...

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type, and the fourth level is required and is fixed for each log type.

These are the valid tags and corresponding data tables that will receive the parsers' data:

...

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay for tagging and forwarding to Devo. The events can be directed to a single port; you will set up a series of rules to identify the event types and apply the correct Devo tag to each type.

The example rules below are based on port 13075 on the relay, but you can use any free port you choose.

...

Rule 1 - Agent Activity events

  • Source port → Required one

  • Source data → ^SymantecServer: Site:

  • Target Tag → endpoint.symantec.sepm.agent_activity

  • Select both Stop processing and Sent without syslog tag

Rule 2 - Agent Behavior events

  • Source port → Required one

  • Source data → ^SymantecServer: (.*),Device ID:(.*)$

  • Target Tag → endpoint.symantec.sepm.agent_behavior

  • Select both Stop processing and Sent without syslog tag

Rule 3 - Agent Risk events

  • Source port → Required one

  • Source data → ^SymantecServer: ([^,]*),IP Address:

  • Target Tag → endpoint.symantec.sepm.agent_risk

  • Select both Stop processing and Sent without syslog tag

Rule 4 - Agent Scan events

  • Source port → Required one

  • Source data → ^SymantecServer: Scan ID:

  • Target Tag → endpoint.symantec.sepm.agent_scan

  • Select both Stop processing and Sent without syslog tag

Rule 5 - Agent Security events

  • Source port → Required one

  • Source data → ^SymantecServer: (([^,]*),)*SHA-256:

  • Target Tag → endpoint.symantec.sepm.agent_security

  • Select both Stop processing and Sent without syslog tag

Rule 6 - Agent System events

  • Source port → Required one

  • Source data → ^SymantecServer: ([^,]*),Category:

  • Target Tag → endpoint.symantec.sepm.agent_system

  • Select both Stop processing and Sent without syslog tag

Rule 8 - Other events

  • Source port → Required one

  • Target Tag → endpoint.symantec.sepm.others

  • Select both Stop processing and Sent without syslog tag
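The following is an added example, not Devo's relay code: it applies the rule set above in order to constructed SEPM-style message bodies so you can check which tag each event type receives and see why rule order matters (a body that contains both "IP Address:" and "Device ID:" lands in agent_behavior because Rule 2 is evaluated before Rule 3). It assumes the syslog header has already been stripped so each body starts with "SymantecServer:", and the sample messages are constructed, not real SEPM output.

```python
import re

# Relay rules as listed on this page, in the order the relay evaluates them.
# Every rule has "Stop processing" set, so the first match wins; Rule 8 has no
# "Source data" pattern and therefore catches whatever the earlier rules miss.
RELAY_RULES = [
    ("endpoint.symantec.sepm.agent_activity", r"^SymantecServer: Site:"),
    ("endpoint.symantec.sepm.agent_behavior", r"^SymantecServer: (.*),Device ID:(.*)$"),
    ("endpoint.symantec.sepm.agent_risk", r"^SymantecServer: ([^,]*),IP Address:"),
    ("endpoint.symantec.sepm.agent_scan", r"^SymantecServer: Scan ID:"),
    ("endpoint.symantec.sepm.agent_security", r"^SymantecServer: (([^,]*),)*SHA-256:"),
    ("endpoint.symantec.sepm.agent_system", r"^SymantecServer: ([^,]*),Category:"),
    ("endpoint.symantec.sepm.others", None),  # catch-all: no Source data pattern
]
COMPILED = [(tag, re.compile(p) if p else None) for tag, p in RELAY_RULES]


def tag_for(message: str) -> str:
    """Return the Devo tag the relay would apply to one syslog message body.

    Assumption: the syslog header has already been removed, so the body
    starts with "SymantecServer:" exactly as the page's patterns expect.
    """
    body = message.rstrip("\r\n")  # keep "$" in Rule 2 anchored to real content
    for tag, rx in COMPILED:
        if rx is None or rx.search(body):
            return tag
    raise AssertionError("unreachable: the catch-all rule always matches")


def classify(messages):
    """Map each message to its tag; returns a list of (tag, message) pairs."""
    return [(tag_for(m), m) for m in messages]


# Constructed sample bodies (not real SEPM output) that exercise each rule.
SAMPLES = [
    "SymantecServer: Site: Site1,Server Name: sepm01,Domain Name: Default",
    "SymantecServer: host01,Event: Blocked,Device ID: USB-1234",
    "SymantecServer: host01,IP Address: 10.0.0.5,Risk name: EICAR",
    "SymantecServer: Scan ID: 42,Begin: 2024-01-01 10:00:00",
    "SymantecServer: host01,Event: File detected,SHA-256: 0000deadbeef",
    "SymantecServer: sepm01,Category: 2,Event: Server started",
    "SymantecServer: host01,Unrecognised: yes",
]

if __name__ == "__main__":
    for tag, msg in classify(SAMPLES):
        print(f"{tag:40s} <- {msg}")
```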

...