Symantec Endpoint Protection

The Symantec Endpoint Protection security suite provides anti-malware, anti-virus, firewall, intrusion detection, and other features for servers and desktop computers. The product includes two main components: the Symantec Endpoint Protection client which runs on client systems requiring protection; and the Symantec Endpoint Protection Manager (SEPM) which communicates with clients, maintains policies, provides an administrative console, and stores log data. For more information, see What is Symantec Endpoint Protection? on Symantec Support.

Symantec Endpoint Protection Manager (SEPM) stores log data in an MSSQL Server database or in an embedded database. For more details, see Managing log data in the Symantec Endpoint Protection Manager (SEPM) on Symantec Support.

The following steps and configurations were tested with SEPM 14.2; see Released versions of Symantec Endpoint Protection on Symantec Support.

MSSQL Server database

To collect logs from an SEPM 14.2 installation backed by an MSSQL Server 2012 database with NXLog, complete these actions:

  1. Create a Windows/SQL account with read permissions for the SEPM database.

  2. Configure an ODBC 32-bit System Data Source on the server running NXLog. For more information, consult the relevant ODBC documentation: the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.

  3. Set an appropriate firewall rule on the database server that accepts connections from the server running NXLog. For more information, see Configure a Windows Firewall for Database Engine Access on Microsoft Docs.

  4. Configure NXLog to collect logs via ODBC with the im_odbc module.

If a custom query is needed, it may be helpful to consult the Database schema reference for Endpoint Protection 14.x on Symantec Support.

Example 1. Collecting SEPM logs from SQL database

This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager server via ODBC and collect logs from the MSSQL database. The first query below collects alerts and the second (commented) query collects audit events.

nxlog.conf
<Input in>
    Module              im_odbc
    ConnectionString    DSN=SymantecEndpointSecurityDSN; \
                        database=sem5;uid=user;pwd=password;

    # Query for Virus Alerts
    SQL SELECT DATEADD(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00') \
        AS EventTime,IDX,ALERT_IDX,COMPUTER_IDX,SOURCE,VIRUSNAME_IDX, \
        FILEPATH,ALERTDATETIME,USER_NAME FROM V_ALERTS

    # Alternative query for the Audit log
    #SQL SELECT DATEADD(s,convert(bigint,TIMESTAMP)/1000,'01-01-1970 00:00:00') \
    #    AS EventTime,METHOD,ARGUMENTS,IP_ADDR FROM V_AUDIT_LOG
</Input>
Event sample (alerts log)
{
  "EventTime": "2019-05-30T11:11:51.000000+02:00",
  "IDX": "24589CFDC0A886955DE9A4EFE7A07839",
  "ALERT_IDX": 1,
  "COMPUTER_IDX": "B657A6F2C0A88695489EE7FC3069332A",
  "SOURCE": "Real Time Scan",
  "VIRUSNAME_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
  "FILEPATH": "C:\\Windows\\Temp\\SECOH-QAD.exe",
  "ALERTDATETIME": "2019-05-30T11:10:40.000000+02:00",
  "USER_NAME": "SYSTEM",
  "EventReceivedTime": "2019-05-30T15:25:27.510937+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
Event sample (audit log)
{
  "EventTime": "2019-05-30T10:41:58.000000+02:00",
  "METHOD": "RequestHandler.handleRequest()",
  "ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Thu May 30 12:41:58 CEST 2019",
  "IP_ADDR": "127.0.0.1",
  "EventReceivedTime": "2019-05-30T15:23:59.651649+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}

Embedded database

Logs can be collected from the SEPM embedded database by using the SAP SQL Anywhere Database Client with the im_odbc module. Configuring NXLog to access the logs directly is not possible due to limitations of the embedded database.

  1. Download and install the SAP SQL Anywhere Database Client.

  2. Configure NXLog to collect logs via ODBC with the im_odbc module. Specify SQL Anywhere as the ODBC Driver in the ConnectionString directive.

For more technical information about querying the embedded database, check How to query the SEPM embedded database on Symantec Support.

If it becomes necessary to migrate the embedded database to an MSSQL database, consult Moving from the embedded database to Microsoft SQL Server on Symantec Support.

Example 2. Collecting Symantec logs from the embedded database

This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager embedded database via ODBC with the SQL Anywhere driver. The first query below collects alerts and the second (commented) query collects audit events.

nxlog.conf
<Input in>
    Module           im_odbc
    ConnectionString Driver=SQL Anywhere 17;ENG=Host; \
                     UID=user;PWD=password;DBN=sem5;LINKS=ShMem;

    # Query for Virus Alerts
    SQL SELECT DATEADD(ss, TIME_STAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
        IDX,Alert_IDX,Computer_IDX,Source,Virusname_IDX,FilePath,AlertDateTime, \
        User_Name,Last_Log_Session_Guid FROM V_ALERTS

    # Alternative query for the Audit log
    #SQL SELECT DATEADD(ss, TIMESTAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
    #    Method,Arguments,IP_ADDR FROM V_AUDIT_LOG

    Exec    $EventTime = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ');
</Input>
Event sample (alerts log)
{
  "EventTime": "2019-05-29T17:12:20.000000+02:00",
  "IDX": "9B597DD0C0A8868C6DB24C4E332BA2EB",
  "Alert_IDX": 1,
  "Computer_IDX": "D93E2505C0A8868C4AB07113C78CD110",
  "Source": "Real Time Scan",
  "Virusname_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
  "FilePath": "C:\\Windows\\SECOH-QAD.exe",
  "AlertDateTime": "2019-05-29T17:09:54.000000+02:00",
  "User_Name": "SYSTEM",
  "Last_Log_Session_Guid": "20b4e2887f1c4ea89095e2c67b1ef047",
  "EventReceivedTime": "2019-05-29T19:24:15.534487+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
Event sample (audit log)
{
  "EventTime": "2019-05-29T09:44:23.000000+02:00",
  "Method": "RequestHandler.handleRequest()",
  "Arguments": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Wed May 29 11:44:23 CEST 2019",
  "IP_ADDR": "127.0.0.1",
  "EventReceivedTime": "2019-05-29T18:54:51.279574+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
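The two examples above select the same columns, but the event samples show that the MSSQL back end returns them in upper case (ALERT_IDX, FILEPATH) while the embedded SQL Anywhere back end returns them in mixed case (Alert_IDX, FilePath), so a downstream consumer sees two schemas for one kind of record. The following Python script is an added example, not NXLog's or Symantec's code: it folds both shapes into one, classifies each record as an alert or an audit event from the columns present, extracts the login outcome from the audit ARGUMENTS string, and mirrors the DATEADD(... TIME_STAMP/1000 ...) epoch conversion used by both queries. The input records are constructed to match the samples on this page; the assumption that a failed login is logged with the word "failed" in the same position as "succeeded" is mine, not something the page states.

```python
"""Normalize SEPM alert and audit records emitted by NXLog im_odbc (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed inputs modelled on this page's event samples; not captured from a
# live SEPM. One alert per back end and two audit records (the "failed" one is
# an assumed shape, see FAILED_AUDIT).
MSSQL_ALERT = json.dumps({
    "EventTime": "2019-05-30T11:11:51.000000+02:00",
    "IDX": "24589CFDC0A886955DE9A4EFE7A07839",
    "ALERT_IDX": 1,
    "COMPUTER_IDX": "B657A6F2C0A88695489EE7FC3069332A",
    "SOURCE": "Real Time Scan",
    "VIRUSNAME_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
    "FILEPATH": "C:\\Windows\\Temp\\SECOH-QAD.exe",
    "USER_NAME": "SYSTEM",
    "SourceModuleType": "im_odbc",
})
EMBEDDED_ALERT = json.dumps({
    "EventTime": "2019-05-29T17:12:20.000000+02:00",
    "IDX": "9B597DD0C0A8868C6DB24C4E332BA2EB",
    "Alert_IDX": 1,
    "Computer_IDX": "D93E2505C0A8868C4AB07113C78CD110",
    "Source": "Real Time Scan",
    "Virusname_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
    "FilePath": "C:\\Windows\\SECOH-QAD.exe",
    "User_Name": "SYSTEM",
    "Last_Log_Session_Guid": "20b4e2887f1c4ea89095e2c67b1ef047",
    "SourceModuleType": "im_odbc",
})
MSSQL_AUDIT = json.dumps({
    "EventTime": "2019-05-30T10:41:58.000000+02:00",
    "METHOD": "RequestHandler.handleRequest()",
    "ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) "
                 "succeeded! at Thu May 30 12:41:58 CEST 2019",
    "IP_ADDR": "127.0.0.1",
    "SourceModuleType": "im_odbc",
})
# Assumed shape of a failed console login (constructed; the page shows only a success).
FAILED_AUDIT = json.dumps({
    "EventTime": "2019-05-30T10:43:10.000000+02:00",
    "METHOD": "RequestHandler.handleRequest()",
    "ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) "
                 "failed! at Thu May 30 12:43:10 CEST 2019",
    "IP_ADDR": "10.0.0.5",
    "SourceModuleType": "im_odbc",
})

# Columns selected by the alert and audit queries, case-folded.
ALERT_KEYS = {"idx", "alert_idx", "computer_idx", "source", "virusname_idx",
              "filepath", "alertdatetime", "user_name", "last_log_session_guid"}
AUDIT_KEYS = {"method", "arguments", "ip_addr"}

# Assumption: ARGUMENTS always reads "... logging in as:<account> <outcome>! at <date>".
LOGIN_RE = re.compile(r"logging in as:(?P<account>\S+) (?P<outcome>succeeded|failed)")


def sepm_time_stamp_to_iso(time_stamp):
    """SEPM stores TIME_STAMP as milliseconds since the Unix epoch. Both queries
    use DATEADD(s, TIME_STAMP/1000, '1970-01-01 00:00:00'), i.e. integer seconds
    with the millisecond part dropped; this does the same, in UTC."""
    seconds = int(time_stamp) // 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_event(raw_json):
    """Return one flat dict with lower-case keys regardless of which back end
    produced the record, plus a 'kind' field (alert, audit or unknown)."""
    folded = {k.lower(): v for k, v in json.loads(raw_json).items()}
    out = {"event_time": folded.get("eventtime")}
    if AUDIT_KEYS.issubset(folded):
        out["kind"] = "audit"
        out["method"] = folded["method"]
        out["source_ip"] = folded["ip_addr"]
        match = LOGIN_RE.search(folded["arguments"])
        if match:
            out["account"] = match.group("account")
            out["login_ok"] = match.group("outcome") == "succeeded"
    elif "virusname_idx" in folded:
        out["kind"] = "alert"
        for key in ALERT_KEYS:
            if key in folded:
                out[key] = folded[key]
    else:
        out["kind"] = "unknown"
    return out


def failed_logins(raw_events):
    """List (account, source_ip) for every audit record whose login did not succeed."""
    hits = []
    for raw in raw_events:
        event = normalize_event(raw)
        if event["kind"] == "audit" and event.get("login_ok") is False:
            hits.append((event["account"], event["source_ip"]))
    return hits


if __name__ == "__main__":
    for raw in (MSSQL_ALERT, EMBEDDED_ALERT, MSSQL_AUDIT, FAILED_AUDIT):
        print(normalize_event(raw))
    print("failed console logins:", failed_logins([MSSQL_AUDIT, FAILED_AUDIT]))
    print(sepm_time_stamp_to_iso(1559207511789))
```

Because the script keys only on case-folded column names, the same code consumes output from either Example 1 or Example 2 without a per-back-end branch; if you change the SELECT lists, extend ALERT_KEYS and AUDIT_KEYS to match. The regex is the fragile part: it depends on the free-text ARGUMENTS format SEPM writes, so treat a non-match as "outcome unknown" rather than as a success.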
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 03 December 2019