Endpoint Protection

  • 1.  Need some help with log messages for alerting

    Posted Jul 19, 2010 01:52 PM
    Hello all. My company is in the process of going from SAV to SEP. Our plan is to use the Syslog option in the SEPM, and send the log messages to our syslog device. From there, we want to send events (such as virus alerts, IPS detections, etc) to our SIEM for alerting and ticket creation. I have been unable to find a good list of possible codes or messages that Syslog would generate. Can anyone point me to a resource to see these messages so we can determine what we want to alert on? With SAV, we just scraped the flat files created for various codes found here --> http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002111911231448 and here --> http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/c2063cf24d7d766688257480005cad20?OpenDocument But I have been unable to find similar information for Syslog messages from SEP 11. Any help would be appreciated.


  • 2.  RE: Need some help with log messages for alerting

    Posted Jul 19, 2010 02:02 PM


  • 3.  RE: Need some help with log messages for alerting

    Posted Jul 19, 2010 02:19 PM
    I am particularly interested in the equivalent from this part of the SAV 10 info I linked above:

    08) LI_ACTION1: Primary Action configuration (Virus Found event only)
    1 - Quarantine infected file
    2 - Rename infected file
    3 - Delete infected file
    4 - Leave alone (log only)
    5 - Clean virus from file
    6 - Clean or delete macros
    Anything else - Unknown Action
    09) LI_ACTION2: Secondary Action configuration (Virus Found event only)
    1 - Quarantine infected file
    2 - Rename infected file
    3 - Delete infected file
    4 - Leave alone (log only)
    5 - Clean virus from file
    6 - Clean or delete macros
    Anything else - Unknown Action
    10) LI_ACTION0: Action Taken (Virus Found event only)
    1 - Quarantined
    2 - Renamed
    3 - Deleted
    4 - Left alone
    5 - Cleaned
    6 - Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)
    7 - Saved file as...
    8 - Sent to Intel (AMS)
    9 - Moved to backup location
    10 - Renamed backup file
    11 - Undo action in Quarantine View
    12 - Write protected or lack of permissions - Unable to act on file
    13 - Backed up file


    Is this info all still the same?  And if it is in the regular log in the database, is it the same via Syslog?  This is what I can't find.
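As an added example (not code from this thread or from Symantec), a Python decoder for the three action fields quoted above that assigns a SIEM severity, so that "Left alone" and "Unable to act on file" outcomes raise a ticket while a successful primary action stays informational. It assumes the SAV flat-file record is comma-delimited with LI_ACTION1, LI_ACTION2 and LI_ACTION0 at zero-based field positions 8, 9 and 10 (the 08/09/10 numbering above), and the sample record is constructed.

```python
"""Decode the SAV 10 virus-found action fields (LI_ACTION1/2/0) for SIEM triage."""
from dataclasses import dataclass

# Code tables as listed in the thread (SAV 10 log-format document, fields 08-10).
CONFIGURED_ACTION = {
    1: "Quarantine infected file", 2: "Rename infected file",
    3: "Delete infected file", 4: "Leave alone (log only)",
    5: "Clean virus from file", 6: "Clean or delete macros",
}
ACTION_TAKEN = {
    1: "Quarantined", 2: "Renamed", 3: "Deleted", 4: "Left alone", 5: "Cleaned",
    6: "Cleaned or macros deleted", 7: "Saved file as...", 8: "Sent to Intel (AMS)",
    9: "Moved to backup location", 10: "Renamed backup file",
    11: "Undo action in Quarantine View",
    12: "Write protected or lack of permissions - Unable to act on file",
    13: "Backed up file",
}
# Outcomes where the detected file is still in place: these are the ticket-worthy ones.
UNRESOLVED = {4, 12}

@dataclass
class Triage:
    primary: str    # configured primary action (LI_ACTION1)
    secondary: str  # configured secondary action (LI_ACTION2)
    taken: str      # action actually taken (LI_ACTION0)
    severity: str   # suggested SIEM severity

def triage(record: str) -> Triage:
    """Assumption: comma-delimited SAV record, LI_ACTION1/2/0 at fields 8/9/10."""
    fields = record.split(",") + [""] * 11  # pad so short/truncated records don't crash
    p, s, t = (int(f) if f.isdigit() else None for f in fields[8:11])
    if t in UNRESOLVED:
        severity = "high"    # threat still present on disk, open a ticket
    elif t not in ACTION_TAKEN:
        severity = "medium"  # unknown or missing code, needs a human look
    elif t == p:
        severity = "info"    # configured primary action succeeded
    else:
        severity = "low"     # fell through to a secondary action; worth noting
    return Triage(CONFIGURED_ACTION.get(p, "Unknown Action"),
                  CONFIGURED_ACTION.get(s, "Unknown Action"),
                  ACTION_TAKEN.get(t, "Unknown Action"), severity)

# Constructed sample record (not a real log line): primary=clean, secondary=quarantine,
# but the file could not be acted on (code 12), so this one should become a ticket.
SAMPLE_RECORD = "2A0C0E0B0F1A,5,2,1,WKSTN01,jdoe,EICAR Test String,C:\\tmp\\eicar.com,5,1,12"

print(triage(SAMPLE_RECORD))
```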


  • 4.  RE: Need some help with log messages for alerting

    Posted Jul 19, 2010 02:38 PM
    Still the same...yes


  • 5.  RE: Need some help with log messages for alerting

    Posted Jul 19, 2010 03:50 PM

    List of log entries:

    Just in case you don't have this:


    Title: 'Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection'
    Document ID: 2002111911231448
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002111911231448?Open&seg=ent