Hi,
I am a little confused on the installation instructions for the Splunk app for Symantec. I am trying to forward the logs using a universal forwarder installed on the SEP console. I wish to use the monitor option versus syslog. The steps indicate the APP and TA are installed on the indexer, but I feel this should be installed on the universal forwarder to monitor the SEP directories. If the TA is installed on the indexer, what needs to be configured on the universal forwarder?
Hi, on your SEPM server, install the universal forwarder
On this install,
Configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s). Mine looks like this:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997
[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]
Then, for the Symantec part:
Copy the TA Under
$InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12
Rename the file TA-sepapp12\default\inputs.conf.local to inputs.conf.
Then, modify your new inputs.conf so that each monitor block fits the log directory on your SEPM (the default directory for these files in SEP12 is Symantec Endpoint Protection Manager\data\dump). Mine looks like this (be careful with the index name; it must be the same one you define in the app configuration):
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
sourcetype = sep12:admin
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
sourcetype = sep12:behavior
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
sourcetype = sep12:agt_system
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
sourcetype = sep12:policy
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
sourcetype = sep12:system
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
sourcetype = sep12:proactive
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
sourcetype = sep12:risk
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
sourcetype = sep12:scan
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
sourcetype = sep12:ids
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
sourcetype = sep12:scm_system
index=symantec
[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
sourcetype = sep12:traffic
index=symantec
Cheers.
Thank you for your response. I initially thought the issue was syntax related since our SEP dump folder is in the program files x86 directory. However, a closer look revealed the files within the dump folder are all old. I will work with our Symantec admin to figure out why. In the meantime, I may look to using syslog.
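A quick sanity check for the monitor stanzas above, added here as an example and not part of the original posts: it parses the [monitor://...] blocks from an inputs.conf, flags any stanza whose index does not match the app's index, and reports files that are missing (wrong drive letter or Program Files (x86) path) or whose last-modified time is stale, which is the symptom described in the follow-up. The sample inputs.conf and the 1-day staleness threshold are constructed for the example.

```python
"""Check SEPM monitor stanzas from a Splunk universal-forwarder inputs.conf."""
import os
import re
import time

# Constructed sample in the same shape as the answer's inputs.conf
# (the second stanza deliberately uses a mismatched index).
SAMPLE_INPUTS_CONF = """
[monitor://D:\\Symantec Endpoint Protection Manager\\data\\dump\\scm_admin.tmp]
sourcetype = sep12:admin
index=symantec
[monitor://D:\\Symantec Endpoint Protection Manager\\data\\dump\\agt_risk.tmp]
sourcetype = sep12:risk
index=sep
"""

STANZA_RE = re.compile(r"^\[monitor://(.+)\]$")


def parse_monitor_stanzas(text):
    """Return a list of (path, {key: value}) for each [monitor://...] stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = (match.group(1), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def check_stanzas(stanzas, expected_index, max_age_days=1, now=None, mtime_of=os.path.getmtime):
    """Return (path, finding) pairs: index mismatch, bad sourcetype, missing or stale file."""
    now = time.time() if now is None else now
    findings = []
    for path, keys in stanzas:
        if keys.get("index") != expected_index:
            findings.append((path, "index %r != app index %r" % (keys.get("index"), expected_index)))
        if not keys.get("sourcetype", "").startswith("sep12:"):
            findings.append((path, "unexpected sourcetype %r" % keys.get("sourcetype")))
        try:
            age_days = (now - mtime_of(path)) / 86400
        except OSError:
            findings.append((path, "file not found (check drive letter / Program Files (x86) path)"))
            continue
        if age_days > max_age_days:
            findings.append((path, "last modified %.0f days ago; SEPM may not be dumping logs" % age_days))
    return findings
```

Run it on the SEPM host with the real file contents and the index you configured in the app; any "file not found" or "last modified N days ago" finding means the forwarder has nothing current to send.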