Configure Symantec Endpoint Manager inputs for the Splunk Add-on for Symantec Endpoint Protection
The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager. If you have not already done so, follow the Symantec documentation to export your log data to dump files. Make a note of the path to the files.
You can configure monitor inputs using the configuration files (recommended) or via the Splunk Web UI, if you have one available on your collection node.
Configure monitor inputs in inputs.conf
- Open or create %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf.
- Paste the following stanzas at the end of the file, without deleting anything already there.
```ini
[monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
sourcetype = symantec:ep:admin:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
sourcetype = symantec:ep:behavior:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
sourcetype = symantec:ep:agent:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
sourcetype = symantec:ep:policy:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
sourcetype = symantec:ep:scm_system:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
sourcetype = symantec:ep:packet:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
sourcetype = symantec:ep:proactive:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
sourcetype = symantec:ep:risk:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
sourcetype = symantec:ep:scan:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
sourcetype = symantec:ep:security:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
sourcetype = symantec:ep:agt_system:file
disabled = false

[monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
sourcetype = symantec:ep:traffic:file
disabled = false
```
- In each stanza, replace <<path_to_temp_dump_file_directory>> with the actual path of your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
- Save the file.
- If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
- Restart Splunk Enterprise.
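The following script is an added example, not part of the add-on or of Splunk's documentation. It renders the twelve monitor stanzas above for a given dump directory and then checks an existing inputs.conf for the mistakes that most often leave a feed silently empty: a missing stanza, a sourcetype that does not match the dump file, or a stanza left disabled. The dump directory path used in the comments is a constructed sample, not a real default.

```python
"""Render and verify the Symantec EP dump-file monitor stanzas for inputs.conf."""
import configparser
from pathlib import PureWindowsPath

# Dump file -> sourcetype mapping, exactly as in the stanzas documented above.
DUMP_SOURCETYPES = {
    "scm_admin.tmp": "symantec:ep:admin:file",
    "agt_behavior.tmp": "symantec:ep:behavior:file",
    "scm_agent_act.tmp": "symantec:ep:agent:file",
    "scm_policy.tmp": "symantec:ep:policy:file",
    "scm_system.tmp": "symantec:ep:scm_system:file",
    "agt_packet.tmp": "symantec:ep:packet:file",
    "agt_proactive.tmp": "symantec:ep:proactive:file",
    "agt_risk.tmp": "symantec:ep:risk:file",
    "agt_scan.tmp": "symantec:ep:scan:file",
    "agt_security.tmp": "symantec:ep:security:file",
    "agt_system.tmp": "symantec:ep:agt_system:file",
    "agt_traffic.tmp": "symantec:ep:traffic:file",
}

def render_inputs_conf(dump_dir: str) -> str:
    """Build the [monitor://...] stanzas with dump_dir substituted for the placeholder."""
    lines = []
    for name, sourcetype in DUMP_SOURCETYPES.items():
        path = str(PureWindowsPath(dump_dir) / name)
        lines += [f"[monitor://{path}]", f"sourcetype = {sourcetype}", "disabled = false", ""]
    return "\n".join(lines)

def check_inputs_conf(text: str) -> list:
    """Return a list of problems found in an inputs.conf body (empty list means OK)."""
    # interpolation=None so values such as %SEPM_HOME% are not treated as format strings.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    seen = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            fname = PureWindowsPath(section[len("monitor://"):]).name
            seen[fname] = (cp[section].get("sourcetype"), cp[section].get("disabled", "false").lower())
    problems = []
    for name, expected in DUMP_SOURCETYPES.items():
        if name not in seen:
            problems.append(f"missing stanza for {name}")
            continue
        sourcetype, disabled = seen[name]
        if sourcetype != expected:
            problems.append(f"{name}: sourcetype {sourcetype!r}, expected {expected!r}")
        if disabled not in ("false", "0"):
            problems.append(f"{name}: stanza is disabled")
    return problems

if __name__ == "__main__":  # constructed sample path; replace with your real dump directory
    print(render_inputs_conf(r"C:\SEPM\data\dump"))
```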
Configure monitor inputs using Splunk Web
- On your data collection node, go to Settings > Data inputs > Files & directories.
- Click New.
- Click Browse and navigate to the first of the log files listed on the Source types page.
- Click Next.
- On the Input Settings page, next to Source type, click Select. In the Select Source Type dropdown, select the Network & Security category, then select the corresponding source type for this log file from the Source types page. Or, begin typing symantec to see a list of source types beginning with symantec.
- Click Review to review your input configuration.
- Click Submit.
- Repeat steps 2 through 7 for each of the additional dump files that you want to monitor.