Install the Splunk Add-on for Symantec Endpoint Protection
- Get the Splunk Add-on for Symantec Endpoint Protection by downloading it from https://splunkbase.splunk.com/app/2772/ or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables below.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
|Splunk platform instance type||Supported||Required||Actions required / Comments|
|Search Heads||Yes||Yes||Install this add-on to all search heads where Symantec Endpoint Protection knowledge management is required. |
If you want to automatically update the malware categories lookup file with the latest list of threats from Symantec, you also need to perform the add-on setup on the search heads.
|Indexers||Yes||Conditional||Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data.|
|Heavy Forwarders||Yes||No||Any kind of forwarder can be used. Forwarder must be installed directly on the server running Symantec Endpoint Protection in order to monitor dump files.|
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
|Distributed deployment feature||Supported||Actions required|
|Search Head Clusters||Yes||Search head clusters are supported only if you are using Splunk platform version 6.3.0 or later. You can install this add-on on a search head cluster for all search-time functionality. Before installing this add-on to a cluster, make the following changes to the add-on package: |
1. If the
2. If the
If you want to automatically update the malware categories lookup file with the latest list of threats from Symantec, you also need to perform the add-on setup on the search head cluster members.
|Indexer Clusters||Yes||Before installing this add-on to a cluster, make the following changes to the add-on package: |
1. If the
2. If the
|Deployment Server||Yes||Supported for deploying the configured add-on.|
See Installing add-ons in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
Installation and configuration overview for the Splunk Add-on for Symantec Endpoint Protection
Configure Syslog data using Splunk Connect for Syslog
This documentation applies to the following versions of Splunk® Supported Add-ons: released