splunk Enterprise at installation. Using command-line flags, you can specify a number of settings, including but not limited to:

  • Which Windows event logs to index
  • Which Windows Registry hives to monitor
  • Which Windows Management Instrumentation (WMI) data to collect
  • The user Splunk Enterprise runs as. See Choose the Windows user Splunk Enterprise should run as for information about what type of user you should install your Splunk instance to run with.
  • An included application configuration for Splunk to enable
  • Whether Splunk Enterprise should start automatically when the installation is finished

Enable your Splunk Enterprise instance as a heavy forwarder with Splunk Web

  1. Log into Splunk Web as admin on the instance that is to forward data.
  2. In the system bar, click Settings > Forwarding and receiving.
  3. Click Add new at Configure forwarding.
  4. Enter the hostname or IP address for the receiving Splunk instance(s), along with the receiving port that you specified when you configured the receiver.
  5. Click Save.
  6. Restart Splunk Enterprise for the change to take effect.

Configure heavy forwarders to index and forward data

  1. Log into Splunk Web as admin on the instance that will be forwarding data.
  2. Click Settings > Forwarding and receiving.
  3. Select Forwarding defaults.
  4. Select Yes to store and maintain a local copy of the indexed data on the forwarder.

All other configuration must be done in outputs.conf.
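Both the receiving stanza shown under Set up receiving with configuration files and the outputs.conf that Forwarding and receiving writes are plaintext unless you add the TLS settings yourself. The script below is an added example, not code from this page or from Splunk: it writes the page's plaintext receiver beside a TLS-hardened version, an outputs.conf for the forwarder side that matches it, and lints both for settings that leave the forwarder-to-indexer link unencrypted or unauthenticated. The hostname receivingserver.com is the page's own placeholder; the certificate paths, passphrases, the group name splunkcloud and the file name lint-splunk-conf.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the page): the plaintext receiver stanza next to a TLS
# equivalent, a matching outputs.conf for the heavy forwarder, and a lint that
# flags settings which leave the link unencrypted or unauthenticated.
# Hostnames, ports, certificate paths and passphrases are assumptions.
set -eu

# conf_lines <file>: drop comments and blank lines, normalise "key = value" to
# "key=value" so the stanza-aware checks below can match whole lines.
conf_lines() {
    sed -e 's/[[:space:]]*#.*$//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# lint_inputs_conf <file>: 0 if no enabled plaintext [splunktcp:...] receiver
# remains and the [SSL] stanza demands a client certificate; otherwise prints
# each finding and returns their count.
lint_inputs_conf() {
    conf_lines "$1" | awk '
        /^\[/ { check_stanza(); stanza = substr($0, 2, length($0) - 2); disabled = 0; reqcert = 0; next }
        /^disabled=(1|true)$/      { disabled = 1 }
        /^requireClientCert=true$/ { reqcert = 1 }
        END { check_stanza(); exit findings }
        function check_stanza() {
            if (stanza ~ /^splunktcp:/ && !disabled) { print "enabled plaintext receiver [" stanza "]"; findings++ }
            if (stanza == "SSL" && !reqcert)          { print "[SSL] does not set requireClientCert = true"; findings++ }
        }'
}

# lint_outputs_conf <file>: 0 if every [tcpout:<group>] (directly or inherited
# from the global [tcpout] stanza) pins a CA, verifies the server certificate and
# uses indexer acknowledgement; otherwise prints each finding and returns the count.
lint_outputs_conf() {
    conf_lines "$1" | awk '
        /^\[/ { check_stanza(); stanza = substr($0, 2, length($0) - 2); verify = 0; ca = 0; ack = 0; next }
        /^sslVerifyServerCert=true$/ { verify = 1; if (stanza == "tcpout") gverify = 1 }
        /^sslRootCAPath=./           { ca = 1;     if (stanza == "tcpout") gca = 1 }
        /^useACK=true$/              { ack = 1;    if (stanza == "tcpout") gack = 1 }
        END { check_stanza(); exit findings }
        function check_stanza() {
            if (stanza !~ /^tcpout:/) return
            if (!(verify || gverify)) { print "[" stanza "] sslVerifyServerCert is not true"; findings++ }
            if (!(ca || gca))         { print "[" stanza "] sslRootCAPath is not set"; findings++ }
            if (!(ack || gack))       { print "[" stanza "] useACK is not true"; findings++ }
        }'
}

# write_samples <dir>: constructed config files, a weak and a hardened pair.
write_samples() {
    # The receiver exactly as shown on the page: plaintext, no peer authentication.
    cat > "$1/inputs-plain.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF
    # TLS receiver: plaintext port off, splunktcp-ssl on, and forwarders must
    # present a certificate from a CA the receiver trusts (set in server.conf).
    cat > "$1/inputs-tls.conf" <<'EOF'
[splunktcp://9997]
disabled = 1

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/receiver.pem
sslPassword = <receiver-key-passphrase>
requireClientCert = true
EOF
    # Equivalent of "Configure forwarding > Add new": a server and nothing about TLS.
    cat > "$1/outputs-weak.conf" <<'EOF'
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = receivingserver.com:9997
EOF
    # Hardened: pinned CA, server-certificate and hostname checks, client certificate,
    # indexer acknowledgement, plus the local copy from "Forwarding defaults > Yes".
    cat > "$1/outputs-hardened.conf" <<'EOF'
[tcpout]
defaultGroup = splunkcloud
useACK = true

[tcpout:splunkcloud]
server = receivingserver.com:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/cacert.pem
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <forwarder-key-passphrase>
sslVerifyServerCert = true
sslCommonNameToCheck = receivingserver.com

[indexAndForward]
index = true
EOF
}

# Usage: sh lint-splunk-conf.sh <inputs.conf> <outputs.conf>
if [ $# -eq 2 ]; then
    rc=0
    lint_inputs_conf "$1" || rc=1
    lint_outputs_conf "$2" || rc=1
    exit $rc
fi
```

Run it against the files under %SPLUNK_HOME%\etc\system\local ($SPLUNK_HOME/etc/system/local on Linux) before restarting. The hardened outputs.conf assumes the CA, receiver and forwarder certificates already exist, and sslCommonNameToCheck must match the name in the receiver's certificate; the lint honours settings placed in the global [tcpout] stanza, which every group inherits. Because conf_lines strips anything after a #, a passphrase containing # is truncated for the check only, not in the file.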

Set up heavy forwarding with the CLI

With the CLI, enable forwarding on the Splunk Enterprise instance, then configure forwarding to a specified receiver:

  1. On the machine that you want to forward data from, open a command prompt or PowerShell window.
  2. From the command prompt or PowerShell window, navigate to %SPLUNK_HOME%\bin.
  3. Type in the following to enable forwarding: splunk enable app SplunkForwarder -auth <username>:<password>
  4. Type in the following to point the instance at the receiver: splunk add forward-server <server:port> -auth <username>:<password>
  5. Restart Splunk Enterprise: splunk restart

If you also want the forwarder to keep a local copy of the data, confirm that Yes is selected under Forwarding defaults as described above. Passing -auth on the command line exposes the credentials to other local users through the process list; in an interactive session, run splunk login first and omit -auth. The same result can be obtained at install time by passing the SPLUNK_APP and FORWARD_SERVER flags to msiexec.exe, for example: msiexec.exe /i Splunk.msi SPLUNK_APP="SplunkForwarder" FORWARD_SERVER="<server:port>"
Last modified on 07 December, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

