Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection
The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.
To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.
Configure monitor inputs using configuration files
- On your Windows host, open or create the %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf file.
- Without deleting anything that is already in the file, paste the following stanzas at the end of the file:

  [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
  sourcetype = symantec:ep:admin:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
  sourcetype = symantec:ep:behavior:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
  sourcetype = symantec:ep:agent:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
  sourcetype = symantec:ep:policy:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
  sourcetype = symantec:ep:scm_system:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
  sourcetype = symantec:ep:packet:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
  sourcetype = symantec:ep:proactive:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
  sourcetype = symantec:ep:risk:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
  sourcetype = symantec:ep:scan:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
  sourcetype = symantec:ep:security:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
  sourcetype = symantec:ep:agt_system:file
  disabled = false

  [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
  sourcetype = symantec:ep:traffic:file
  disabled = false

- In each stanza, replace <<path_to_temp_dump_file_directory>> with the path of your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
- Save the file.
- Restart the forwarder service.
- In Splunk Web, run the following search to make sure Splunk is ingesting data:
  sourcetype = symantec:ep
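A common reason the search above returns nothing is a stanza that still carries the placeholder, a typo in a sourcetype, or a stanza left disabled. The following script, an added example rather than code from Splunk or the add-on, renders the twelve stanzas for a given dump directory and checks an existing inputs.conf for those mistakes; the dump directory C:\sepm\data\dump used in the test is a constructed value.

```python
import re

# Dump file -> sourcetype, as listed in the twelve stanzas above.
DUMP_SOURCETYPES = {
    "scm_admin.tmp": "symantec:ep:admin:file",
    "agt_behavior.tmp": "symantec:ep:behavior:file",
    "scm_agent_act.tmp": "symantec:ep:agent:file",
    "scm_policy.tmp": "symantec:ep:policy:file",
    "scm_system.tmp": "symantec:ep:scm_system:file",
    "agt_packet.tmp": "symantec:ep:packet:file",
    "agt_proactive.tmp": "symantec:ep:proactive:file",
    "agt_risk.tmp": "symantec:ep:risk:file",
    "agt_scan.tmp": "symantec:ep:scan:file",
    "agt_security.tmp": "symantec:ep:security:file",
    "agt_system.tmp": "symantec:ep:agt_system:file",
    "agt_traffic.tmp": "symantec:ep:traffic:file",
}
PLACEHOLDER = "<<path_to_temp_dump_file_directory>>"

def render_stanzas(dump_dir):
    # Emit the stanzas from the page with dump_dir (a Windows path) in place of the placeholder.
    base = dump_dir.rstrip("\\")
    return "".join(f"[monitor://{base}\\{n}]\nsourcetype = {s}\ndisabled = false\n\n"
                   for n, s in DUMP_SOURCETYPES.items())

def check_inputs_conf(text):
    # Parse [monitor://...] stanzas; return a list of problems (empty means all dump files are covered).
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[monitor://(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            stanzas[current][key.strip().lower()] = val.strip()
    problems, covered = [], set()
    for path, kv in stanzas.items():
        if PLACEHOLDER in path:
            problems.append(f"{path}: placeholder not replaced")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DUMP_SOURCETYPES:  # other monitor stanzas in the file are ignored
            if kv.get("sourcetype") != DUMP_SOURCETYPES[name]:
                problems.append(f"{name}: sourcetype {kv.get('sourcetype')!r} should be {DUMP_SOURCETYPES[name]!r}")
            if kv.get("disabled", "false").lower() not in ("false", "0"):
                problems.append(f"{name}: stanza is disabled")
            covered.add(name)
    problems += [f"{n}: no monitor stanza" for n in DUMP_SOURCETYPES if n not in covered]
    return problems
```

Run check_inputs_conf on the contents of your local inputs.conf before restarting the forwarder; an empty list means every dump file has an enabled stanza with the expected sourcetype.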
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10