The Splunk Add-on for Symantec Endpoint Protection (SEP) allows a Splunk platform administrator to collect data from Symantec Endpoint Protection Manager (SEPM) external logging dump files agt_security.log and agt_risk.log. After the events are indexed, the data can be consumed using Splunk's pre-built dashboard panels, which are included with the add-on. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
After an upgrade to SEPM 14.2 RU1 (14.2.3332.1000), the Splunk Add-on for Symantec Endpoint Protection misindexes the dump files.
In 14.2 RU1, the external logging of agt_risk.log and agt_security.log was restructured:
This change is by design. Please check with the vendor for instructions on performing these modifications.