
Upgrade the Splunk Add-on for Symantec Endpoint Protection to 3.1.0 or later

  1. Disable your existing Symantec EP 3.0.1 inputs.
  2. Upgrade the Splunk Add-on for Symantec Endpoint Protection from 3.0.1 to 3.1.0 or later.
  3. If you have configured the TA-Symantec-EP-Syslog and Symantec EP 3.0.1 add-ons in the same environment:

    a. Disable the TA-Symantec-EP-Syslog add-on.

    b. Stop the Splunk instance.

    c. Copy your disabled input stanzas from $SPLUNK_HOME/etc/apps/TA-Symantec-EP-Syslog/local/inputs.conf into $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/local/inputs.conf.

  4. Remove the malware input of the Symantec EP add-on from $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/local/inputs.conf.

  5. Enable your inputs.
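The file edits behind steps 3c, 4 and 5, as an added example that is not part of Splunk's documentation or of the add-on's own code: POSIX sh/awk helpers that merge the stanzas of one inputs.conf into another, delete one stanza by name and set `disabled = 0` on the rest, followed by a demo on two constructed files standing in for the two local/inputs.conf files. Every stanza name, sourcetype and path in the demo is a constructed placeholder, and the name of the malware input stanza is passed in as an argument because its real name comes from your own inputs.conf, not from this page.

```shell
#!/bin/sh
# Added example, not Splunk's or the add-on's code. Edits two inputs.conf
# files the way steps 3c, 4 and 5 describe. All stanza names, sourcetypes
# and paths used in demo() are constructed; use your own.

# Print every stanza name ([...] header) in a .conf file.
list_stanzas() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Print one stanza: its header and every line up to the next header.
get_stanza() {
    awk -v want="[$2]" '/^\[/ { inside = ($0 == want) } inside { print }' "$1"
}

# Delete one stanza (header and body) from a .conf file, in place.
remove_stanza() {
    tmp="$1.tmp.$$"
    awk -v drop="[$2]" '/^\[/ { skip = ($0 == drop) } !skip { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Set "key = value" inside one stanza: replace an existing key line, or add
# the line at the end of the stanza body, ahead of its trailing blank lines.
set_stanza_key() {
    tmp="$1.tmp.$$"
    awk -v want="[$2]" -v key="$3" -v val="$4" '
        function flush() { while (pending > 0) { print ""; pending-- } }
        /^\[/ {
            if (inside && !done) { print key " = " val; done = 1 }
            flush(); inside = ($0 == want); print; next
        }
        inside && /^[ \t]*$/ { pending++; next }
        inside { flush() }
        inside && $0 ~ ("^" key "[ \t]*=") { print key " = " val; done = 1; next }
        { print }
        END { if (inside && !done) print key " = " val; flush() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 3c: copy every stanza of SRC that DST does not already define. A stanza
# present in both files is reported and left alone, so the two definitions get
# reconciled by hand instead of silently becoming a duplicate stanza.
merge_stanzas() {
    src="$1"; dst="$2"
    stanzas=$(list_stanzas "$src")
    printf '%s\n' "$stanzas" | while IFS= read -r s; do
        [ -n "$s" ] || continue
        if grep -Fxq "[$s]" "$dst"; then
            echo "merge: [$s] already in $dst, left untouched" >&2
        else
            printf '\n' >> "$dst"
            get_stanza "$src" "$s" >> "$dst"
        fi
    done
}

# Step 5: set disabled = 0 on every stanza in the file.
enable_all_inputs() {
    stanzas=$(list_stanzas "$1")
    printf '%s\n' "$stanzas" | while IFS= read -r s; do
        [ -n "$s" ] || continue
        set_stanza_key "$1" "$s" disabled 0
    done
}

# Steps 3c to 5 on two files: back up the target, merge the old syslog TA
# stanzas into it, drop the malware input stanza, then enable the inputs.
# Run only while Splunk is stopped (step 3b).
migrate_inputs() {
    old="$1"; new="$2"; malware="$3"
    if [ -f "$new" ]; then
        cp "$new" "$new.bak.$(date +%Y%m%d%H%M%S)"
    else
        : > "$new"
    fi
    merge_stanzas "$old" "$new"
    remove_stanza "$new" "$malware"
    enable_all_inputs "$new"
}

# Demo on constructed files standing in for the two local/inputs.conf files.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[udp://514]' 'sourcetype = symantec:ep:syslog' 'disabled = 1' \
        > "$d/TA-Symantec-EP-Syslog.inputs.conf"
    printf '%s\n' '[monitor:///opt/sep/dump/agt_system.tmp]' \
        'sourcetype = symantec:ep:agt_system:file' '' \
        '[monitor:///opt/sep/dump/malware.tmp]' 'disabled = 1' \
        > "$d/Splunk_TA_symantec-ep.inputs.conf"
    migrate_inputs "$d/TA-Symantec-EP-Syslog.inputs.conf" \
        "$d/Splunk_TA_symantec-ep.inputs.conf" 'monitor:///opt/sep/dump/malware.tmp'
    cat "$d/Splunk_TA_symantec-ep.inputs.conf"
}
demo
```

Run it against the real paths only after `splunk stop` (step 3b). After `splunk start`, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints the file each effective line comes from, which is the quickest check that the copied stanzas now resolve from Splunk_TA_symantec-ep and that the malware stanza is gone. Stanza names are handed to awk through `-v`, which interprets backslash escapes, so a Windows monitor path with backslashes must have them doubled before it is passed in.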

The Splunk Add-on for Symantec Endpoint Protection is intended to replace TA-sep and TA-sav, which are currently packaged as part of Splunk Enterprise Security. No migration activity is required, as the new add-on can run side-by-side with the older add-ons. The older add-ons are still required to parse stored data from versions of Symantec Antivirus and Endpoint Protection that the new add-on does not support.