Splunk® Enterprise

Add Symantec Endpoint Protection data: Single instance

Acrobat logo Download manual as PDF


Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Configure monitor inputs for the Splunk Add-on for Symantec Endpoint Protection

The Splunk Add-on for Symantec Endpoint Protection monitors local dump files produced by your Symantec Endpoint Manager.

To configure this input, install a universal forwarder on the machine running Symantec Endpoint Manager. You must also know the path to your Symantec Endpoint Manager dump files.

You can configure monitor inputs using configuration files.

Configure monitor inputs using configuration files

  1. On your Symantec Endpoint Protection host, open or create the %SPLUNK_HOME%\etc\apps\Splunk_TA_symantec-ep\local\inputs.conf file.
  2. Without deleting anything that is already in the file, paste the following stanzas at the end of the file:
    [monitor://<<path_to_temp_dump_file_directory>>\scm_admin.tmp]
    sourcetype = symantec:ep:admin:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_behavior.tmp]
    sourcetype = symantec:ep:behavior:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_agent_act.tmp]
    sourcetype = symantec:ep:agent:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_policy.tmp]
    sourcetype = symantec:ep:policy:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\scm_system.tmp]
    sourcetype = symantec:ep:scm_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_packet.tmp]
    sourcetype = symantec:ep:packet:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_proactive.tmp]
    sourcetype = symantec:ep:proactive:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_risk.tmp]
    sourcetype = symantec:ep:risk:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_scan.tmp]
    sourcetype = symantec:ep:scan:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_security.tmp]
    sourcetype = symantec:ep:security:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_system.tmp]
    sourcetype = symantec:ep:agt_system:file
    disabled = false
    
    [monitor://<<path_to_temp_dump_file_directory>>\agt_traffic.tmp]
    sourcetype = symantec:ep:traffic:file
    disabled = false
    
  3. In each stanza, replace <<path_to_temp_dump_file_directory>> with the path for your *.tmp dump files. The default directory is %SEPM_HOME%\data\dump, but your path may differ.
  4. Save the file.
  5. Restart your forwarder services.
Last modified on 01 October, 2018
PREVIOUS
Enable automatic updates to the Splunk Add-on for Symantec Endpoint Protection lookup files
  NEXT
Verify your SEP data

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters