All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec12 APP

calbree
New Member
‎12-22-2014 08:23 PM

Hi,
I am a little confused on the installation instructions for the Splunk app for Symantec. I am trying to forward the logs using a universal forwarder installed on the SEP console. I wish to use the monitor option versus syslog. The steps indicate the APP and TA are installed on the indexer, but I feel this should be installed on the universal forwarder to monitor the SEP directories. If the TA is installed on the indexer, what needs to be configured on the universal forwarder?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎01-06-2015 01:08 AM

Hi, on your SEPM server, install the universal forwarder
On this install,
Configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s) Mine look like this:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA Under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\defaukt\inputs.conf.local to inputs.conf Modify

  3. Then, modify your new inputs.conf to fit to your log directory on your SEPM files upon each monitor block (default directory in SEP12 for files is Symantec Endpoint Protection Manager\data\dump) Mine looks like this (be carefull of the index name, it must be the same that you define in the app configuration):

    A default listener

    [udp:516]

    sourcetype=sep

    Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything

    searchable with sourectype of sep is an error

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]

    source = agt_packet.tmp

    sourcetype = sep12:packet

    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index=symantec

Cheers.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

calbree
New Member
‎01-11-2015 04:47 PM

Thank you for your response. I initially thought the issue was syntax related since our SEP dump folder is in the program files x86 directory. However, a closer look revealed the files within the dump folder are all old. I will work with our Symantec admin to figure out why. In the meantime, I'll may look to using syslog.

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎01-06-2015 01:08 AM

Hi, on your SEPM server, install the universal forwarder
On this install,
Configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s) Mine look like this:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA Under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\defaukt\inputs.conf.local to inputs.conf Modify

  3. Then, modify your new inputs.conf to fit to your log directory on your SEPM files upon each monitor block (default directory in SEP12 for files is Symantec Endpoint Protection Manager\data\dump) Mine looks like this (be carefull of the index name, it must be the same that you define in the app configuration):

    A default listener

    [udp:516]

    sourcetype=sep

    Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything

    searchable with sourectype of sep is an error

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]

    source = agt_packet.tmp

    sourcetype = sep12:packet

    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index=symantec

Cheers.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...