Endpoint Protection

  • 1.  Syslog entries only show computer name of infected systems - what about IP address?

    Posted Sep 16, 2009 05:46 PM
    Hi,

    I fail to understand why the IP address is included in the E-mail alerts but is not included with the information sent to our syslog server?

    Syslog entry:

    Sep 16 09:17:46 endpoint.foobar SymantecServer endpoint.foobar: Virus found,Computer name: 226-2,Source: Real Time Scan,Risk name: Trojan.Dropper,Occurrences: 1,C:/Documents and Settings/testuser/Local Settings/Temporary Internet Files/Content.IE5/SO66RYKA/greeting[1].exe,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-09-16 13:14:35,Inserted: 2009-09-16 13:17:34,End: 2009-09-16 13:10:42,Domain: Default,Group: My Company\MyGroup,Server: endpoint.foobar,User: testuser,Source computer: ,Source IP: 0.0.0.0

    Email Alert:

    Risk name: Trojan.Dropper
    Event time: 2009-09-16 13:14:35 GMT
    Database insert time: 2009-09-16 13:17:34 GMT
    User: testuser
    Computer: 226-2
    IP Address: 130.xx.xx.xx
    Domain: Default
    Server: endpoint.foobar
    Client Group: My Company\MyGroup
    Action taken on risk: Cleaned by deletion

    Thanks everyone.


  • 2.  RE: Syslog entries only show computer name of infected systems - what about IP address?

    Posted Sep 16, 2009 05:51 PM
    Well there isn't much option to configure that as well. You can just choose which log: security, risk log etc..
    So I guess this is how it is..
    Are you on the latest version of SEPM? 11.0.4202.xx


  • 3.  RE: Syslog entries only show computer name of infected systems - what about IP address?

    Posted Sep 16, 2009 06:25 PM
    Yes - 11.0.4202.75

    I fail to see the logic in not including the IP address in the syslog reports. I mean, the information is there, why should email notifications be the only 'automated' way to get at this info?


  • 4.  RE: Syslog entries only show computer name of infected systems - what about IP address?

    Posted Apr 16, 2010 07:18 AM

    Hi,

    What I know of is that if you have a log solution like RSA you can create an ODBC connection to the SQL server.
    And then you can create SQL queries to get this information out of the database.
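As an added example (not code from the thread or from Symantec), the following Python script shows one way a log collector can recover the client IP that the syslog feed omits: it parses the SEPM "Virus found" syslog line and the e-mail alert quoted in the opening post and joins the two on computer name and event time. The sample inputs are the two records from the opening post, with the hostnames and the "130.xx.xx.xx" address left anonymised as they are there; the field names used for the join ("Computer name"/"Computer", "Event time") are taken from those records, and the parsing rules (comma-separated "Key: value" fields, a " GMT" suffix on the alert's timestamps) are assumptions drawn from the quoted samples rather than from any documented SEPM format.

```python
import re

# Constructed sample input: the syslog line quoted in the opening post
# (hostnames and the client address are anonymised as in the thread).
SYSLOG_LINE = (
    "Sep 16 09:17:46 endpoint.foobar SymantecServer endpoint.foobar: Virus found,"
    "Computer name: 226-2,Source: Real Time Scan,Risk name: Trojan.Dropper,Occurrences: 1,"
    "C:/Documents and Settings/testuser/Local Settings/Temporary Internet Files/"
    "Content.IE5/SO66RYKA/greeting[1].exe,\"\","
    "Actual action: Cleaned by deletion,Requested action: Cleaned,"
    "Secondary action: Quarantined,Event time: 2009-09-16 13:14:35,"
    "Inserted: 2009-09-16 13:17:34,End: 2009-09-16 13:10:42,Domain: Default,"
    "Group: My Company\\MyGroup,Server: endpoint.foobar,User: testuser,"
    "Source computer: ,Source IP: 0.0.0.0"
)

# Constructed sample input: the e-mail alert quoted in the opening post.
EMAIL_ALERT = """\
Risk name: Trojan.Dropper
Event time: 2009-09-16 13:14:35 GMT
Database insert time: 2009-09-16 13:17:34 GMT
User: testuser
Computer: 226-2
IP Address: 130.xx.xx.xx
Domain: Default
Server: endpoint.foobar
Client Group: My Company\\MyGroup
Action taken on risk: Cleaned by deletion
"""

# A "Key: value" field: the key is letters and spaces, and the colon must be
# followed by a space so that a file path such as "C:/..." is not mistaken
# for a key (assumed convention, based on the quoted line).
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")


def parse_sep_syslog(line):
    """Split a SEPM syslog line into the syslog header, the event name,
    the 'Key: value' fields, and positional fields (the file path)."""
    header, sep, body = line.partition(": ")  # first ': ' ends 'host: event'
    if not sep:
        raise ValueError("no 'host: event' separator in line")
    tokens = body.split(",")
    event = {"_header": header, "_event": tokens[0], "_positional": []}
    for token in tokens[1:]:
        m = KEY_VALUE.match(token)
        if m:
            event[m.group(1)] = m.group(2).strip()
        else:
            event["_positional"].append(token)
    return event


def parse_email_alert(text):
    """Parse the one-field-per-line e-mail alert into a dict, dropping the
    ' GMT' suffix so timestamps compare equal to the syslog ones."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    for k in ("Event time", "Database insert time"):
        if fields.get(k, "").endswith(" GMT"):
            fields[k] = fields[k][:-4]
    return fields


def correlate(syslog_events, email_alerts):
    """Join syslog events to e-mail alerts on (computer, event time) and copy
    the alert's client IP onto the syslog event as 'Client IP' (None if no
    alert matches). The syslog line's own 'Source IP' is the infection
    source, 0.0.0.0 here, so it is deliberately not used as the client IP."""
    by_key = {(a.get("Computer"), a.get("Event time")): a for a in email_alerts}
    enriched = []
    for ev in syslog_events:
        alert = by_key.get((ev.get("Computer name"), ev.get("Event time")))
        out = dict(ev)
        out["Client IP"] = alert.get("IP Address") if alert else None
        enriched.append(out)
    return enriched


if __name__ == "__main__":
    event = parse_sep_syslog(SYSLOG_LINE)
    alert = parse_email_alert(EMAIL_ALERT)
    for row in correlate([event], [alert]):
        print(row["Computer name"], row["Risk name"], "client IP:", row["Client IP"])
```

The join key is deliberately the pair (computer name, event time) rather than the computer name alone, because one host can report several detections and only the matching event should inherit the alert's address. Events with no matching alert keep `Client IP` as `None`, which is the signal to fall back on another enrichment source such as the database query suggested in the last reply.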