Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.
For documentation on the most recent version, go to the latest release.
Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection
The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.
To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.
You can configure monitor inputs using configuration files.
Configure monitor inputs using configuration files
- On your Symantec Endpoint Protection host, open or create the
%SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conffile. - Without deleting anything that is already in the file, paste the following stanzas at the end of the file:
[monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp] sourcetype = symantec:ep:admin:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp] sourcetype = symantec:ep:behavior:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp] sourcetype = symantec:ep:agent:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp] sourcetype = symantec:ep:policy:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp] sourcetype = symantec:ep:scm_system:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp] sourcetype = symantec:ep:packet:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp] sourcetype = symantec:ep:proactive:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp] sourcetype = symantec:ep:risk:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp] sourcetype = symantec:ep:scan:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp] sourcetype = symantec:ep:security:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp] sourcetype = symantec:ep:agt_system:file disabled = false [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp] sourcetype = symantec:ep:traffic:file disabled = false
- In each stanza, replace
<<path_to_temp_dump_file_directory>>with the path for your *.tmp dump files. The default directory is%SEPM_HOME%\data\dump, but your path may differ. - Save the file.
- Restart your forwarder services.
Last modified on 01 October, 2018
| Enable automatic updates to the Splunk Add-on for Symantec Endpoint Protection lookup files | Verify your SEP data |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Download manual
Feedback submitted, thanks!