endpoint.symantec

[ 1 Introduction ] [ 2 Tag structure ] [ 3 Configuration ] [ 4 Table structure ]

Check the reference vendor documentation here.

Introduction

The tags beginning with endpoint.symantec identify log events generated by any Symantec Endpoint product.

Tag structure

The full tag must have four levels. The first two are fixed as endpoint.symantec. The third level identifies the technology type and the fourth element is required and fixed depending upon the log type.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Symantec Endpoint Protection Manager	`endpoint.symantec.sepm.agent_activity`	`endpoint.symantec.sepm.agent_activity`
	`endpoint.symantec.sepm.agent_behavior`	`endpoint.symantec.sepm.agent_behavior`
	`endpoint.symantec.sepm.agent_risk`	`endpoint.symantec.sepm.agent_risk`
	`endpoint.symantec.sepm.agent_scan`	`endpoint.symantec.sepm.agent_scan`
	`endpoint.symantec.sepm.agent_security`	`endpoint.symantec.sepm.agent_security`
	`endpoint.symantec.sepm.agent_system`	`endpoint.symantec.sepm.agent_system`
	`endpoint.symantec.sepm.agent_traffic`	`endpoint.symantec.sepm.agent_traffic`
	`endpoint.symantec.sepm.others`	`endpoint.symantec.sepm.others`

Once Symantec Endpoint Protection Manager events are delivered to Devo, they will be accessible from the finder in tables with the same names.

For more information, read more about Devo tags.

Configuration

All Symantec Endpoint Protection Manager events should be sent to a Devo Relay for tagging and forwarding to Devo. The events can be directed to a single port; you will set up a series of rules to identify the event types and apply the correct Devo tag to each type.

Rule 1 - Agent Activity events

Source port → Required one
Source data → ^SymantecServer: Site:
Target Tag → endpoint.symantec.sepm.agent_activity
Select both Stop processing and Sent without syslog tag

Rule 2 - Agent Behavior events

Source port → Required one
Source data → ^SymantecServer: (.*),Device ID:(.*)$
Target tag → endpoint.symantec.sepm.agent_behavior
Select both Stop processing and Sent without syslog tag

Rule 3 - Agent Risk events

Source port → Required one
Source data → ^SymantecServer: ([^,]*),IP Address:
Target tag → endpoint.symantec.sepm.agent_risk
Select both Stop processing and Sent without syslog tag

Rule 4 - Agent Scan events

Source port → Required one
Source data → ^SymantecServer: Scan ID:
Target tag → endpoint.symantec.sepm.agent_scan
Select both Stop processing and Sent without syslog tag

Rule 5 - Agent Security events

Source port → Required one
Source data → ^SymantecServer: (([^,]*),)*SHA-256:
Target tag → endpoint.symantec.sepm.agent_security
Select both Stop processing and Sent without syslog tag

Rule 6 - Agent System events

Source port → Required one
Source data → ^SymantecServer: ([^,]*),Category:
Target Tag → endpoint.symantec.sepm.agent_system
Select both Stop Processing and Sent without syslog tag

Rule 8 - Other events

Source port → Required one
Target tag → endpoint.symantec.sepm.others
Select both Stop Processing and Sent without syslog tag

Table structure

These are the fields displayed in this table: