Endpoint Protection

  • 1.  Syslog message format

    Posted Feb 07, 2011 11:34 AM

    Hi guys,

    Do you know where I could find an exhaustive list of SYSLOG messages produced by Symantec Endpoint Protection server? I'm using syslog to forward events to a central location but I can't find any references/documentation about the format of the messages.

    Thanks



  • 2.  RE: Syslog message format

    Posted Feb 07, 2011 01:15 PM

    Start on page 39 (Ch.2) of this document

    Attachment(s)

    SEC_for_SymEndpoint_43.zip (zip, 392 KB)


  • 3.  RE: Syslog message format

    Posted Feb 08, 2011 05:34 AM

    Hi Brian,

    Thanks for your time and answer, but unfortunately the documentation doesn't contain information about the SYSLOG message format. It seems to be for Symantec Event Collector but not Symantec Endpoint Protection Manager.

     

    Here are some of the messages I have using syslog:

    Jan 30 22:07:50 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,LUALL.EXE has been launched.

    Jan 28 13:20:54 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: MyDomain,Admin: admin,Policy has been edited,TestServers policy LiveUpdate

    Jan 28 13:24:39 192.168.1.1 SymantecServer PIPO-SRV: server11,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (192.168.1.1)

     

    Jan 29 01:33:20 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: MyDomain,The management server received the client log successfully,server11,,johndoe,LocalComputer
     
    Jan 29 01:38:50 192.168.1.1 SymantecServer PIPO-SRV: Scan ID: 1296264604,Begin: 2011-01-29 01:29:50,End: 2011-01-29,Completed,Duration (seconds): 98,User1: SYSTEM,User2: SYSTEM,"Scan started on selected drives and folders and all extensions.","Scan Complete:  Risks: 0   Scanned: 891   Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 891,Omitted: 0,Computer: MyServer15,IP Address: 192.168.1.1,Domain: MyDomain,Group: My Company\MyDomain_DC\Virtual Servers,Server: PIPO-SRV
     
    Jan 28 13:20:46 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: Unknown domain (),Admin: johndoe,Administrator  log on failed
     
    Obviously there are a lot of different messages for each event ("administrator log on failed", "virus detected", etc.) and I'm looking for a reference document.
     
    Thanks for your help
     
    If you need more information don't hesitate,
     
    Regards,
     

     

     



  • 4.  RE: Syslog message format

    Posted Feb 08, 2011 06:31 AM

    Hi pdarmanin,

     

    The "Symantec™ Event Collector 4.3 for Symantec Endpoint Protection 11.0 Quick Reference" that Brian recommended, above, is helpful and has some good examples, but I don't believe that it is comprehensive.  I'm not aware of any comprehensive list.

     

    Admins can configure the type and frequency of events that are exported from the SEPM to a syslog server.

     

    The following article may help, and there is more in the SEPM's built-in help files:

    Exporting data to a Syslog server (http://www.symantec.com/docs/HOWTO27571)

     

    Thanks and best regards,

     

    Mick



  • 5.  RE: Syslog message format

    Posted Feb 09, 2011 02:56 PM

     

    Hi Mick,

    Thanks for your reply, but it doesn't quite answer my question (except if I missed something within the document you are referring to).

    Does it mean Symantec doesn't have any documentation about the SYSLOG message format used by Symantec Endpoint Protection?

    Many thanks for your time and help,