Splunk® Supported Add-ons

Splunk Add-on for Symantec Endpoint Protection

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure Symantec Endpoint Manager inputs for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager. If you have not already done so, follow the Symantec documentation to export your log data to dump files. Make a note of the path to the files.

You can configure monitor inputs using the configuration files (recommended) or via the Splunk Web UI, if you have one available on your collection node.

Configure monitor inputs in inputs.conf

  1. Open or create %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf.
  2. Paste the following stanzas at the end of the file, without deleting anything already there.
    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
    sourcetype = symantec:ep:scm_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
    sourcetype = symantec:ep:packet:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
    sourcetype = symantec:ep:proactive:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
    sourcetype = symantec:ep:risk:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
    sourcetype = symantec:ep:scan:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
    sourcetype = symantec:ep:security:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
    sourcetype = symantec:ep:agt_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
    sourcetype = symantec:ep:traffic:file
    disabled = false
    
  3. In each stanza, replace <<path_to_temp_dump_file_directory>> with the actual path of your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
  4. Save the file.
  5. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  6. Restart Splunk Enterprise.

Configure monitor inputs using Splunk Web

  1. On your data collection node, go to Settings > Data inputs > Files & directories.
  2. Click New.
  3. Click Browse and navigate to the first of the log files listed on the Source types page.
  4. Click Next.
  5. On the Input Settings page, next to Source type, click Select. In the Select Source Type dropdown, select the Network & Security category, then select the corresponding source type for this log file from the Source types page. Or, begin typing symantec to see a list of source types beginning with symantec.
  6. Click Review to review your input configuration.
  7. Click Submit.
  8. Repeat steps 2 - 7 for each of the additional dump files that you want to monitor.
Last modified on 21 July, 2021
PREVIOUS
Upgrade the Splunk Add-on for Symantec Endpoint Protection to 3.1.0 or later
  NEXT
Troubleshoot the Splunk Add-on for Symantec Endpoint Protection

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters