90. Symantec Endpoint Protection
The Symantec Endpoint Protection security suite provides anti-malware, anti-virus, firewall, intrusion detection, and other features for servers and desktop computers. The product includes two main components: the Symantec Endpoint Protection client which runs on client systems requiring protection; and the Symantec Endpoint Protection Manager (SEPM) which communicates with clients, maintains policies, provides an administrative console, and stores log data. For more information, see What is Symantec Endpoint Protection? on Symantec Support.
Symantec Endpoint Protection Manager (SEPM) stores log data in an MSSQL Server database or in an embedded database. For more details, see Managing log data in the Symantec Endpoint Protection Manager (SEPM) on Symantec Support.
Note: The following steps and configurations were tested with SEPM 14.2; see Released versions of Symantec Endpoint Protection on Symantec Support.
90.1. MSSQL Server Database
To collect logs from the SEPM 14.2 MSSQL 2012 database with NXLog, complete these actions:
- Create a dedicated Windows or SQL Server account for NXLog with read-only permissions on the SEPM database (SELECT on the views used in the query below is sufficient). Do not reuse the SEPM service account or an account with write access.
- Configure an ODBC 32-bit System Data Source on the server running NXLog. The DSN must be created with the same bitness as the NXLog binary (32-bit here), because an application only sees ODBC drivers and DSNs of its own bitness. For more information, consult the relevant ODBC documentation: the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.
- Set a firewall rule on the database server that accepts connections to the SQL Server port only from the server running NXLog. For more information, see Configure a Windows Firewall for Database Engine Access on Microsoft Docs.
- Configure NXLog to collect logs via ODBC with the im_odbc module.
Tip: If a custom query is needed, it may be helpful to consult the Database schema reference for Endpoint Protection 14.x on Symantec Support.
This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager server via ODBC and collect logs from the MSSQL database. The first query collects virus alerts from the V_ALERTS view; the second (commented out) query collects administrative audit events from V_AUDIT_LOG. TIME_STAMP is stored as milliseconds since the Unix epoch, which is why the DATEADD expression divides by 1000 and adds the result to 1970-01-01 to produce EventTime. Two points to keep in mind: as written, each poll returns every row of the view, so for production use add a WHERE clause using im_odbc's `?` placeholder (substituted with the last ID read) so that only new rows are returned; and the ConnectionString holds the database password in cleartext, so restrict read access to the NXLog configuration file to the account NXLog runs as.
<Input in>
    Module           im_odbc
    ConnectionString DSN=SymantecEndpointSecurityDSN; \
                     database=sem5;uid=user;pwd=password;
    # Query for Virus Alerts
    # TIME_STAMP is Unix epoch milliseconds; convert it to a datetime as EventTime
    SQL              SELECT DATEADD(s,convert(bigint,TIME_STAMP)/1000,'01-01-1970 00:00:00') \
                     AS EventTime,IDX,ALERT_IDX,COMPUTER_IDX,SOURCE,VIRUSNAME_IDX, \
                     FILEPATH,ALERTDATETIME,USER_NAME FROM V_ALERTS
    # Alternative query for the Audit log (administrative console actions)
    #SQL             SELECT DATEADD(s,convert(bigint,TIMESTAMP)/1000,'01-01-1970 00:00:00') \
    #                AS EventTime,METHOD,ARGUMENTS,IP_ADDR FROM V_AUDIT_LOG
</Input>
{
"EventTime": "2019-05-30T11:11:51.000000+02:00",
"IDX": "24589CFDC0A886955DE9A4EFE7A07839",
"ALERT_IDX": 1,
"COMPUTER_IDX": "B657A6F2C0A88695489EE7FC3069332A",
"SOURCE": "Real Time Scan",
"VIRUSNAME_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
"FILEPATH": "C:\\Windows\\Temp\\SECOH-QAD.exe",
"ALERTDATETIME": "2019-05-30T11:10:40.000000+02:00",
"USER_NAME": "SYSTEM",
"EventReceivedTime": "2019-05-30T15:25:27.510937+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}
{
"EventTime": "2019-05-30T10:41:58.000000+02:00",
"METHOD": "RequestHandler.handleRequest()",
"ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Thu May 30 12:41:58 CEST 2019",
"IP_ADDR": "127.0.0.1",
"EventReceivedTime": "2019-05-30T15:23:59.651649+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}
90.2. Embedded Database
Logs can be collected from the SEPM embedded database with the im_odbc module through the ODBC driver that ships with the SAP SQL Anywhere Database Client. NXLog cannot read the embedded database files directly, so the client is required.
- Download and install the SAP SQL Anywhere Database Client on the server running NXLog. With the shared-memory connection used in the example below, this is the SEPM server itself.
- Configure NXLog to collect logs via ODBC with the im_odbc module. Specify SQL Anywhere as the ODBC Driver in the ConnectionString directive; no DSN is needed because the driver and connection parameters are given inline.
Tip: For more technical information about querying the embedded database, check How to query the SEPM embedded database on Symantec Support.
Tip: If it becomes necessary to migrate the embedded database to an MSSQL database, consult Moving from the embedded database to Microsoft SQL Server on Symantec Support.
This example uses the im_odbc module to connect to the Symantec Endpoint Protection Manager embedded database via ODBC with the SQL Anywhere driver. LINKS=ShMem selects SQL Anywhere's shared-memory transport, which only works when NXLog runs on the same host as the database, and ENG names the database server. The first query collects virus alerts and the second (commented out) query collects audit events; TIME_STAMP is Unix epoch milliseconds, so DATEADD adds TIME_STAMP/1000 seconds to 1970-01-01. The Exec statement rewrites EventTime into the ISO 8601 string shown in the output below. The same caveats apply here as for MSSQL: each poll returns the whole view unless the query is constrained with im_odbc's `?` placeholder, and the cleartext password in ConnectionString means the configuration file must be readable only by the NXLog service account.
<Input in>
    Module           im_odbc
    # Shared-memory link: NXLog must run on the SEPM host
    ConnectionString Driver=SQL Anywhere 17;ENG=Host; \
                     UID=user;PWD=password;DBN=sem5;LINKS=ShMem;
    # Query for Virus Alerts
    # TIME_STAMP is Unix epoch milliseconds; convert it to a datetime as EventTime
    SQL              SELECT DATEADD(ss, TIME_STAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
                     IDX,Alert_IDX,Computer_IDX,Source,Virusname_IDX,FilePath,AlertDateTime, \
                     User_Name,Last_Log_Session_Guid FROM V_ALERTS
    # Alternative query for the Audit log (administrative console actions)
    #SQL             SELECT DATEADD(ss, TIMESTAMP/1000, '1970-01-01 00:00:00') AS EventTime, \
    #                Method,Arguments,IP_ADDR FROM V_AUDIT_LOG
    # Render EventTime as an ISO 8601 string with time zone
    Exec             $EventTime = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ');
</Input>
{
"EventTime": "2019-05-29T17:12:20.000000+02:00",
"IDX": "9B597DD0C0A8868C6DB24C4E332BA2EB",
"Alert_IDX": 1,
"Computer_IDX": "D93E2505C0A8868C4AB07113C78CD110",
"Source": "Real Time Scan",
"Virusname_IDX": "70CB3DDB77EE45CD4C5765A5EF4DAFD9",
"FilePath": "C:\\Windows\\SECOH-QAD.exe",
"AlertDateTime": "2019-05-29T17:09:54.000000+02:00",
"User_Name": "SYSTEM",
"Last_Log_Session_Guid": "20b4e2887f1c4ea89095e2c67b1ef047",
"EventReceivedTime": "2019-05-29T19:24:15.534487+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}
{
"EventTime": "2019-05-29T09:44:23.000000+02:00",
"Method": "RequestHandler.handleRequest()",
"Arguments": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) succeeded! at Wed May 29 11:44:23 CEST 2019",
"IP_ADDR": "127.0.0.1",
"EventReceivedTime": "2019-05-29T18:54:51.279574+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_odbc"
}
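Both configurations above hand the consumer the raw SEPM rows and leave two tasks open: turning a TIME_STAMP value (Unix epoch milliseconds, as the DATEADD expressions imply) into a timezone-aware timestamp, and extracting who logged into the console, from where, and whether it succeeded, out of the free-text Arguments field of the audit log. The following script is an added example, not NXLog's or Symantec's code. It accepts records in either column-name style shown on this page (upper-case from the MSSQL view, mixed-case from the embedded database). The sample records are constructed: the first copies the successful login shown above, the second is a hypothetical failed login from a remote address. The login pattern is an assumption generalised from the single Arguments line on this page, not a documented SEPM format.

```python
"""Post-process SEPM audit records as the im_odbc inputs above emit them.

Added example, not NXLog's or Symantec's code. Handles the JSON shapes
shown on this page from both the MSSQL view (upper-case columns) and the
embedded database (mixed-case columns).
"""
import re
from datetime import datetime, timezone

# Constructed samples: the first copies the MSSQL audit record shown on
# this page; the second is a hypothetical failed login from a remote
# address, in the embedded database's mixed-case column style.
SAMPLE_RECORDS = [
    {
        "EventTime": "2019-05-30T10:41:58.000000+02:00",
        "METHOD": "RequestHandler.handleRequest()",
        "ARGUMENTS": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) "
                     "succeeded! at Thu May 30 12:41:58 CEST 2019",
        "IP_ADDR": "127.0.0.1",
    },
    {
        "EventTime": "2019-05-29T09:44:23.000000+02:00",
        "Method": "RequestHandler.handleRequest()",
        "Arguments": "Windows user:(SEPMInternal) logging in as:admin/(SEPMInternal) "
                     "failed! at Wed May 29 11:44:23 CEST 2019",
        "IP_ADDR": "10.0.0.5",
    },
]

# Assumed pattern: "logging in as:<user>/(<domain>) succeeded!" or "failed!"
LOGIN_RE = re.compile(
    r"logging in as:(?P<user>[^/\s]+)/\((?P<domain>[^)]*)\)\s+"
    r"(?P<result>succeeded|failed)!"
)


def normalize(record):
    """Key a record by upper-case column names so both back ends look alike."""
    return {key.upper(): value for key, value in record.items()}


def epoch_ms_to_iso(time_stamp_ms):
    """Convert a raw TIME_STAMP value (Unix epoch milliseconds) to ISO 8601 UTC.

    This is the conversion the page's DATEADD(..., TIME_STAMP/1000, '1970-01-01')
    performs in SQL, except that the sub-second part is kept and the result is
    explicitly tagged as UTC instead of being a naive server-local time.
    """
    return datetime.fromtimestamp(time_stamp_ms / 1000, tz=timezone.utc).isoformat(
        timespec="milliseconds"
    )


def parse_login(record):
    """Return user, domain, source IP and outcome for a SEPM login audit row.

    Returns None for audit rows that are not login attempts, so the caller
    can run this over the whole V_AUDIT_LOG stream.
    """
    fields = normalize(record)
    match = LOGIN_RE.search(fields.get("ARGUMENTS", ""))
    if match is None:
        return None
    return {
        "time": fields.get("EVENTTIME"),
        "ip": fields.get("IP_ADDR"),
        "user": match["user"],
        "domain": match["domain"],
        "success": match["result"] == "succeeded",
    }


def failed_logins(records):
    """Filter a batch of audit records down to failed console logins."""
    parsed = (parse_login(r) for r in records)
    return [p for p in parsed if p is not None and not p["success"]]


if __name__ == "__main__":
    for login in map(parse_login, SAMPLE_RECORDS):
        print(login)
    # Constructed value: 2019-05-30T08:41:58Z expressed in epoch milliseconds
    print(epoch_ms_to_iso(1559205718000))
```

Feeding the output of the audit query through parse_login and alerting on failed_logins (or on successful logins from an IP_ADDR other than the SEPM host's loopback) turns the audit view into a usable detection source for console account abuse; the normalize step is what lets one rule set serve both the MSSQL and the embedded-database deployments.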