Endpoint Protection

 View Only

  • 1.  Syslog Output from SEPM

    Posted Dec 01, 2011 07:31 AM

    Hey Guys, is there any useful information that can be captured in the syslog output from the SEPM? Curious if anyone is using it for alerting purposes.



  • 2.  RE: Syslog Output from SEPM

    Broadcom Employee
    Posted Dec 01, 2011 07:45 AM

    the risk events, health status event of SEPM would be the factors that can be considered



  • 3.  RE: Syslog Output from SEPM

    Posted Dec 01, 2011 09:15 AM

     

    0) External Log Timer:

    Task

    Initial Delay

    Frequency

    Description

    Type

    Product

    ExternalLoggingTask

    10 seconds

    1 minute

    Sends logs to Syslog Server and export logs to a dump file

    Fixed delay task

    SEP11.x & SEP12.x


  • 4.  RE: Syslog Output from SEPM

    Posted Dec 01, 2011 09:19 AM

    I am not following that last post? I know how to turn on the syslog. I am just not 100% sure what kind of data is in the output or if any of it is valuable to alert on.



  • 5.  RE: Syslog Output from SEPM

    Posted Dec 01, 2011 10:11 AM

    Syslog is a standard for computer data logging. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices which would otherwise be unable to communicate a means to notify administrators of problems or performance



  • 6.  RE: Syslog Output from SEPM

    Trusted Advisor
    Posted Dec 01, 2011 10:17 AM

    Hello,

    There are Lots of Logs which it could be used for.

    Check the Screenshots.

     

     

    Also, check this Article:

    https://www-secure.symantec.com/connect/forums/how-configure-external-logging-ssim-symantec-endpoint-protection

     

    Hope that helps!!



  • 7.  RE: Syslog Output from SEPM

    Posted Dec 01, 2011 10:21 AM

    I got it setup and working fine. Just need to see what the logs have to offer. Is there a master list of all the possible messages?



  • 8.  RE: Syslog Output from SEPM

    Trusted Advisor
    Posted Dec 02, 2011 10:33 AM
      |   view attached

    Hello STF,

    The "Symantec™ Event Collector 4.3 for Symantec Endpoint Protection 11.0 Quick Reference" that is attached below, is helpful and has some good examples, but I don't believe that it is comprehensive.  I'm not aware of any comprehensive list.

    Admins can configure the type and frequency of events that are exported from the SEPM to a syslog server.

    The following article may help, and there is mor ein the SEPM's built-in help files:

    Exporting data to a Syslog server (http://www.symantec.com/docs/HOWTO27571)

    You can also check the Administration guide found in the URL below for more info:

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/11.0/manuals/

    Hope that helps!!

    Attachment(s)

    zip
    SEC_for_SymEndpoint_43_0.zip   392 KB 1 version


  • 9.  RE: Syslog Output from SEPM

    Posted Dec 04, 2011 08:17 AM

    syslog "Priority" is a combination of Facility and Severity, sometime expressed as two values seperated by a dot (e.g. lpr.info).
    Syslog Facility can be changed by adjusting "Log Facility" in SEPM External Logging configuration