All Apps and Add-ons

Symantec12 APP

calbree
New Member

Hi,
I am a little confused on the installation instructions for the Splunk app for Symantec. I am trying to forward the logs using a universal forwarder installed on the SEP console. I wish to use the monitor option versus syslog. The steps indicate the APP and TA are installed on the indexer, but I feel this should be installed on the universal forwarder to monitor the SEP directories. If the TA is installed on the indexer, what needs to be configured on the universal forwarder?

1 Solution

o_calmels
Communicator

Hi, on your SEPM server, install the universal forwarder.
On this install, configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s). Mine looks like this:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\default\inputs.conf.local to inputs.conf.

  3. Then, modify your new inputs.conf so that each monitor block points to the log directory on your SEPM server (the default directory for these files in SEP12 is Symantec Endpoint Protection Manager\data\dump). Mine looks like this (be careful with the index name: it must be the same one you define in the app configuration):

    # A default listener
    [udp:516]
    sourcetype=sep
    # Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
    # searchable with sourcetype of sep is an error

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]
    source = agt_packet.tmp
    sourcetype = sep12:packet
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index=symantec

Cheers.

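As an added example (not code from this thread or from the Symantec app), a small Python check that parses an inputs.conf of the shape shown above, flags monitor stanzas whose index does not match the index configured in the app, and flags dump files that are missing or have not been written for a day, since a stale dump directory means nothing reaches the index no matter how correct the stanzas are. The sample inputs.conf, the paths and the mistyped index are constructed for illustration; run it on the SEPM host without the mtimes argument to stat the real files.

```python
import os
import time

# Constructed sample (not the TA's file) modelled on the inputs.conf above; the second monitor stanza mistypes the index.
DUMP_DIR = r"D:\Symantec Endpoint Protection Manager\data\dump"
ADMIN_TMP = DUMP_DIR + r"\scm_admin.tmp"
RISK_TMP = DUMP_DIR + r"\agt_risk.tmp"
SAMPLE_INPUTS_CONF = f"""# A default listener
[udp:516]
sourcetype=sep
[monitor://{ADMIN_TMP}]
sourcetype = sep12:admin
index=symantec
[monitor://{RISK_TMP}]
sourcetype = sep12:risk
index=symantecc
"""

def parse_inputs_conf(text):
    """Return a list of (stanza_name, settings) pairs in file order."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def check_monitor_stanzas(stanzas, expected_index, max_age=86400, now=None, mtimes=None):
    """Return (stanza, problem) pairs; mtimes={path: epoch} allows an offline run."""
    now = time.time() if now is None else now
    problems = []
    for name, settings in stanzas:
        if not name.startswith("monitor://"):
            continue  # udp/tcp listeners have no file to check
        path = name[len("monitor://"):]
        if settings.get("index") != expected_index:
            problems.append((name, "index does not match the app's index %r" % expected_index))
        mtime = (mtimes or {}).get(path)  # offline: use the supplied mtimes
        if mtimes is None and os.path.isfile(path):
            mtime = os.path.getmtime(path)  # on the SEPM host: stat the real dump file
        if mtime is None:
            problems.append((name, "dump file not found"))
        elif now - mtime > max_age:
            problems.append((name, "dump file stale: %d h old" % ((now - mtime) // 3600)))
    return problems
```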

calbree
New Member

Thank you for your response. I initially thought the issue was syntax related since our SEP dump folder is in the Program Files (x86) directory. However, a closer look revealed the files within the dump folder are all old. I will work with our Symantec admin to figure out why. In the meantime, I may look at using syslog.
