Upgrade the Splunk Add-on for Symantec Endpoint Protection to 3.1.0 or later

  1. Disable your existing SEP 3.0.1 inputs.
  2. Upgrade the Symantec EP add-on (Splunk_TA_symantec-ep) from 3.0.1 to 3.1.0 or later.
  3. If you have configured the TA-Symantec-EP-Syslog and Symantec EP 3.0.1 TAs in the same environment:
    1. Disable the TA-Symantec-EP-Syslog TA.
    2. Stop the Splunk instance.
    3. Copy your disabled input stanzas from $SPLUNK_HOME/etc/apps/TA-Symantec-EP-Syslog/local/inputs.conf into $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/local/inputs.conf.
  4. Remove the malware input of the Symantec-EP TA from $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/local/inputs.conf.
  5. Enable your inputs.
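As an added helper for steps 3.3 and 4 above (example code, not part of the add-on or of Splunk's documentation), the script below parses the two local/inputs.conf files, copies only the stanzas that are still disabled from the old TA-Symantec-EP-Syslog file into the new add-on's file, reports any stanza that exists in both with different settings instead of overwriting it, and drops the named malware stanza. The sample stanza names, paths and sourcetypes are constructed assumptions; check your own files for the real ones and run this while the instance is stopped.

```python
import configparser

# Constructed sample of the old TA-Symantec-EP-Syslog local/inputs.conf
# (paths and sourcetypes are assumptions, not taken from the add-on).
OLD_SYSLOG_INPUTS = """\
[monitor:///opt/sepm/dump/agt_system.tmp]
sourcetype = symantec:ep:agt_system:file
disabled = 1

[udp://514]
sourcetype = symantec:ep:syslog
disabled = 0
"""

# Constructed sample of the new Splunk_TA_symantec-ep local/inputs.conf;
# the malware stanza name is a placeholder for whatever your file uses.
NEW_TA_INPUTS = """\
[monitor:///opt/sepm/dump/malware.tmp]
sourcetype = symantec:ep:malware:file
disabled = 1
"""


def load_conf(text):
    """Parse Splunk .conf text: case-sensitive keys, '=' only, no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def is_disabled(stanza):
    return stanza.get("disabled", "0").strip().lower() in ("1", "true")


def migrate_inputs(old_text, new_text, drop_stanzas):
    """Return (merged stanzas, conflicts). Only disabled stanzas are copied, so an
    input missed in step 1 cannot silently start collecting twice; a stanza present
    in both files with different settings is reported, never overwritten."""
    old, new = load_conf(old_text), load_conf(new_text)
    conflicts = []
    for name, stanza in old.items():
        if not is_disabled(stanza):
            continue
        if name in new and new[name] != stanza:
            conflicts.append(name)
        elif name not in new:
            new[name] = dict(stanza)
    for name in drop_stanzas:
        new.pop(name, None)  # step 4: remove the malware input
    return new, conflicts


def render_conf(stanzas):
    """Serialise stanzas back into Splunk .conf syntax for writing to local/inputs.conf."""
    lines = []
    for name, kv in stanzas.items():
        lines.append(f"[{name}]")
        lines.extend(f"{k} = {v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines)
```

Inputs copied this way still carry `disabled = 1`, so step 5 remains a deliberate, separate action after you have reviewed the merged file.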

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, currently packaged as a part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons. The older add-ons are still required in order to parse stored data from unsupported versions of Symantec Antivirus and Endpoint Protection.

Last modified on 09 January, 2023