Splunk® Supported Add-ons

Splunk Add-on for Symantec Endpoint Protection

Source types for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection collects data from two sources:

  • Local SEPM dump files
  • Splunk Connect for Syslog

The Splunk Add-on for Symantec Endpoint Protection applies the following source types to your monitor inputs. The `:file` source types correspond to the SEPM dump files; the `:syslog` source types correspond to the same log categories delivered through Splunk Connect for Syslog. The last column lists the CIM data models each source type is mapped to.

| Source type | Description | CIM compatibility |
|---|---|---|
| symantec:ep:behavior:file | Application and device control log data from agt_behavior.tmp. | Intrusion Detection |
| symantec:ep:agent:file | Server client log data from scm_agent_act.tmp. | Change |
| symantec:ep:scm_system:file | Server system data from scm_system.tmp. | Change, Authentication, Alerts |
| symantec:ep:proactive:file | Client proactive threat log data from agt_proactive.tmp. | Malware |
| symantec:ep:risk:file | Client risk log data from agt_risk.tmp. | Malware |
| symantec:ep:scan:file | Client scan log data from agt_scan.tmp. | Alerts |
| symantec:ep:security:file | Client security log data from agt_security.tmp. | Intrusion Detection, Alerts |
| symantec:ep:agt_system:file | Client system log data from agt_system.tmp. | Change, Alerts, Intrusion Detection |
| symantec:ep:policy:file | Server policy log data from scm_policy.tmp. | Change |
| symantec:ep:admin:file | Server administration log data from scm_admin.tmp. | Authentication, Change |
| symantec:ep:traffic:file | Client traffic log data from agt_traffic.tmp. | Network Traffic |
| symantec:ep:packet:file | Client packet log data from agt_packet.tmp. | Network Traffic |
| symantec:ep:admin:syslog | Server administration log data from scm_admin syslog. | Authentication, Change |
| symantec:ep:agent:syslog | Server client log data from scm_agent_act syslog. | |
| symantec:ep:agt:system:syslog | Client system log data from agt_system syslog. | Change, Alerts, Inventory, Network Traffic |
| symantec:ep:behavior:syslog | Application and device control log data from agt_behavior syslog. | Intrusion Detection |
| symantec:ep:packet:syslog | Client packet log data from agt_packet syslog. | Network Traffic |
| symantec:ep:policy:syslog | Server policy log data from scm_policy syslog. | Change |
| symantec:ep:proactive:syslog | Client proactive threat log data from agt_proactive syslog. | Malware |
| symantec:ep:risk:syslog | Client risk log data from agt_risk syslog. | Malware |
| symantec:ep:scan:syslog | Client scan log data from agt_scan syslog. | Alerts |
| symantec:ep:scm:system:syslog | Server system data from scm_system syslog. | Change, Authentication, Alerts |
| symantec:ep:security:syslog | Client security log data from agt_security syslog. | Intrusion Detection, Alerts |
| symantec:ep:traffic:syslog | Client traffic log data from agt_traffic syslog. | Network Traffic |
Last modified on 09 January, 2023
This documentation applies to the following versions of Splunk® Supported Add-ons: released