Hi,
We're trying to integrate Symantec Endpoint Protection 12.1.x logs with Logsign (SIEM software).
The logs are sent by syslog forwarding:
"Jun 22 11:26:05 SymantecServer xxxxx: Scan ID: 1434361708,Begin: 2015-06-22 03:04:04,End: ,Started,Duration (seconds): 0,User1: xxxxx,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\MOBIL\\X64,Server: xxxxx"
"Jun 22 11:23:25 SymantecServer xxxxx: Scan ID: 1433759314,Begin: 2015-06-22 08:17:27,End: 2015-06-22 08:17:44,Completed,Duration (seconds): 17,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete: Risks: 0 Scanned: 724 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 652',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 724,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\xxxxxx\\X64,Server: xxxxxx"
The log reference doc is:
https://support.symantec.com/en_US/article.TECH186925.html
Raw Event Code
GL_EVENT_SCAN_STOP
GL_EVENT_SCAN_START
We could not understand these differences. The log reference guide and my sample logs do not match. We need information about this topic.
Thanks
Kadir
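An added parser (not from the original post, Symantec, or Logsign) for the two syslog lines quoted above: it separates the syslog header from the comma-separated body, keeps the single-quoted free-text messages apart from the "Key: value" columns, and maps the bare Started/Completed column to the two raw event codes named in the post. That status-to-code mapping is an assumption for illustration, not something taken from the Symantec reference guide.

```python
import re

# Constructed sample lines in the format quoted in the post (identifying values masked as in the post)
SAMPLE_LOGS = [
    r"Jun 22 11:26:05 SymantecServer xxxxx: Scan ID: 1434361708,Begin: 2015-06-22 03:04:04,End: ,Started,Duration (seconds): 0,User1: xxxxx,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\MOBIL\\X64,Server: xxxxx",
    r"Jun 22 11:23:25 SymantecServer xxxxx: Scan ID: 1433759314,Begin: 2015-06-22 08:17:27,End: 2015-06-22 08:17:44,Completed,Duration (seconds): 17,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete: Risks: 0 Scanned: 724 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 652',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 724,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\xxxxxx\\X64,Server: xxxxxx",
]

# Syslog header: "Mon DD HH:MM:SS host tag: body"
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+): (?P<body>.*)$")
NUMERIC_KEYS = ("Duration (seconds)", "Threats", "Infected", "Total files", "Omitted")
# Assumed mapping (illustrative, not from the reference guide) from the bare status column to raw event codes
STATUS_TO_EVENT = {"Started": "GL_EVENT_SCAN_START", "Completed": "GL_EVENT_SCAN_STOP"}

def split_fields(body):
    """Split the comma-separated body; single-quoted free-text fields may themselves contain commas."""
    fields, pos = [], 0
    while pos <= len(body):
        if body.startswith("'", pos):
            end = body.find("'", pos + 1)
            if end == -1:
                raise ValueError("unterminated quoted field")
            fields.append(("msg", body[pos + 1:end]))
            pos = end + 1                        # now at the separator (or end of body)
        else:
            end = body.find(",", pos)
            end = len(body) if end == -1 else end
            fields.append(("raw", body[pos:end]))
            pos = end
        pos += 1                                 # step over the comma
    return fields

def parse_sep_scan_event(line):
    """Return named columns, the free-text messages and the derived event code for one SEP scan line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-framed SEP line")
    event = {"syslog_time": m["ts"], "syslog_host": m["host"], "messages": [], "status": None}
    for kind, text in split_fields(m["body"]):
        if kind == "msg":
            event["messages"].append(text)        # quoted free text has no key
        elif ":" in text:
            key, _, value = text.partition(":")   # "Key: value" column; value may be empty (End, User2)
            event[key.strip()] = value.strip()
        elif text:
            event["status"] = text                # bare column: Started / Completed
    event.update({k: int(event[k]) for k in NUMERIC_KEYS if k in event})
    event["event_code"] = STATUS_TO_EVENT.get(event["status"], "UNKNOWN")
    return event
```

The first sample parses with an empty End and status Started, the second with a populated End, status Completed and a second quoted summary message, which is the difference between the two lines the post asks about.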