Getting Data In

Symantec 14.0 and Splunk 7.0.0 (splunkd) not playing well together

aoleske
Path Finder

Good afternoon,
I have a problem with Symantec 14.0 and splunk 7 Universal Forwarder not playing well together. Whenever the forwarder is running, Symantic use goes to 99% for every 10 seconds out of 60. This has killed our performance on the production servers. Let me know what information you might need and I can post it. Thank you!

0 Karma
1 Solution

MuS
Legend

Hi aoleske,

please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

MuS
Legend

Hi aoleske,

please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

0 Karma

aoleske
Path Finder

I forgot to come back and accept the answer. Thanks for the reminder! 🙂 this took care of the issue.
We are seeing the issue with Splunk 6.X and 7.X where we are running Symantec 14.X. We are not seeing the issue where we are running Symantec 12.X, but your mileage may vary. After reading the doc MuS pointed us to, we made an exception for the $SPLUNK_HOME dir in Symantec and the CPU load has returned to normal. Thanks MuS!

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @aoleske, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a golden answer. We’re hosting a karma point contest, so it’s particularly awesome to up vote on the forum these days. 😄

0 Karma

aoleske
Path Finder

we are seeing these symptoms on servers with no add-ons and only the splunk internal logs being collected. This is a basic install of the UF with only defaults used (Except for defining our splunk server name). We are using the default ports of 9997 and 8089. We are running as local system. The deployment server sees the client, and we are collecting splunk internal logs, so all appears to be running correctly.

0 Karma

aoleske
Path Finder

This is Symantec End Point Protection, not the add-on.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...