The Splunk Add-on for Symantec Endpoint Protection (SEP) allows a Splunk platform administrator to collect data from Symantec Endpoint Protection Manager (SEPM) external logging dump files agt_security.log and agt_risk.log. After the events are indexed, the data can be consumed using Splunk's pre-built dashboard panels, which are included with the add-on. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
After an upgrade to SEPM 14.2 RU1 (14.2.3332.1000), the Splunk Add-on for Symantec Endpoint Protection misindexes the dump files.
In 14.2 RU1, the external logging of agt_risk.log and agt_security.log was restructured:
This change is by design. Please check with the vendor for instructions on performing these modifications.