Hi *
We are running SEP 12.1ru6 with syslog forwarding towards a syslog collector for several event types, including network threat protection ones. The format in which we receive the logs is the following:
"Mar 11, 2016 10:54:01 CET","connection","SEP_1","<50>Mar 11 10:52:50 SymantecServer XXXXXXX: CLIENT_NAME,[SID: 28732] System Infected: Adware.Gen Activity 6 attack blocked. Traffic has been blocked for this application: C:\USERS\USERNAME\APPDATA\LOCAL\{09C53F99-2D6D-5321-40F5-76C9649D8A51}\UNINSTALL.EXE,Local: LOCAL_IP,Local: 000000000000,Remote: ,Remote: REMOTE_IP,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-03-11 10:52:01,End: 2016-03-11 10:52:01,Occurrences: 1,Application: C:/USERS/USERNAME/APPDATA/LOCAL/{09C53F99-2D6D-5321-40F5-76C9649D8A51}/UNINSTALL.EXE,Location: LAN,User: USERNAME,Domain: DOMAIN_NAME,Local Port 61492,Remote Port REMOTE_PORT,CIDS Signature ID: 28732,CIDS Signature string: System Infected: Adware.Gen Activity 6,CIDS Signature SubID: 66195,Intrusion URL: wcyud.com/?v=3.18&pcrc=904745976&LSVRDT=&ty=CHECK,Intrusion Payload URL:"
Now our problem is that in the syslog that we are receiving, we don't have any field that informs us of the source of each line, and we must know it in order to process the information properly (so, we want to know if one line comes from risk, or from network threat, etc.). Is there any field in the sample provided that could help us in identifying this? If not, is there any syslog option that we can use to identify it?
Kind regards.
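As an added example (not part of the post above, and not Symantec's own tooling), here is a small Python parser for the line format shown in the post: it splits the collector's CSV wrapper, decodes the syslog PRI into facility and severity, and breaks the SymantecServer body into its "Key: value" fields, keeping repeated keys such as "Local:" and "Remote:" as lists. The classification rule is an assumption, not something the post confirms: a line carrying the "CIDS Signature ID" or "Intrusion ID" fields is tagged as a network threat protection (IPS) event, and anything else is left as unknown rather than guessed. The sample line is the one from the post, with the post's own placeholders.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample: the line quoted in the post, placeholders included.
SAMPLE_LINE = (
    r'"Mar 11, 2016 10:54:01 CET","connection","SEP_1","<50>Mar 11 10:52:50 '
    r'SymantecServer XXXXXXX: CLIENT_NAME,[SID: 28732] System Infected: '
    r'Adware.Gen Activity 6 attack blocked. Traffic has been blocked for this '
    r'application: C:\USERS\USERNAME\APPDATA\LOCAL\{09C53F99-2D6D-5321-40F5-'
    r'76C9649D8A51}\UNINSTALL.EXE,Local: LOCAL_IP,Local: 000000000000,'
    r'Remote: ,Remote: REMOTE_IP,Remote: 000000000000,Inbound,TCP,'
    r'Intrusion ID: 0,Begin: 2016-03-11 10:52:01,End: 2016-03-11 10:52:01,'
    r'Occurrences: 1,Application: C:/USERS/USERNAME/APPDATA/LOCAL/'
    r'{09C53F99-2D6D-5321-40F5-76C9649D8A51}/UNINSTALL.EXE,Location: LAN,'
    r'User: USERNAME,Domain: DOMAIN_NAME,Local Port 61492,'
    r'Remote Port REMOTE_PORT,CIDS Signature ID: 28732,'
    r'CIDS Signature string: System Infected: Adware.Gen Activity 6,'
    r'CIDS Signature SubID: 66195,Intrusion URL: wcyud.com/?v=3.18'
    r'&pcrc=904745976&LSVRDT=&ty=CHECK,Intrusion Payload URL:"'
)

# "<PRI>" prefix as in RFC 3164; facility = PRI // 8, severity = PRI % 8.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# "Mar 11 10:52:50 SymantecServer XXXXXXX: <body>"
HEADER_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.DOTALL
)
# "Key: value" (non-greedy key stops at the first colon, so
# "CIDS Signature string: System Infected: X" keeps the inner colon in the value)
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", re.DOTALL)
# "Local Port 61492" / "Remote Port REMOTE_PORT" carry no colon in the sample.
PORT_RE = re.compile(r"^(\w+ Port) (\S*)$")


def parse_sep_syslog_line(line: str) -> Dict[str, object]:
    """Parse one collector line into wrapper, syslog header and body fields."""
    wrapper = next(csv.reader(io.StringIO(line)))
    if len(wrapper) != 4:
        raise ValueError("expected 4 CSV fields, got %d" % len(wrapper))
    collector_time, collector_tag, collector_source, raw = wrapper

    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))

    h = HEADER_RE.match(m.group(2))
    if not h:
        raise ValueError("unrecognised syslog header")
    timestamp, app, server, body = h.groups()

    fields: Dict[str, List[str]] = {}
    positional: List[str] = []  # pieces without a "Key:" (host, message, direction, protocol)
    for piece in body.split(","):
        kv = KV_RE.match(piece) or PORT_RE.match(piece)
        if kv:
            fields.setdefault(kv.group(1), []).append(kv.group(2).strip())
        else:
            positional.append(piece)

    return {
        "collector_time": collector_time,
        "collector_tag": collector_tag,
        "collector_source": collector_source,
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "app": app,
        "server": server,
        "positional": positional,
        "fields": fields,
    }


def classify(record: Dict[str, object]) -> str:
    """Assumed heuristic: IPS fields present in the sample mark an NTP event."""
    fields = record["fields"]
    if "CIDS Signature ID" in fields or "Intrusion ID" in fields:
        return "network_threat_protection"
    return "unknown"


if __name__ == "__main__":
    rec = parse_sep_syslog_line(SAMPLE_LINE)
    print(classify(rec), rec["fields"].get("CIDS Signature ID"))
```

Run it against a file of collector lines, one per line, and the `unknown` bucket shows which event types still need a distinguishing field of their own.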