Splunk Cloud

Symantec email security.cloud to Splunk Cloud

cnuguri_ncc
Explorer

Hello,

I am looking to onboard Symantec email security.cloud  data to Splunk cloud, but the add-on seems not compatible/available on Splunk Cloud ( https://splunkbase.splunk.com/app/3830/ ), could someone please advise if there is another way ? 

I suppose using an on-prem HF for the add-on and forward data Splunk could work, although trying to avoid on-prem components if it is possible to onboard directly from IDM.

Thanks in advance.
Chaith

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The standard practice for onboarding data when a TA cannot be installed in Splunk Cloud is to use an on-prem heavy forwarder.

---
If this reply helps you, an upvote would be appreciated.

cnuguri_ncc
Explorer

Thanks @richgalloway 👍

I was hoping to hear that Symantec supports HEC or another way of forwarding logs, before taking the on-prem HF route. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

AFAIK, Symantec does not support HEC, but you could write your own program/script that reads Symantec data and converts it to HEC.

---
If this reply helps you, an upvote would be appreciated.