All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec12 APP

calbree
New Member
‎12-22-2014 08:23 PM

Hi,
I am a little confused on the installation instructions for the Splunk app for Symantec. I am trying to forward the logs using a universal forwarder installed on the SEP console. I wish to use the monitor option versus syslog. The steps indicate the APP and TA are installed on the indexer, but I feel this should be installed on the universal forwarder to monitor the SEP directories. If the TA is installed on the indexer, what needs to be configured on the universal forwarder?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎01-06-2015 01:08 AM

Hi, on your SEPM server, install the universal forwarder
On this install,
Configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s) Mine look like this:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA Under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\defaukt\inputs.conf.local to inputs.conf Modify

  3. Then, modify your new inputs.conf to fit to your log directory on your SEPM files upon each monitor block (default directory in SEP12 for files is Symantec Endpoint Protection Manager\data\dump) Mine looks like this (be carefull of the index name, it must be the same that you define in the app configuration):

    A default listener

    [udp:516]

    sourcetype=sep

    Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything

    searchable with sourectype of sep is an error

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]

    source = agt_packet.tmp

    sourcetype = sep12:packet

    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index=symantec

Cheers.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

calbree
New Member
‎01-11-2015 04:47 PM

Thank you for your response. I initially thought the issue was syntax related since our SEP dump folder is in the program files x86 directory. However, a closer look revealed the files within the dump folder are all old. I will work with our Symantec admin to figure out why. In the meantime, I'll may look to using syslog.

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎01-06-2015 01:08 AM

Hi, on your SEPM server, install the universal forwarder
On this install,
Configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s) Mine look like this:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA Under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\defaukt\inputs.conf.local to inputs.conf Modify

  3. Then, modify your new inputs.conf to fit to your log directory on your SEPM files upon each monitor block (default directory in SEP12 for files is Symantec Endpoint Protection Manager\data\dump) Mine looks like this (be carefull of the index name, it must be the same that you define in the app configuration):

    A default listener

    [udp:516]

    sourcetype=sep

    Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything

    searchable with sourectype of sep is an error

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]

    source = agt_packet.tmp

    sourcetype = sep12:packet

    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index=symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index=symantec

Cheers.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...