Splunk® Enterprise

Add Symantec Endpoint Protection data: Single instance


Install the Splunk universal forwarder on your Symantec Endpoint Protection host

To forward your data into your Splunk Enterprise deployment, install the Splunk universal forwarder on your Symantec Endpoint Protection host.

Install the universal forwarder on Windows

Install the universal forwarder on Windows as follows:

  • Install the universal forwarder in \Program Files\SplunkUniversalForwarder on the system drive, which is the drive that boots your Windows host.
  • Install the universal forwarder with the default management port of TCP/8089.
  • Configure the universal forwarder to run as the Local System user.
  • Create a Splunk administrator password.
  • Enable the Application, System, and Security Windows Event Log data inputs.

Install the forwarder on Windows with the default options

  1. Download the universal forwarder from splunk.com.
  2. Double-click the MSI file to start the installation.
  3. To view the license agreement, click the View License Agreement button.
  4. Select the Check this box to accept the License Agreement check box.
  5. To change any of the default installation settings, click the Customize Options button. Otherwise, click Install to install the software with the defaults.

    Perform at least one of the following two steps. Otherwise, the universal forwarder cannot send data anywhere:

  6. (Optional) In the Deployment Server pane, enter a host name or IP address and management port for the deployment server that you want the universal forwarder to connect to, and click Next.
  7. (Optional) In the Receiving Indexer pane, enter a host name or IP address and the receiving port for the receiving indexer that you want the universal forwarder to send data to, and click Next.
  8. Click Install to proceed. The installer runs and displays the Installation Completed dialog. The universal forwarder starts automatically.
  9. From the Control Panel, confirm that the SplunkForwarder service runs.

Install with customized options

When you choose to customize options in the universal forwarder setup dialog box, the installer presents you with the following options:

  1. (Optional) Click Change to specify a different installation directory.
  2. (Optional) Select an SSL certificate to verify the identity of this machine. Depending on your certificate requirements, you might need to specify a password and a Root Certificate Authority (CA) certificate to verify the identity of the certificate. Otherwise, leave these fields blank.
  3. Select the Local System or Domain Account check box and click Next. If you specify Local System, the installer displays the Enable Windows Inputs dialog box. If you specify Domain Account, the installer displays a second dialog box where you enter your domain and user information.
  4. If you selected Domain Account, the installer displays a dialog box with user name and password credentials. Enter the user name and password into the User name and Password fields. Specify the user name in domain\username format only.
  5. Enter the password again in the Confirm password field.
  6. To add the domain user you specified to the local Administrators group, select Add user as local administrator and click Next. The installer adds the domain user you specified to the local Administrators group.
  7. (Optional) Select one or more Windows inputs from the list and click Next.
  8. Create a password for the Splunk admin user and click Next.
  9. (Optional) Enter the hostname or IP address and management port for your deployment server and click Next.
  10. (Optional) Enter the hostname or IP address and receiving port and click Next.
  11. Click Install.

Considerations for enabling data inputs in the installer

If you enable data inputs in the Enable Inputs dialog box when installing the universal forwarder, the installer also installs the Splunk Add-on for Windows. It saves the configuration that enables those inputs into the add-on. This configuration includes index definitions.

This means that the receiving indexer that this forwarder sends data to must already have the following indexes defined:

  • perfmon for Performance Monitoring inputs.
  • windows for generic Windows inputs.
  • wineventlog for Windows Event Log inputs.

By default, indexers do not have these indexes defined. Either define the indexes before performing a universal forwarder installation, or install the Splunk Add-on for Windows onto the indexer.

Information on Windows third-party binaries that ship with the universal forwarder

For information on third-party Windows binaries provided with the Windows version of the universal forwarder, see the Information on Windows third-party binaries distributed with Splunk Enterprise topic in the Splunk Enterprise Installation Manual.

Install a universal forwarder with Linux

To install a universal forwarder and connect it to your Splunk platform deployment using Linux, perform the following steps:

  1. Download the Splunk universal forwarder for Linux.
  2. Install the universal forwarder.
  3. Start the universal forwarder.
  4. Configure the universal forwarder.
  5. Enable forwarder management in Splunk Web.

Download the universal forwarder

  1. Download the Splunk universal forwarder.
  2. Choose the platform installation package that applies to your operating system.
  3. Click Download Now.
  4. Read and agree to the Splunk Software License Agreement.
  5. Click Start Your Download Now.
  6. Move the downloaded package to the directory where you want to install the universal forwarder.

Install the universal forwarder

Install the universal forwarder on the computer that contains or has access to the data that you want to collect and forward to your Splunk Enterprise instance. To install the universal forwarder on a different computer, copy the universal forwarder package file to that machine before you perform this task. The universal forwarder installs by default in the splunkforwarder directory.

To install in a specific directory, either change directories to where you want to install the forwarder, or place the tar file in that directory before you run the tar command.

  • To expand the tar file into the current working directory using the tar command (the archive creates a splunkforwarder subdirectory there), run the following command:
tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz
  • To install into /opt/splunkforwarder, run the following command:
tar xvzf splunkforwarder-<…>-Linux-x86_64.tgz -C /opt

Start the universal forwarder

Start the universal forwarder so that it can take configurations and forward data.

  1. Start the universal forwarder:
    cd $SPLUNK_HOME/bin
    ./splunk start

    When you start the forwarder for the first time, it prompts you to create an admin password:

    This appears to be your first time running this version of Splunk.
    An Admin password must be set before installation proceeds.
    Password must contain at least:
    * 8 total printable ASCII character(s).
    Please enter a new password:
  2. The forwarder presents the license agreement. To accept the license agreement without reviewing it, run the following command:
    cd $SPLUNK_HOME/bin
    ./splunk start --accept-license
  3. To confirm that the forwarder is running, run the status command:
    cd $SPLUNK_HOME/bin
    ./splunk status
  4. Restart the universal forwarder:
    cd $SPLUNK_HOME/bin
    ./splunk restart

Configure the universal forwarder to connect to the receiving port

From a shell or command prompt on the forwarder, run the following command:

./splunk add forward-server <host name or ip address>:<listening port>

For example, to connect to a receiver with the hostname idx1.mycompany.com that listens on port 9997 for forwarders, type this command:

./splunk add forward-server idx1.mycompany.com:9997
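
As an added example (not from the Splunk documentation), the Linux procedure above, from expanding the tarball through connecting to the receiving indexer, as a non-interactive script. It assumes the tarball and the .sha512 checksum file published beside it are in the working directory (VERSION in the file name is a placeholder), the install path /opt/splunkforwarder, and the receiver idx1.mycompany.com:9997 from the example above; the admin password is seeded through user-seed.conf so the first start does not prompt for it.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Assumes the tarball and its .sha512
# file sit in the working directory; VERSION is a placeholder for the release.
# DRY_RUN=1 prints each command instead of running it.
TARBALL="${TARBALL:-splunkforwarder-VERSION-Linux-x86_64.tgz}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
RECEIVER="${RECEIVER:-idx1.mycompany.com:9997}"   # <host name or ip address>:<listening port>

run() {   # print the command in dry-run mode, otherwise execute it
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

valid_receiver() {   # accept only host:port (host name or IPv4) with a TCP port in 1..65535
  host="${1%%:*}"; port="${1##*:}"
  if [ -z "$host" ] || [ "$host" = "$1" ]; then return 1; fi
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
  return 0
}

uf_install() {
  if ! valid_receiver "$RECEIVER"; then
    echo "RECEIVER must be host:port, got '$RECEIVER'" >&2; return 1
  fi
  if [ -z "${ADMIN_PASSWORD:-}" ]; then
    echo "set ADMIN_PASSWORD (at least 8 printable ASCII characters)" >&2; return 1
  fi
  # Verify the download against the published checksum before expanding it.
  run sha512sum -c "$TARBALL.sha512"
  # Expand into the parent of SPLUNK_HOME; the archive creates splunkforwarder/.
  run tar xzf "$TARBALL" -C "$(dirname "$SPLUNK_HOME")"
  # Seed the admin password so the first start does not prompt for one.
  run mkdir -p "$SPLUNK_HOME/etc/system/local"
  if [ "${DRY_RUN:-0}" != "1" ]; then
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$ADMIN_PASSWORD" \
      > "$SPLUNK_HOME/etc/system/local/user-seed.conf"
  fi
  run "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  run "$SPLUNK_HOME/bin/splunk" add forward-server "$RECEIVER" \
      -auth "admin:$ADMIN_PASSWORD"
  run "$SPLUNK_HOME/bin/splunk" restart
  run "$SPLUNK_HOME/bin/splunk" status
  run "$SPLUNK_HOME/bin/splunk" list forward-server -auth "admin:$ADMIN_PASSWORD"
}

if [ "${UF_AUTORUN:-0}" = "1" ]; then uf_install; fi
```

Run it with UF_AUTORUN=1 and ADMIN_PASSWORD set; the final list forward-server call confirms that outputs.conf points at the receiver you configured.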
Last modified on 24 August, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9
