Splunk® Enterprise

Add Symantec Endpoint Protection data: Distributed deployment with indexer clustering

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.

To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.

Configure monitor inputs using configuration files

  1. On your Windows host, open or create the %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf file.
  2. Without deleting anything that is already in the file, paste the following stanzas at the end of the file:
    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
    sourcetype = symantec:ep:scm_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
    sourcetype = symantec:ep:packet:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
    sourcetype = symantec:ep:proactive:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
    sourcetype = symantec:ep:risk:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
    sourcetype = symantec:ep:scan:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
    sourcetype = symantec:ep:security:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
    sourcetype = symantec:ep:agt_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
    sourcetype = symantec:ep:traffic:file
    disabled = false
    
  3. In each stanza, replace <<path_to_temp_dump_file_directory>> with the path of your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
  4. Save the file.
  5. Restart the forwarder service.
  6. In Splunk Web, run the following search to make sure Splunk is ingesting data:

    sourcetype = symantec:ep

    .
Last modified on 11 September, 2018
PREVIOUS
Configure the Symantec Endpoint Protection Manager to export your log data
  NEXT
Enable automatic updates to the Splunk Add-on for Symantec Endpoint Protection lookup files

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters