
Is there a logging reference guide for SEP 12?

Created: 20 Jun 2012 | 17 comments

We're trying to get our Symantec data into Splunk along with the rest of our security products.  The lack of a consistent logging format for events is making this quite challenging.  Since we can't be sure that our system has generated one of each event, we're looking for a log reference guide so we can understand the format better.

Where can I find one?

Thx.

Craig


AravindKM wrote:

Could these KBs help you?

Symantec Endpoint Protection 11.x event log entries

Symantec Endpoint Protection 12.1.x event log entries

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

responsys_cm wrote:

I'm talking about events that the SEP server sends to syslog.  Here is an example:

Jun 20 14:53:43 10.40.10.61 Jun 20 14:54:46 SymantecServer CORP: Potential risk found,Computer name: CORPE642,Detection type: 4,First Seen: Reputation was not used in this detection.,Application name: Microsoft® Windows® Operating System,Application type: Trojan Worm,Application version: 6.1.7600.16385,Hash type: SHA-256,Application hash: 0000000000000000000000000000000000000000000000000000000000000002,Company name: Microsoft Corporation,File size (bytes): 20992,Sensitivity: 127,Detection score: 0,COH Engine Version: ,Detection Submissions No,Permitted application reason: 0,Disposition: Good,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: Reputation was not used in this detection.,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,c:\windows\system32\svchost.exe,"",Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2012-06-20 21:19:57,Inserted: 2012-06-20 21:54:46,End: 2012-06-20 21:19:57,Domain: Test,Group: My Company\Office,Server: CORP,User: SYSTEM,Source computer: ,Source IP: 0.0.0.0
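To show how the line above splits into fields on the way into a SIEM, here is a parser added as an example for this thread; it is not Symantec code and is not taken from any Symantec document. It assumes only the layout visible in the sample: an optional relay syslog header (timestamp and relay host), the SEPM's own header ending in "SymantecServer <server>:", then a comma-separated message whose fields are mostly "Name: value", with a quoted empty field and a bare file path as positional fields. It treats the zone-less "Event time", "Inserted" and "End" stamps as UTC; that matches the seven-hour gap between the syslog header and the "Inserted" value in the sample but is an assumption, and the placeholder-hash check is a heuristic of my own.

```python
import csv
import re
from datetime import datetime, timezone

# Constructed test input: the line quoted in the post above, split for readability.
SAMPLE = (
    'Jun 20 14:53:43 10.40.10.61 Jun 20 14:54:46 SymantecServer CORP: '
    'Potential risk found,Computer name: CORPE642,Detection type: 4,'
    'First Seen: Reputation was not used in this detection.,'
    'Application name: Microsoft® Windows® Operating System,Application type: Trojan Worm,'
    'Application version: 6.1.7600.16385,Hash type: SHA-256,'
    'Application hash: 0000000000000000000000000000000000000000000000000000000000000002,'
    'Company name: Microsoft Corporation,File size (bytes): 20992,Sensitivity: 127,'
    'Detection score: 0,COH Engine Version: ,Detection Submissions No,'
    'Permitted application reason: 0,Disposition: Good,Download site: ,Web domain: ,'
    'Downloaded by: ,Prevalence: Reputation was not used in this detection.,'
    'Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,'
    'Risk Level: Reputation was not used in this detection.,Detection Source: N/A,'
    'Source: Heuristic Scan,Risk name: ,Occurrences: 1,'
    'c:\\windows\\system32\\svchost.exe,"",Actual action: Left alone,'
    'Requested action: Left alone,Secondary action: Left alone,'
    'Event time: 2012-06-20 21:19:57,Inserted: 2012-06-20 21:54:46,'
    'End: 2012-06-20 21:19:57,Domain: Test,Group: My Company\\Office,'
    'Server: CORP,User: SYSTEM,Source computer: ,Source IP: 0.0.0.0'
)

# Syslog-style timestamp without a year, e.g. "Jun 20 14:53:43".
_TS = r'[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}'
# Optional relay header (timestamp + relay host), then the SEPM header.
HEADER = re.compile(
    r'^(?:(?P<relay_ts>' + _TS + r') (?P<relay_host>\S+) )?'
    r'(?P<sepm_ts>' + _TS + r') SymantecServer (?P<server>[^:]+): (?P<msg>.*)$'
)
# "Name: value" field; requiring a space after the colon keeps "c:\windows\..." out.
KV = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9 ()/-]*): (?P<val>.*)$')
WINPATH = re.compile(r'^[A-Za-z]:\\')
SEPM_TIME = '%Y-%m-%d %H:%M:%S'
TIME_KEYS = ('event_time', 'inserted', 'end')


def normalize_key(key):
    """Turn "File size (bytes)" into "file_size_bytes", a Splunk-friendly field name."""
    return re.sub(r'[^a-z0-9]+', '_', key.lower()).strip('_')


def parse_sepm_time(value):
    # Assumption: SEPM writes these stamps without a zone; the sample's "Inserted"
    # is seven hours ahead of the syslog header, which is consistent with UTC.
    return datetime.strptime(value, SEPM_TIME).replace(tzinfo=timezone.utc)


def parse_risk_event(line):
    """Split one SEPM risk event into a flat dict of normalized fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not a SymantecServer syslog line')
    event = {k: v for k, v in m.groupdict().items() if k != 'msg' and v is not None}
    # The message is CSV-shaped: the quoted "" becomes an empty positional field.
    tokens = next(csv.reader([m.group('msg')]))
    event['event_name'] = tokens[0]
    positional = []
    for tok in tokens[1:]:
        kv = KV.match(tok)
        if kv:
            event[normalize_key(kv.group('key'))] = kv.group('val').strip()
        elif WINPATH.match(tok):
            event['file_path'] = tok   # bare path field with no "Name:" prefix
        else:
            positional.append(tok)     # e.g. "Detection Submissions No" and ""
    event['unparsed'] = positional
    for key in TIME_KEYS:
        if event.get(key):
            event[key + '_utc'] = parse_sepm_time(event[key]).isoformat()
    return event


def unremediated(event):
    """True when a risk was reported but the product recorded no action on it."""
    return event.get('actual_action') == 'Left alone'


def hash_is_placeholder(event):
    """Heuristic: a digest that is almost all zeros is not a real SHA-256 and must
    not be used as a pivot in the SIEM."""
    return re.fullmatch(r'0{56,}[0-9a-f]{0,8}', event.get('application_hash', '')) is not None


def to_splunk_kv(event):
    """Render as key="value" pairs so Splunk's automatic field extraction picks them up."""
    parts = []
    for key, val in event.items():
        if key == 'unparsed':
            val = '|'.join(val)
        val = str(val).replace('\\', '\\\\').replace('"', '\\"')
        parts.append('%s="%s"' % (key, val))
    return ' '.join(parts)
```

Run parse_risk_event(SAMPLE) and feed to_splunk_kv() of the result to Splunk; fields the product emits without a "Name:" prefix land in "unparsed" so nothing is silently dropped, and the two flags give you a starting point for an alert on detections that were left in place.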
AravindKM wrote:

Please have a look at this KB

Convert Endpoint Protection Manager syslog.log Timestamp to Standard Timestamp

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

responsys_cm wrote:

I want a document that outlines every unique log message generated by the product.  Cisco provides something like this page:

http://www.cisco.com/en/US/docs/security/asa/asa82...

Does Symantec not have some kind of equivalent?  It's an awful lot of work to go through the GUI (or command line) and generate every single administrative action we might want to monitor.  And it's almost impossible to simulate failures of product components which we may wish to alert or report on.

C

.Brian wrote:

I can't say for sure that one does or doesn't exist but usually when I need info like this, I refer to the Schema document. This may or may not help but I'll post for you to review.

Attachment: Schema_Reference_Guide_SEP12.1.pdf (1.34 MB)

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ian_C. wrote:

Hi Brian.

The schema identifies where in the database the data is stored and what type the data is. The comments column helps to understand what data is stored here.

Unfortunately, it does not give you samples of

  • this is what a line entry looks like for definition updates
  • this is what a line entry looks like for an infection detection
  • this is what a line entry looks like for blocking an infection
  • this is what a line entry looks like for repairing an infection
  • this is what a line entry looks like for a normal heartbeat

I believe NGM is looking for a description of those bullet list items.

Please mark the post that best solves your problem as the answer to this thread.
.Brian wrote:

I'm aware but unless Symantec has an internal one, I don't believe there is one available publicly. I simply posted with the remote hope that it may help somehow.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

jeimues wrote:

I found more information at this link for events 20344 and 21260:

http://uk.norton.com/security_response/threatexplorer/search.jsp

[SID: 20344] Attack: HTTP htdig File Disclosure CVE-2000-0208 attack blocked. Traffic has been blocked for this application:
[SID: 21260] OS Attack: NetBIOS MS PnP QueryResConflist BO attack blocked. Traffic has been blocked for this application: 
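The two IPS lines quoted above have a different shape from the risk event earlier in the thread, so here is a small parser for them, added as an example for this thread; it is not Symantec or Norton code. It assumes only what the two lines show: a "[SID: n]" prefix, a category before the first colon, the signature name, the word "attack" followed by the action, and a trailing "Traffic has been ... for this application:" clause; any text after that final colon is captured as the application name, which is an assumption since both samples end there.

```python
import re

# Constructed test input: the two lines quoted in the post above.
IPS_SAMPLES = [
    '[SID: 20344] Attack: HTTP htdig File Disclosure CVE-2000-0208 attack blocked. '
    'Traffic has been blocked for this application:',
    '[SID: 21260] OS Attack: NetBIOS MS PnP QueryResConflist BO attack blocked. '
    'Traffic has been blocked for this application: ',
]

# Greedy signature group: the fixed trailing clause anchors the split at the last
# " attack <action>. Traffic has been ..." so signature names containing "attack" survive.
IPS = re.compile(
    r'^\[SID: (?P<sid>\d+)\] (?P<category>[^:]+): (?P<signature>.+) attack (?P<action>\w+)\. '
    r'Traffic has been (?P<traffic>\w+) for this application:\s*(?P<application>.*)$'
)
CVE = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_ips_message(msg):
    """Return a dict of fields for one IPS message, or None if it is not one."""
    m = IPS.match(msg.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['sid'] = int(ev['sid'])
    ev['cves'] = CVE.findall(ev['signature'])   # lets you join against a vuln scanner
    ev['application'] = ev['application'].strip()
    return ev


def not_blocked(events):
    """SIDs whose recorded action is anything other than 'blocked': alert candidates."""
    return sorted(ev['sid'] for ev in events if ev['action'] != 'blocked')
```

In a SIEM the SID is the stable key (the signature text changes with content updates), so index on sid and keep the extracted CVE list as a secondary field for correlation.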
Ian_C. wrote:

Either this needs to turn into an idea that Symantec will review

or

we start another little community project that records which entries are known about by community members. This would be similar to the SQL queries thread.

Please mark the post that best solves your problem as the answer to this thread.
John Santana wrote:

Is there any specific SQL query to get this type of information?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ian_C. wrote:

@John

Are you looking for a query to give you the log files?

responsys_cm has not asked for the log files, but for definitions of the log file designs when it comes to syslog environments.

Please mark the post that best solves your problem as the answer to this thread.
John Santana wrote:

@Ian,

Yes, if that is possible?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ian_C. wrote:

    Ian C.: Are you looking for a query to give you the log files?

    John S.: Yes, if that is possible?

Hi John. I'll respond to the above quoted comments.

Have a look at the database SQL queries thread that I try to keep updated.

Specifically, this comment of mine will give you the raw data of the log files. Remember to remove the two WHERE [EVENT+SOURCE] = 'SYLINK' clauses.

Toby posted a very nice query. It is SEP12 specific.

Please mark the post that best solves your problem as the answer to this thread.
John Santana wrote:

Many thanks Ian for the update !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ian_C. wrote:

@responsys_cm

I think I have an answer for you.

Have a look at article #100099 - Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection

and maybe also at #102052 - Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

Please mark the post that best solves your problem as the answer to this thread.