NXLog Documentation

Symantec Endpoint Protection

Broadcom’s Symantec Endpoint Protection security suite delivers anti-malware, anti-virus, firewall, intrusion detection, and other features for servers and desktop computers.

The product includes two main components:

  • The Symantec Endpoint Protection Manager (SEPM) communicates with clients, maintains policies, provides an administrative console, and stores log data in Microsoft SQL Server or an embedded database. See Managing log data in Endpoint Protection Manager in the Broadcom Knowledge Base.

  • The Symantec Endpoint Protection client runs on client systems requiring protection.

See What is Symantec Endpoint Protection? in the Symantec Endpoint Protection Installation and Administration Guide for more information.

The following steps and configuration samples were tested with SEPM 14.2. See Versions, system requirements, release dates, notes, and fixes for Symantec Endpoint Protection and Endpoint Security in the Broadcom Knowledge Base.

Microsoft SQL Server database

Follow these steps to collect logs from the SEPM 14.2 Microsoft SQL Server 2012 database with NXLog:

  1. Create a Windows/SQL account with read permissions for the SEPM database.

  2. Configure an ODBC 32-bit System Data Source on the server running NXLog. For more information, consult the appropriate ODBC documentation: the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.

  3. Set an appropriate firewall rule on the database server that accepts connections from the host running NXLog. See Configure a Windows Firewall for Database Engine Access on Microsoft Docs.

  4. Configure NXLog to collect logs via ODBC with the im_odbc module.

If a custom query is needed, it may be helpful to consult the Database schema reference for Endpoint Protection 14.2 in the Broadcom Knowledge Base.
Example 1. Collecting SEPM logs from Microsoft SQL Server

This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager server through ODBC and gathers logs from the MSSQL database. The first query below collects alerts, and the second (commented) query collects audit events.

nxlog.conf
<Input in>
    Module              im_odbc
    ConnectionString    DSN=SymantecEndpointSecurityDSN; \
                        database=sem5;uid=user;pwd=password;

    # Query for Virus Alerts
    SQL SELECT DATEADD(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00') \
        AS EventTime,IDX,ALERT_IDX,COMPUTER_IDX,SOURCE,VIRUSNAME_IDX, \
        FILEPATH,ALERTDATETIME,USER_NAME FROM V_ALERTS

    # Alternative query for the Audit log
    #SQL SELECT DATEADD(s,convert(bigint,TIMESTAMP)/1000,'01-01-1970 00:00:00') \
    #    AS EventTime,METHOD,ARGUMENTS,IP_ADDR FROM V_AUDIT_LOG
</Input>
Event sample (alerts log)
{
  "EventTime": "2019-05-30T11:11:51.000000+02:00",
  "IDX": "24589CFDC0A886955DE9A4EFE7A07839",
  "ALERT_IDX": 1,
  "COMPUTER_IDX": "B657A6F2C0A88695489EE7FC3069332A",
  "SOURCE": "Real Time Scan",
  "VIRUSNAME_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
  "FILEPATH": "C:\\Windows\\Temp\\SECOH-QAD.exe",
  "ALERTDATETIME": "2019-05-30T11:10:40.000000+02:00",
  "USER_NAME": "SYSTEM",
  "EventReceivedTime": "2019-05-30T15:25:27.510937+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
Event sample (audit log)
{
  "EventTime": "2019-05-30T10:41:58.000000+02:00",
  "METHOD": "RequestHandler.handleRequest()",
  "ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Thu May 30 12:41:58 CEST 2019",
  "IP_ADDR": "127.0.0.1",
  "EventReceivedTime": "2019-05-30T15:23:59.651649+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}

Embedded database

Logs can be collected from the SEPM embedded database using the SAP SQL Anywhere Database Client with the im_odbc module. Configuring NXLog to access the logs directly is not possible due to the embedded database’s limitations.

  1. Download and install the SAP SQL Anywhere Database Client.

  2. Configure NXLog to collect logs via ODBC with the im_odbc module. Specify SQL Anywhere as ODBC Driver in the ConnectionString directive.

For technical information about querying the embedded database, check How to query the SEPM embedded database in the Broadcom Knowledge Base.
If you need to migrate the embedded database to an MSSQL database, consult Moving from the embedded database to Microsoft SQL Server in the Broadcom Knowledge Base.
Example 2. Collecting SEPM logs from the embedded database

This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager embedded database through ODBC using the SQL Anywhere driver. The first query below collects alerts, and the second (commented) query collects audit events.

nxlog.conf
<Input in>
    Module           im_odbc
    ConnectionString Driver=SQL Anywhere 17;ENG=Host; \
                     UID=user;PWD=password;DBN=sem5;LINKS=ShMem;

    # Query for Virus Alerts
    SQL SELECT DATEADD(ss, TIME_STAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
        IDX,Alert_IDX,Computer_IDX,Source,Virusname_IDX,FilePath,AlertDateTime, \
        User_Name,Last_Log_Session_Guid FROM V_ALERTS

    # Alternative query for the Audit log
    #SQL SELECT DATEADD(ss, TIMESTAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
    #    Method,Arguments,IP_ADDR FROM V_AUDIT_LOG

    Exec    $EventTime = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ');
</Input>
Event sample (alerts log)
{
  "EventTime": "2019-05-29T17:12:20.000000+02:00",
  "IDX": "9B597DD0C0A8868C6DB24C4E332BA2EB",
  "Alert_IDX": 1,
  "Computer_IDX": "D93E2505C0A8868C4AB07113C78CD110",
  "Source": "Real Time Scan",
  "Virusname_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
  "FilePath": "C:\\Windows\\SECOH-QAD.exe",
  "AlertDateTime": "2019-05-29T17:09:54.000000+02:00",
  "User_Name": "SYSTEM",
  "Last_Log_Session_Guid": "20b4e2887f1c4ea89095e2c67b1ef047",
  "EventReceivedTime": "2019-05-29T19:24:15.534487+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
Event sample (audit log)
{
  "EventTime": "2019-05-29T09:44:23.000000+02:00",
  "Method": "RequestHandler.handleRequest()",
  "Arguments": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Wed May 29 11:44:23 CEST 2019",
  "IP_ADDR": "127.0.0.1",
  "EventReceivedTime": "2019-05-29T18:54:51.279574+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_odbc"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

Symantec Endpoint Protection Manager 14.2
SAP SQL Anywhere 17.0
NXLog version 5.5.7535
Windows 10

Last revision: 27 June 2022