Endpoint Protection Small Business Edition

  • 1.  Endpoint Protection 12.1.x mismatch log format

    Posted Jul 01, 2015 07:31 AM

     

    Hi,

    We're trying to do Symantec Endpoint Protection 12.1.x log integration with Logsign (SIEM software).

     

    The logs are sent by syslog forwarding:

    "Jun 22 11:26:05 SymantecServer xxxxx: Scan ID: 1434361708,Begin: 2015-06-22 03:04:04,End: ,Started,Duration (seconds): 0,User1: xxxxx,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\MOBIL\\X64,Server: xxxxx"


    "Jun 22 11:23:25 SymantecServer xxxxx: Scan ID: 1433759314,Begin: 2015-06-22 08:17:27,End: 2015-06-22 08:17:44,Completed,Duration (seconds): 17,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete:  Risks: 0   Scanned: 724   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 652',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 724,Omitted: 0,Computer: xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\xxxxxx\\X64,Server: xxxxxx"

     

    Log Reference doc is : 

    https://support.symantec.com/en_US/article.TECH186925.html

    Raw Event Code

    GL_EVENT_SCAN_STOP

    GL_EVENT_SCAN_START

     

    We could not understand these differences. The log reference guide and my sample logs do not match. We need information about this topic.

    Thanks

    Kadir
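The two scan-log lines above have a fixed field order: labeled "Label: value" fields separated by commas, with three unlabeled slots (the status word Started/Completed, the single-quoted scan message, and the single-quoted scan-complete summary, which is empty on the Started line). The parser below is an added example written for this thread, not code from Symantec, Logsign or the poster. The field order is read off the two posted lines and nothing else is assumed about SEPM's schema; the host names, IP addresses, user names and the third line (a completed scan with a detection) are constructed sample input.

```python
"""Parse SEPM scan-log lines as forwarded over syslog (the comma-separated
shape posted above) and apply a simple alerting rule to the parsed records.
Added example for this thread; not Symantec's or Logsign's code."""
import csv
import re
from datetime import datetime

# Syslog header in front of the SEPM payload, as in the samples:
#   "<Mon DD HH:MM:SS> <host> <tag>: Scan ID: ..."
_HEADER = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>Scan ID: .*)$"
)

# Positional schema of the payload as (label, key), taken from the two
# posted lines. Three slots carry no "Label:" prefix: the status word
# (Started/Completed), the scan message and the scan-complete summary.
_SCHEMA = [
    ("Scan ID", "scan_id"), ("Begin", "begin"), ("End", "end"),
    (None, "status"), ("Duration (seconds)", "duration"),
    ("User1", "user1"), ("User2", "user2"),
    (None, "message"), (None, "summary"),
    ("Command", "command"), ("Threats", "threats"), ("Infected", "infected"),
    ("Total files", "total_files"), ("Omitted", "omitted"),
    ("Computer", "computer"), ("IP Address", "ip"), ("Domain", "domain"),
    ("Group", "group"), ("Server", "server"),
]
_INT_KEYS = {"scan_id", "duration", "threats", "infected", "total_files", "omitted"}
# Counters inside "Scan Complete:  Risks: 0   Scanned: 724   ..." ; the
# lazy name match stops at the first "Name: <digits>" pair.
_SUMMARY_ITEM = re.compile(r"([A-Za-z][A-Za-z /]*?):\s*(\d+)")
_TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines (hosts, IPs and users are made up): the two
# shapes from the post plus a completed scan that found something.
SAMPLE_LINES = [
    r"Jun 22 11:26:05 SymantecServer sepm01: Scan ID: 1434361708,Begin: 2015-06-22 03:04:04,"
    r"End: ,Started,Duration (seconds): 0,User1: jdoe,User2: ,"
    r"'Scan started on selected drives and folders and all extensions.',,"
    r"Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,"
    r"Computer: ws-017,IP Address: 10.0.0.17,Domain: Default,Group: My Company\MOBIL\X64,Server: sepm01",
    r"Jun 22 11:23:25 SymantecServer sepm01: Scan ID: 1433759314,Begin: 2015-06-22 08:17:27,"
    r"End: 2015-06-22 08:17:44,Completed,Duration (seconds): 17,User1: SYSTEM,User2: SYSTEM,"
    r"'Scan started on selected drives and folders and all extensions.',"
    r"'Scan Complete:  Risks: 0   Scanned: 724   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 652',"
    r"Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 724,Omitted: 0,"
    r"Computer: ws-042,IP Address: 10.0.0.42,Domain: Default,Group: My Company\LAB\X64,Server: sepm01",
    r"Jun 22 11:40:12 SymantecServer sepm01: Scan ID: 1434362900,Begin: 2015-06-22 08:30:00,"
    r"End: 2015-06-22 08:31:05,Completed,Duration (seconds): 65,User1: SYSTEM,User2: SYSTEM,"
    r"'Scan started on selected drives and folders and all extensions.',"
    r"'Scan Complete:  Risks: 1   Scanned: 810   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 700',"
    r"Command: Not a command scan (),Threats: 1,Infected: 1,Total files: 810,Omitted: 0,"
    r"Computer: ws-042,IP Address: 10.0.0.42,Domain: Default,Group: My Company\LAB\X64,Server: sepm01",
]


def parse_scan_log(line):
    """Return a dict for one scan-log syslog line, or None when the line is
    not a scan-log record or its fields do not match the schema."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    # Free-text fields are single-quoted and may contain commas, so let the
    # csv module tokenise instead of str.split(",").
    fields = next(csv.reader([m.group("body")], quotechar="'"))
    if len(fields) != len(_SCHEMA):
        return None
    rec = {"syslog_ts": m.group("syslog_ts"), "host": m.group("host"), "tag": m.group("tag")}
    for (label, key), raw in zip(_SCHEMA, fields):
        if label is not None:
            prefix = label + ":"
            if not raw.startswith(prefix):
                return None  # field order differs from the schema: refuse rather than guess
            raw = raw[len(prefix):].strip()
        if key in _INT_KEYS:
            rec[key] = int(raw) if raw else None
        else:
            rec[key] = raw
    # Begin/End are SEPM-side timestamps (in the samples they are not on the
    # same clock as the syslog header); End is empty while a scan is running.
    for key in ("begin", "end"):
        rec[key] = datetime.strptime(rec[key], _TS_FORMAT) if rec[key] else None
    rec["summary_counts"] = {k: int(v) for k, v in _SUMMARY_ITEM.findall(rec["summary"])}
    return rec


def scan_needs_attention(rec):
    """Alerting rule: a Completed scan that reported threats or infections,
    or whose summary Risks counter is non-zero. A Started record carries
    only zero counters and never alerts on its own."""
    if rec["status"] != "Completed":
        return False
    return ((rec["threats"] or 0) > 0 or (rec["infected"] or 0) > 0
            or rec["summary_counts"].get("Risks", 0) > 0)


if __name__ == "__main__":
    for rec in map(parse_scan_log, SAMPLE_LINES):
        print(rec["scan_id"], rec["status"], rec["computer"], "ALERT" if scan_needs_attention(rec) else "ok")
```

Parsing by position against a schema, instead of splitting on ": " per field, is what keeps the summary slot ("Scan Complete:  Risks: 0 ...") from being mistaken for a labeled field; a line whose field count or labels differ from the schema is returned as None so that a changed format shows up as a parse failure rather than as silently mislabeled data.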



  • 2.  RE: Endpoint Protection 12.1.x mismatch log format

    Posted Jul 01, 2015 07:18 PM
    What specifically? Scan start and stop indicate when the scheduled scan started and when it ended


  • 3.  RE: Endpoint Protection 12.1.x mismatch log format

    Posted Jul 02, 2015 03:51 AM

    I want to understand that clearly. This log format:

    "Jun 22 11:26:05 SymantecServer xxxxx: Scan ID: 1434361708,Begin: 2015-06-22 03:04:04,End: ,Started,Duration (seconds): 0,User1: xxxxx,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer:xxxxx,IP Address: xxxxx,Domain: Default,Group: My Company\\xxxx, Server: xxxxx"

    Is this SEP's own log format?

     

    https://support.symantec.com/en_us/article.tech186925.html

    I do not understand this point: "Event Number" and "Event Raw Code".

    Why are these fields not in the log?

    Similar problem: https://www-secure.symantec.com/connect/forums/there-logging-reference-guide-sep-12

     

    Kadir



  • 4.  RE: Endpoint Protection 12.1.x mismatch log format

    Posted Jul 03, 2015 11:09 AM

    The logs sent from SEPM to the external logging server are in the same format as the logs exported from the Logs page in SEPM.

    For example the scan log format sent to external logging server will be in the same format as the scan log exported from the logs page of SEPM (as seen in the screenshot).

    Scan log.png

    The details mentioned in the article TECH186925 are not related to the SEPM external logging format. They are related to the Windows Event Viewer.



  • 5.  RE: Endpoint Protection 12.1.x mismatch log format

    Posted Jul 09, 2015 03:55 AM

    Thanks for the explanation. It is not only the scan log; there are many different log formats. I'm looking for the log reference document, but I could not find it.
    I sent another sample log format as an attachment.

    Do you have an HTML format of this log? I've shared a screenshot from Cisco as an example.


    I also saw the following log format; I sent it as an attachment. Understandably, the log format is CEF.

    Could you tell me about the log format?

    ||EVENT_ID|501|EVENT_TIME|1164985804796|DOMAIN_ID|default|SITE_ID|Site Ferd|SERVER_ID|carrick|GROUP_ID|global/clientpeeps|SEVERITY_AB|15|HOST_NAME|charlton|ACTION_AB|3|TEST_MODE|1|DESCRIPTION|OS Protection is ready|VAPI_NAME|System|RULE_ID|ff7589|RULE_NAME|Built-in rule|CALLER_PROCESS_NAME_AB|SysPlant|PARAMETER|c:\someapplication|ALERT_AB|221|USER_NAME|None|DOMAIN_NAME|None|TIME_STAMP|1164967908625|

     

    Kadir
     

    Attachment(s)

    symantec sepm logs.txt (3 KB)
    SEC_for_SymEndpoint_43_0.pdf (617 KB)
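The pipe-delimited record quoted in the post above is a flat sequence of "|KEY|value|" pairs, which is a different shape from the comma-separated scan log. The parser below is an added example for this thread, not code from Symantec, Logsign or the poster. The sample record is the one from the post re-joined onto a single line; reading EVENT_TIME and TIME_STAMP as epoch milliseconds is an assumption based only on their magnitude, not on any Symantec documentation.

```python
"""Parse a pipe-delimited SEPM event record ("|KEY|value|KEY|value|...")
into a dict and normalise its timestamp fields.
Added example for this thread; not Symantec's or Logsign's code."""
from datetime import datetime, timezone

# The record quoted in the post, re-joined onto one line (constructed copy).
SAMPLE_RECORD = (
    "||EVENT_ID|501|EVENT_TIME|1164985804796|DOMAIN_ID|default|SITE_ID|"
    "Site Ferd|SERVER_ID|carrick|GROUP_ID|global/clientpeeps|SEVERITY_AB|"
    "15|HOST_NAME|charlton|ACTION_AB|3|TEST_MODE|1|DESCRIPTION|"
    "OS Protection is ready|VAPI_NAME|System|RULE_ID|ff7589|RULE_NAME|"
    "Built-in rule|CALLER_PROCESS_NAME_AB|SysPlant|PARAMETER|"
    "c:\\someapplication|ALERT_AB|221|USER_NAME|None|DOMAIN_NAME|None|"
    "TIME_STAMP|1164967908625|"
)

# Assumption: 13-digit values in these keys are milliseconds since the
# Unix epoch (the post does not say; the magnitude fits 2006).
_EPOCH_MS_KEYS = ("EVENT_TIME", "TIME_STAMP")


def _from_epoch_ms(text):
    """Exact millisecond-to-datetime conversion (UTC) without float rounding."""
    ms = int(text)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(
        microsecond=(ms % 1000) * 1000)


def parse_pipe_record(record):
    """Split '|KEY|value|KEY|value|' into a dict of str values, with the
    timestamp keys converted to aware datetimes.

    Raises ValueError on an odd token count (a key with no value), which is
    what an embedded '|' inside a value, or a truncated record, produces.
    Failing loudly is preferable to shifting every later key by one."""
    tokens = record.strip().strip("|").split("|")
    if len(tokens) % 2:
        raise ValueError("unpaired key/value tokens in record")
    fields = dict(zip(tokens[0::2], tokens[1::2]))
    for key in _EPOCH_MS_KEYS:
        if key in fields and fields[key].isdigit():
            fields[key] = _from_epoch_ms(fields[key])
    return fields


if __name__ == "__main__":
    for k, v in parse_pipe_record(SAMPLE_RECORD).items():
        print(f"{k} = {v}")
```

Because the values are not quoted, the format has no way to carry a literal "|" inside a value; the odd-token check is the only signal the parser has that a record was shifted or truncated, which is why it raises instead of returning a partial dict.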



  • 7.  RE: Endpoint Protection 12.1.x mismatch log format

    Posted Jul 20, 2015 04:43 AM

    Just give us some idea; we will try to parse it our own way.

    Finally: "Do you have the HTML format of the log?"

    Thank you for your support