Listing of the different types of events available in the SEPM under Monitors -> Logs

Article:TECH179005  |  Created: 2012-01-16  |  Updated: 2012-01-16  |  Article URL http://www.symantec.com/docs/TECH179005
Article Type: Technical Solution
Issue



This document lists all the event types available in the SEPM under Monitors -> Logs, grouped by log.


Solution



1.      Audit

The Audit log and quick report contain information about policy modification events. The Audit log information includes the event time and type, policy, domain, site, user name, and description.

 

Event type:

All

Policy added

Policy deleted

Policy edited

Add shared policy upon system install

Add shared policy upon system upgrade

Add shared policy upon domain creation

 

 

2.      Compliance

Compliance logs and reports contain information about Enforcer servers, Enforcer clients, Enforcer traffic, and host compliance. The information also includes items such as the event times and types, Enforcer names, sites, and servers.

 

The following Compliance logs are available:

- Enforcer Server

This log tracks communication between Enforcers and their management server. Information that is logged includes Enforcer name, when it connects to the management server, the event type, site, and server name.

 

Event type:

All

Enforcer registered

Enforcer failed to register

Enforcer downloaded policy

Enforcer downloaded sylink.xml

Server received enforcer log

Server received enforcer information

 

- Enforcer Client

Provides information on all Enforcer client connections, including peer-to-peer authentication information. Available information includes the time, each Enforcer's name, type, site, remote host, and remote MAC address, and whether the client was passed, rejected, or authenticated.

 

Event type:

All

Gateway Enforcer

LAN Enforcer

DHCP Enforcer

Integrated Enforcer

NAP Enforcer

Peer-to-peer Enforcer

 

- Enforcer Traffic

Provides information about the traffic that moves through an Enforcer appliance. Available information includes the time, the Enforcer name, the Enforcer type, and site. The information also includes the local port that was used, the direction, action, and a count. You can filter on the connection attempts that were allowed or blocked.

 

Event type:

All

Incoming traffic blocked

Outgoing traffic blocked

Incoming traffic allowed

Outgoing traffic allowed

 

- Host Compliance

This log tracks the details of Host Integrity checks of clients. Available information includes the time, event type, domain/group, computer, user, operating system, description, and location.

 

Event type:

All

Host integrity failed

Host integrity passed

Active Response canceled

Application Hijack

Host integrity failed but reported as PASS

Host integrity custom log entry

 

 

3.      Application and Device Control logs and quick reports

Application and Device Control logs and quick reports contain information about events where some type of behavior was blocked. Information includes items such as event times and types, actions taken, domains, hosts, rules, and caller processes. A caller process is the application or process that triggers the logging. Information is collected about application control and Tamper Protection, and about the hardware behavior and the software behavior that the Device Control technology detects.

You can use the default filter to view the logs and reports or you can configure the filter options to limit the data view. You can save a filter that you have customized so that you can use it in the future.

 

Application event type:

All

Application control driver

Application control rule

Tamper protection

 

Device event type:

All

Device control disabled device

 

 

4.      Computer Status

The Computer Status logs and reports contain information about the operational status of the computers in your network, such as which computers are infected. Other information is available, such as computer names and IP addresses, last check-in time, definitions date, Auto-Protect status, server, group, domain, and user name. You can also run some commands from the Computer Status logs.

 

 

5.      Network Threat Protection logs and reports

The Network Threat Protection logs contain information about attacks on the firewall and about firewall traffic and packets. The Network Threat Protection logs also contain information about intrusion prevention. Information available includes items such as the time and the event type; action taken; severity; the direction, host name, IP address, and protocol involved.

 

- Attack event type:

All

Active response

Active response canceled

Active response disengaged

Application hijack

Denial of service

Executable file change accepted

Executable file change denied

Intrusion prevention

MAC spoofing

N/A (invalid traffic by rule)

Port scan

Trojan

Browser Protection

 

- Traffic event type:

All

Ethernet packet

ICMP packet

IP packet

Ping request

TCP initiated

TCP completed

UDP datagram

Other

 

- Packets event type:

All

Raw Ethernet

 

 

6.      SONAR

The SONAR logs contain information about the threats that have been detected by SONAR. SONAR identifies behavior that resembles known risk behavior, which lets it detect unknown viruses and security risks.

 

Event type:

Security Risk Found

Commercial Application detected

Forced SONAR threat detected

Application allowed

Potential risk found

Risk sample submitted to Symantec

Compressed file

 

 

7.      Risk

The Risk logs and reports include information about risk events on your server and its clients. Information available includes the event time, actual action, user name, computer, risk name, source, count, and file path.

 

Event type:

Virus found

Security Risk found

Commercial application detected

Forced SONAR threat detected

Application allowed

Potential risk found

Risk sample submitted to Symantec

Compressed file

 

 

8.      Scan

The Scan logs and reports provide information about virus and spyware scan activity. Information available includes items such as the computer name, IP address, status, scan time, duration, and scan results.

 

9.      System

The System logs contain information about the event times, event types, sites, domains, servers, and severity levels.

 

The following system logs are available:

- Administrative

Available information includes items such as event time and event type; the domain, site, and server involved; severity; administrator; and description.

 

Event type:

All

Administrator events

Domain events

Replication events

Group events

User events

Computer events

Import events

Package events

Other events

WebService Events

 

- Client-Server Activity

Available information includes items such as event time and event type; the domain, site, and server involved; client; and user name.

 

Event type:

All

Registration succeeded

Registration failed

Client reconnected

Client disconnected

Downloaded policy

Downloaded Intrusion Prevention policy

Downloaded sylink.xml

Downloaded auto-upgrade file

Server received log

Log processing failed

Server received learned application

Server received client information

Client information processing failed

Hardware identity change

Downloaded command

Downloading content package

Downloading File Fingerprint list
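The Host Compliance event types (section 2) and the Client-Server Activity event types above are the ones an analyst most often wants to filter on rather than read one by one. The following is an added example, not code from the Symantec article: a small triage pass over a batch of events that flags any "Host integrity failed but reported as PASS" entry, hosts with a run of consecutive "Host integrity failed" events without a pass in between, hosts with repeated "Hardware identity change" events, and hosts with repeated "Registration failed" events. The record layout (Python dicts with "log", "time", "computer" and "event_type" keys) and the sample events are constructed for this example and are not a SEPM export format; the event type strings are the ones listed on this page.

```python
"""Triage of SEPM Host Compliance and Client-Server Activity events.

Added example, not from the Symantec article. The record layout (dicts
with "log", "time", "computer", "event_type") is an assumption made for
this example; it is not a SEPM export format. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Event type strings as listed in the SEPM Monitors -> Logs filters.
HI_FAILED = "Host integrity failed"
HI_PASSED = "Host integrity passed"
HI_MASKED = "Host integrity failed but reported as PASS"
REG_FAILED = "Registration failed"
HW_CHANGE = "Hardware identity change"

# Constructed sample events (not real SEPM data).
SAMPLE_EVENTS = [
    {"log": "Host Compliance", "time": "2012-01-16 08:00:00", "computer": "WS-01", "event_type": HI_FAILED},
    {"log": "Host Compliance", "time": "2012-01-16 09:00:00", "computer": "WS-01", "event_type": HI_FAILED},
    {"log": "Host Compliance", "time": "2012-01-16 10:00:00", "computer": "WS-01", "event_type": HI_FAILED},
    {"log": "Host Compliance", "time": "2012-01-16 08:00:00", "computer": "WS-02", "event_type": HI_FAILED},
    {"log": "Host Compliance", "time": "2012-01-16 09:00:00", "computer": "WS-02", "event_type": HI_PASSED},
    {"log": "Host Compliance", "time": "2012-01-16 08:30:00", "computer": "WS-03", "event_type": HI_MASKED},
    {"log": "Client-Server Activity", "time": "2012-01-16 07:00:00", "computer": "WS-04", "event_type": HW_CHANGE},
    {"log": "Client-Server Activity", "time": "2012-01-16 07:05:00", "computer": "WS-04", "event_type": HW_CHANGE},
    {"log": "Client-Server Activity", "time": "2012-01-16 07:00:00", "computer": "WS-05", "event_type": REG_FAILED},
    {"log": "Client-Server Activity", "time": "2012-01-16 07:01:00", "computer": "WS-05", "event_type": REG_FAILED},
    {"log": "Client-Server Activity", "time": "2012-01-16 07:02:00", "computer": "WS-05", "event_type": REG_FAILED},
]


def triage(events, hi_fail_streak=3, reg_fail_threshold=3):
    """Return a sorted list of (computer, finding) tuples.

    Thresholds are illustrative defaults, not values from the article.
    """
    # Process in time order so that a "passed" event really resets a streak.
    ordered = sorted(events, key=lambda e: datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    hi_streak = defaultdict(int)      # consecutive HI failures per host
    reg_failures = defaultdict(int)   # registration failures per host
    hw_changes = defaultdict(int)     # hardware identity changes per host
    findings = set()

    for e in ordered:
        host, event_type = e["computer"], e["event_type"]
        if e["log"] == "Host Compliance":
            if event_type == HI_MASKED:
                # The client failed the check but the policy reports PASS:
                # the failure is invisible in the pass/fail summary, so surface it.
                findings.add((host, "Host Integrity failure masked by policy (reported as PASS)"))
            elif event_type == HI_FAILED:
                hi_streak[host] += 1
                if hi_streak[host] == hi_fail_streak:
                    findings.add((host, f"{hi_fail_streak} consecutive Host Integrity failures"))
            elif event_type == HI_PASSED:
                hi_streak[host] = 0
        elif e["log"] == "Client-Server Activity":
            if event_type == HW_CHANGE:
                hw_changes[host] += 1
                if hw_changes[host] > 1:
                    # More than one hardware identity change on the same name
                    # is worth a look (for example, several machines sharing a client identity).
                    findings.add((host, "repeated hardware identity change"))
            elif event_type == REG_FAILED:
                reg_failures[host] += 1
                if reg_failures[host] == reg_fail_threshold:
                    findings.add((host, f"{reg_fail_threshold} registration failures"))

    return sorted(findings)


if __name__ == "__main__":
    for computer, finding in triage(SAMPLE_EVENTS):
        print(f"{computer}: {finding}")
```

Running the block on the constructed sample prints four findings: WS-01 (three consecutive Host Integrity failures), WS-03 (masked failure), WS-04 (repeated hardware identity change) and WS-05 (three registration failures); WS-02 is not reported because its failure was followed by a pass.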

 

- Server Activity

Available information includes items such as event time and event type; the site and server involved; severity; description; and message.

 

Event type:

All

Server events

Database maintenance events

Backup events

Radius Server events

Replication events

Find unmanaged computer events

Import events

Policy content updates

LiveUpdate events

Licenses events

Other events

 

- Client Activity

Available information includes items such as event time, event type, event source, domain, description, site, computer, and severity.

 

Event type:

All

Installation events

Service events

Configuration events

Host Integrity events

Import events

Client events

Client content update events

Server events

Policy events

Antivirus engine events

License events

Security events

Submission events

Other events

 

- Enforcer Activity

Available information includes items such as event time, event type, enforcer name, enforcer type, site, severity, and description.

 

Event type:

All

Management events

Enforcer events

Enable events

Policy events
