search cancel

Splunk Add-on for Symantec Endpoint Protection misindexes Endpoint Protection Manager 14.2 RU1 external logging


Article ID: 174684


Updated On:


Endpoint Protection


The Splunk Add-on for Symantec Endpoint Protection (SEP) allows a Splunk platform administrator to collect data from Symantec Endpoint Protection Manager (SEPM) external logging dump files agt_security.log and agt_risk.log. After the events are indexed, the data can be consumed using Splunk's pre-built dashboard panels, which are included with the add-on. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

After an upgrade to SEPM 14.2 RU1 (14.2.3332.1000), the Splunk Add-on for Symantec Endpoint Protection misindexes the dump files..


  • SEPM 14.2 RU1
  • Splunk Add-on for Symantec Endpoint Protection Version 2.3.0


In 14.2 RU1, the external logging of agt_risk.log and agt_security.log was restructured:


14.2 MP1 (14.2.1015.0100) 14.2 RU1 (14.2.3332.1000)
Time Stamp  Time Stamp
Risk Action Risk Action
IP Address IP Address
Computer name Computer name
Intensive Protection Level Source
Certificate issuer Risk name
Certificate signer Occurrences
Certificate thumbprint File Path
Signing timestamp Description
Certificate serial number Actual action
Source Requested action
Risk name Secondary action
Occurrences Event time
File Path Event Insert Time
Description End Time
Actual action Last update time
Requested action Domain Name
Secondary action Group Name
Event time Server Name
Event Insert Time User Name
End Time Source Computer Name
Last Update Time Source Computer IP
Domain Name Disposition
Group Name Download site
Server Name Web domain
User Name Downloaded by
Source Computer Name Prevalence
Source Computer IP Confidence
Disposition URL Tracking Status
Download site First Seen
Web domain Sensitivity
Downloaded by Permitted Application Reason
Prevalence Application hash
Confidence Hash type
URL Tracking Status Company name
[Extra Blank column(Unused)] Application name
First Seen Application version
Sensitivity Application type
Permitted Application Reason File size (bytes)
Application hash Category set
Hash type Category type
Company name Location
Application name Intensive Protection Level
Application version Certificate issuer
Application type Certificate signer
File size (bytes) Certificate thumbprint
Category set Signing timestamp
Category type Certificate serial number


14.2 MP1 (14.2.1015.0100) 14.2 RU1 (14.2.3332.1000) 14.3 RU1
Event Time Event Time Event Time
Severity Severity Severity
Host Name Host Name Host Name
SHA-256 Event Description Event Description
MD-5 Local Host IP Local Host IP
Event Description Local Host MAC Local Host MAC
Local Host IP Remote Host Name Remote Host Name
Local Host MAC Remote Host IP Remote Host IP
Remote Host Name Remote Host MAC Remote Host MAC
Remote Host IP Traffic Direction Traffic Direction
Remote Host MAC Network Protocol Network Protocol
Traffic Direction Hack Type Hack Type
Network Protocol Begin Time Begin Time
Hack Type End Time End Time
Begin Time Occurrences Occurrences
End Time Application Name Application Name
Occurrences Location Location
Application Name User Name User Name
Location Domain Name Domain Name
User Name Local Port Local Port
Domain Name Remote Port Remote Port
Local Port  CIDS Signature ID CIDS Signature ID
Remote Port  CIDS Signature string CIDS Signature string
CIDS Signature ID CIDS Signature SubID CIDS Signature SubID
CIDS Signature string Intrusion URL  Intrusion URL
CIDS Signature SubID Intrusion Payload URL Intrusion Payload URL
Intrusion URL SHA-256 SHA-256
Intrusion Payload URL  MD-5 MD-5
    Browser Protection


This change is by design. Please check with the vendor for instructions on performing these modifications.