Splunk® Enterprise

Add Symantec Endpoint Protection data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.

To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.

Configure monitor inputs using configuration files

  1. On your Windows host, open or create the %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf file.
  2. Without deleting anything that is already in the file, paste the following stanzas at the end of the file:
    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
    sourcetype = symantec:ep:scm_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
    sourcetype = symantec:ep:packet:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
    sourcetype = symantec:ep:proactive:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
    sourcetype = symantec:ep:risk:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
    sourcetype = symantec:ep:scan:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
    sourcetype = symantec:ep:security:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
    sourcetype = symantec:ep:agt_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
    sourcetype = symantec:ep:traffic:file
    disabled = false
    
  3. In each stanza, replace <<path_to_temp_dump_file_directory>> with the path of your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
  4. Save the file.
  5. Restart the forwarder service.
  6. In Splunk Web, run the following search to make sure Splunk is ingesting data:

    sourcetype = symantec:ep

    .
Last modified on 11 September, 2018
Configure the Symantec Endpoint Protection Manager to export your log data   Enable automatic updates to the Splunk Add-on for Symantec Endpoint Protection lookup files

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters