Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection
The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager. Use the deployment server to configure inputs on your deployment's forwarders.
To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.
You can configure monitor inputs using configuration files or by using Splunk Web.
Configure monitor inputs using Splunk Web
- On your data collection node, go to Settings > Data inputs > Files & directories.
- Click New.
- Click Browse and navigate to the first of the log files you want to monitor. See Source types for the Splunk Add-on for Symantec Endpoint Protection for a full list of log files.
- Click Next.
- On the Input Settings page, next to Source type, click Select.
- In the Select Source Type drop-down menu, select the Network & Security category, and then select the source type that corresponds to this log file.
- Click Review to review your input configuration.
- Click Submit.
- Repeat the above steps for each additional dump file that you want to monitor.
- Run the following search to check that you are ingesting the data that you expect:
sourcetype = symantec:ep
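The configuration-file route mentioned above produces the same monitor inputs without Splunk Web. The following inputs.conf fragment is an added example, not configuration shipped with the add-on or taken from this page: the dump-file directory, the index name and the per-file source type are assumptions (take the exact source type for each dump file from the Source types page for the add-on). Deploy it to the forwarder on the Symantec Endpoint Manager host, for example through the deployment server, and restart the forwarder.

```ini
# Added example inputs.conf for the universal forwarder on the
# Symantec Endpoint Manager host. Paths, index and sourcetype are
# placeholders/assumptions, not values from the add-on documentation.

# One monitor stanza per dump file. Replace the path with the location
# of your dump files, found in the Symantec Endpoint Protection Manager
# log export settings.
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\secevents.tmp]
# Assumed source type for the security log dump; confirm against the
# Source types page for the add-on before deploying.
sourcetype = symantec:ep:security:file
# Assumed index name; must already exist on the indexers.
index = symantec
disabled = 0

# Repeat for each additional dump file you want to monitor, pairing
# every file with its own source type from the Source types page.
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
sourcetype = symantec:ep:risk:file
index = symantec
disabled = 0
```

After the forwarder restarts, run the search shown above (scoped to the index you chose, for example `index=symantec sourcetype=symantec:ep*`) to confirm events arrive under each expected source type; a missing source type usually means the path or the export setting for that log is wrong.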
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10