Symantec Endpoint Protection
Broadcom’s Symantec Endpoint Protection security suite delivers anti-malware, anti-virus, firewall, intrusion detection, and other features for servers and desktop computers.
The product includes two main components:
-
The Symantec Endpoint Protection Manager (SEPM) communicates with clients, maintains policies, provides an administrative console, and stores log data in Microsoft SQL Server or an embedded database. See Managing log data in Endpoint Protection Manager in the Broadcom Knowledge Base.
-
The Symantec Endpoint Protection client runs on client systems requiring protection.
See What is Symantec Endpoint Protection? in the Symantec Endpoint Protection Installation and Administration Guide for more information.
| The following steps and configuration samples were tested with SEPM 14.2. See Versions, system requirements, release dates, notes, and fixes for Symantec Endpoint Protection and Endpoint Security in the Broadcom Knowledge Base. |
Microsoft SQL Server database
Follow these steps to collect logs from the SEPM 14.2 Microsoft SQL Server 2012 database with NXLog Agent:
-
Create a Windows/SQL account with read permissions for the SEPM database.
-
Configure an ODBC 32-bit System Data Source on the server running NXLog Agent. For more information, consult the appropriate ODBC documentation: the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.
-
Set an appropriate firewall rule on the database server that accepts connections from the host running NXLog Agent. See Configure a Windows Firewall for Database Engine Access on Microsoft Docs.
-
Configure NXLog Agent to collect logs via ODBC with the im_odbc module.
| If a custom query is needed, it may be helpful to consult the Database schema reference for Endpoint Protection 14.2 in the Broadcom Knowledge Base. |
This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager server through ODBC and gathers logs from the MSSQL database. The first query below collects alerts, and the second (commented) query collects audit events.
<Input in>
Module im_odbc
ConnectionString DSN=SymantecEndpointSecurityDSN; \
database=sem5;uid=user;pwd=password;
# Query for Virus Alerts
SQL SELECT DATEADD(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00') \
AS EventTime,IDX,ALERT_IDX,COMPUTER_IDX,SOURCE,VIRUSNAME_IDX, \
FILEPATH,ALERTDATETIME,USER_NAME FROM V_ALERTS
# Alternative query for the Audit log
#SQL SELECT DATEADD(s,convert(bigint,TIMESTAMP)/1000,'01-01-1970 00:00:00') \
# AS EventTime,METHOD,ARGUMENTS,IP_ADDR FROM V_AUDIT_LOG
</Input>{
"EventTime": "2019-05-30T11:11:51.000000+02:00",
"IDX": "24589CFDC0A886955DE9A4EFE7A07839",
"ALERT_IDX": 1,
"COMPUTER_IDX": "B657A6F2C0A88695489EE7FC3069332A",
"SOURCE": "Real Time Scan",
"VIRUSNAME_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
"FILEPATH": "C:\\Windows\\Temp\\SECOH-QAD.exe",
"ALERTDATETIME": "2019-05-30T11:10:40.000000+02:00",
"USER_NAME": "SYSTEM",
"EventReceivedTime": "2019-05-30T15:25:27.510937+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}{
"EventTime": "2019-05-30T10:41:58.000000+02:00",
"METHOD": "RequestHandler.handleRequest()",
"ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Thu May 30 12:41:58 CEST 2019",
"IP_ADDR": "127.0.0.1",
"EventReceivedTime": "2019-05-30T15:23:59.651649+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}Embedded database
Logs can be collected from the SEPM embedded database using the SAP SQL Anywhere Database Client with the im_odbc module. Configuring NXLog Agent to access the logs directly is not possible due to the embedded database’s limitations.
-
Download and install the SAP SQL Anywhere Database Client.
-
Configure NXLog Agent to collect logs via ODBC with the im_odbc module. Specify SQL Anywhere as ODBC Driver in the ConnectionString directive.
| For technical information about querying the embedded database, check How to query the SEPM embedded database in the Broadcom Knowledge Base. |
| If you need to migrate the embedded database to an MSSQL database, consult Moving from the embedded database to Microsoft SQL Server in the Broadcom Knowledge Base. |
This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager embedded database through ODBC using the SQL Anywhere driver. The first query below collects alerts, and the second (commented) query collects audit events.
<Input in>
Module im_odbc
ConnectionString Driver=SQL Anywhere 17;ENG=Host; \
UID=user;PWD=password;DBN=sem5;LINKS=ShMem;
# Query for Virus Alerts
SQL SELECT DATEADD(ss, TIME_STAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
IDX,Alert_IDX,Computer_IDX,Source,Virusname_IDX,FilePath,AlertDateTime, \
User_Name,Last_Log_Session_Guid FROM V_ALERTS
# Alternative query for the Audit log
#SQL SELECT DATEADD(ss, TIMESTAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
# Method,Arguments,IP_ADDR FROM V_AUDIT_LOG
Exec $EventTime = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ');
</Input>{
"EventTime": "2019-05-29T17:12:20.000000+02:00",
"IDX": "9B597DD0C0A8868C6DB24C4E332BA2EB",
"Alert_IDX": 1,
"Computer_IDX": "D93E2505C0A8868C4AB07113C78CD110",
"Source": "Real Time Scan",
"Virusname_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
"FilePath": "C:\\Windows\\SECOH-QAD.exe",
"AlertDateTime": "2019-05-29T17:09:54.000000+02:00",
"User_Name": "SYSTEM",
"Last_Log_Session_Guid": "20b4e2887f1c4ea89095e2c67b1ef047",
"EventReceivedTime": "2019-05-29T19:24:15.534487+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}{
"EventTime": "2019-05-29T09:44:23.000000+02:00",
"Method": "RequestHandler.handleRequest()",
"Arguments": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Wed May 29 11:44:23 CEST 2019",
"IP_ADDR": "127.0.0.1",
"EventReceivedTime": "2019-05-29T18:54:51.279574+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}