Splunk Search

How to retrieve data from Symantec Endpoint Protection

johnbenayun
New Member

Hi,

Does anyone know how to get data from the Symantec Endpoint Protection server, so the "Symantec Endpoint Protection Reporting" app will work?

Best regards & Thanks, John.


imarks004
Path Finder

From the SEP management console, click on Admin, then select Local Site. You should then see an option for Configure External Logging. From the Configure External Logging option you should be able to specify a syslog server or send directly to your Splunk server.

Brian_Osburn
Builder

Did you set it up to send it to the Splunk machine itself or just to a flat file?

I found it easier to set up Splunk to listen on a port (I used 42096) and configure Symantec to talk to the server (in my case, plsplunk01:42096).

Brian


johnbenayun
New Member

Great, that worked; now the files are created.
Now I need to get Splunk to read them (they are not on the same machine).
Anyone?


o_calmels
Communicator

Hi, you've got two solutions:
- Tell SEPM to send logs to a syslog server, this server being your Splunk instance (be careful if your instance is distributed and you are using a universal forwarder: the sourcetype association will not work properly, because the universal forwarder doesn't modify any data, it just forwards it to the indexers).
- So the second solution is to install a universal forwarder on your SEPM server directly, install the Splunk for Symantec TA on it, and configure props.conf to match each file created by SEPM.

Cheers,
Olivier

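For reference, the two setups discussed in this thread as Splunk configuration stanzas. This is an added example and not configuration from the thread, from Splunk, or from the Symantec add-on: the listening port is the one Brian used, but the index name, the SEPM dump directory, the dump file names and the sourcetype names are assumptions and must be checked against your SEPM installation and the README of the add-on you install.

```ini
# --- Option 1: Splunk listens on a TCP port, SEPM External Logging sends to it ---
# inputs.conf on the Splunk instance (indexer, or heavy forwarder) that SEPM talks to.
# Port 42096 is the one Brian used; "sep" is an assumed index name.
# Everything SEPM sends arrives on one port, so per-log-type sourcetypes have to be
# assigned on this instance (props.conf/transforms.conf from the add-on); a universal
# forwarder in between would not apply them.
[tcp://42096]
sourcetype = symantec:ep:syslog
index = sep
connection_host = ip
disabled = 0

# --- Option 2: universal forwarder on the SEPM host monitors the dump files ---
# inputs.conf on the universal forwarder installed on the SEPM server.
# Directory, file names and sourcetype names are assumptions: confirm them against
# the SEPM "Configure External Logging" dump location and the add-on's documentation.
# One stanza per file, so each SEPM log type gets its own sourcetype at input time.
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_risk.tmp]
sourcetype = symantec:ep:risk:file
index = sep
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_security.tmp]
sourcetype = symantec:ep:security:file
index = sep
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
sourcetype = symantec:ep:traffic:file
index = sep
disabled = 0

[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
sourcetype = symantec:ep:admin:file
index = sep
disabled = 0
```

Restart splunkd after editing inputs.conf. The same sourcetype names must exist in the props.conf of the add-on on the search head and indexers for the reporting app's field extractions to apply, and the target index has to be created before data is sent to it.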