Symantec12 APP

calbree
New Member

Hi,
I am a little confused on the installation instructions for the Splunk app for Symantec. I am trying to forward the logs using a universal forwarder installed on the SEP console. I wish to use the monitor option versus syslog. The steps indicate the APP and TA are installed on the indexer, but I feel this should be installed on the universal forwarder to monitor the SEP directories. If the TA is installed on the indexer, what needs to be configured on the universal forwarder?


o_calmels
Communicator

Hi, on your SEPM server, install the universal forwarder. On this install, configure the file SplunkUniversalForwarder\etc\system\local to send data to your indexer(s). Mine looks like this:

# outputs.conf: forward to both indexers, load-balanced
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.20:9997,192.168.1.21:9997

[tcpout-server://192.168.1.20:9997]
[tcpout-server://192.168.1.21:9997]

Then, for the Symantec part:

  1. Copy the TA under
    $InstallPath\SplunkUniversalForwarder\etc\apps\TA-sepapp12

  2. Rename the file TA-sepapp12\default\inputs.conf.local to inputs.conf

  3. Then, modify your new inputs.conf to fit your log directory on your SEPM files in each monitor block (the default directory in SEP12 for these files is Symantec Endpoint Protection Manager\data\dump). Mine looks like this (be careful of the index name; it must be the same as the one you define in the app configuration):

    # A default listener
    [udp:516]
    sourcetype = sep
    # Leave as sep; subsequent transforms will revise to the correct sub-sourcetype. Anything
    # searchable with a sourcetype of sep is an error.

    # One monitor stanza per SEPM dump file; adjust the drive and path to your install
    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
    sourcetype = sep12:admin
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
    sourcetype = sep12:behavior
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_agent_act.tmp]
    sourcetype = sep12:agt_system
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_policy.tmp]
    sourcetype = sep12:policy
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_system.tmp]
    sourcetype = sep12:system
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_packet.tmp]
    source = agt_packet.tmp
    sourcetype = sep12:packet
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_proactive.tmp]
    sourcetype = sep12:proactive
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
    sourcetype = sep12:risk
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
    sourcetype = sep12:scan
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
    sourcetype = sep12:ids
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_system.tmp]
    sourcetype = sep12:scm_system
    index = symantec

    [monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
    sourcetype = sep12:traffic
    index = symantec

Cheers.

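The index-name pitfall the answer warns about can be caught before restarting the forwarder. This is an added example, not code from the original post or from the TA: a small Python lint that parses an inputs.conf in the layout above and flags monitor stanzas whose index or sourcetype does not match, plus a listener that sets no index. The conf it checks is constructed, with one deliberately mistyped index.

```python
"""Lint a Splunk inputs.conf for the SEP12 TA (added example, not the TA's code)."""
import re
EXPECTED_INDEX = "symantec"  # must match the index chosen in the app configuration
SOURCETYPE_RE = re.compile(r"^sep12:[a-z_]+$")

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint_inputs(text, expected_index=EXPECTED_INDEX):
    """Return (stanza, problem) pairs; an empty list means the file passes."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        if stanza.startswith("monitor://"):
            if kv.get("index") != expected_index:
                findings.append((stanza, f"index {kv.get('index')!r}, expected {expected_index!r}"))
            if not SOURCETYPE_RE.match(kv.get("sourcetype", "")):
                findings.append((stanza, f"sourcetype {kv.get('sourcetype')!r} is not sep12:*"))
        elif stanza.startswith("udp:") and "index" not in kv:
            findings.append((stanza, "listener sets no index; events go to the default index"))
    return findings

# Constructed sample: the listener plus two monitor stanzas, one with a mistyped index.
SAMPLE_INPUTS = r"""
# A default listener
[udp:516]
sourcetype = sep

[monitor://D:\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
sourcetype = sep12:admin
index = symantec

[monitor://D:\Symantec Endpoint Protection Manager\data\dump\agt_scan.tmp]
sourcetype = sep12:scan
index = symantec_typo
"""
if __name__ == "__main__":
    for stanza, problem in lint_inputs(SAMPLE_INPUTS):
        print(f"{stanza}: {problem}")
```

Point it at the real file with `lint_inputs(open(path).read())` and expect an empty list once every stanza carries the index chosen during app setup.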

calbree
New Member

Thank you for your response. I initially thought the issue was syntax related, since our SEP dump folder is in the Program Files (x86) directory. However, a closer look revealed the files within the dump folder are all old. I will work with our Symantec admin to figure out why. In the meantime, I may look at using syslog.
