Supported Products: Symantec Endpoint Protection 11 & 12
This app works on Splunk 4.3.x and 5.x
For setup help or any questions, please post them to answers.splunk.com
and tag them with SplunkforSymantec.
After downloading the app and going through the setup process, you still need to install either the Symantec 11 Technology Add-on (TA) or the Symantec 12 Technology Add-on. If you are currently running both products, install both TAs. They are included with this app in the appserver/addons directory. On a single-server Splunk instance, the TAs live on the same server as the app. In a distributed deployment, the TAs go on the indexers and the app goes on the search heads.
Data can be received via syslog or by monitoring the SEP log files on the SEP Manager. To receive data over syslog, manually set the sourcetype of the associated data input to 'sep11:log' or 'sep12:log', matching the product version that sends the logs. To monitor the files directly, install a Splunk Universal Forwarder on the SEP Manager server, set the log file location in its inputs.conf, and enable the associated file inputs. An example inputs.conf is provided in the app's default directory as inputs.conf.local. The default path in it assumes that the SEP Manager is installed in C:\Program Files\Symantec\Symantec Endpoint Protection Manager; edit this path if your SEP Manager is installed elsewhere.
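The following inputs.conf stanzas are an added example of the two ingestion paths described above, not the inputs.conf.local shipped with the app. The UDP port (514), the index name (symantec), the SEP Manager IP address (10.0.0.5) and the data\dump\*.tmp file pattern are assumptions for illustration; take the real file list from inputs.conf.local and the port from the external-logging settings on your SEP Manager.

```ini
# --- Stanza 1: syslog receiver ---------------------------------------------
# Place on the indexer (or heavy forwarder) that the SEP Manager sends syslog to.
# Port 514 and the index name are assumed for this example.
[udp://514]
sourcetype = sep12:log
index = symantec
# Record the sender's IP rather than a reverse-DNS name so the host field
# cannot be influenced by DNS.
connection_host = ip
# Syslog over UDP carries no authentication, so restrict the listener to the
# SEP Manager's address (assumed 10.0.0.5) and mirror the rule on the host firewall.
acceptFrom = 10.0.0.5

# --- Stanza 2: direct file monitoring --------------------------------------
# Place on the Universal Forwarder installed on the SEP Manager itself.
# Default install path is the one the app assumes; the data\dump\*.tmp pattern
# is an assumption here - confirm it against the app's inputs.conf.local.
[monitor://C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump\*.tmp]
sourcetype = sep12:log
index = symantec
disabled = 0
```

Use sep11:log instead of sep12:log for a SEP 11 Manager. Monitoring the files directly avoids the lossy, unauthenticated UDP path altogether; if you must use syslog, keep the acceptFrom restriction and a matching firewall rule so arbitrary hosts cannot inject events under the SEP sourcetype.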
Updated support information
Fixed a bug in transforms.conf that caused field extractions not to work when the indexer and search head are separate systems.
Fixed a bug in the sep11 agent logs and adopted a more consistent vocabulary across the app.
1.0 Release of the Splunk for Symantec app
Fixed a bug in the TAs where sourcetypes for traffic logs were mislabeled as behavior.
Support for SEP 12