Splunk® Enterprise

Add Symantec Endpoint Protection data: Single instance

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.

To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.

You can configure monitor inputs using configuration files.

Configure monitor inputs using configuration files

  1. On your Symantec Endpoint Protection host, open or create the %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf file.
  2. Without deleting anything that is already in the file, paste the following stanzas at the end of the file:
    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
    sourcetype = symantec:ep:scm_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
    sourcetype = symantec:ep:packet:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
    sourcetype = symantec:ep:proactive:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
    sourcetype = symantec:ep:risk:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
    sourcetype = symantec:ep:scan:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
    sourcetype = symantec:ep:security:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
    sourcetype = symantec:ep:agt_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
    sourcetype = symantec:ep:traffic:file
    disabled = false
    
  3. In each stanza, replace <<path_to_temp_dump_file_directory>> with the path for your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
  4. Save the file.
  5. Restart your forwarder services.
Last modified on 01 October, 2018
PREVIOUS
Enable automatic updates to the Splunk Add-on for Symantec Endpoint Protection lookup files
  NEXT
Verify your SEP data

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters