NOTE: If you have questions about Syslog Redirect and how this protocol works, you can discuss this protocol in our forums.
The event pipeline receives the data with the new header and is able to properly parsed by the QRadar appliance. This protocol works by using a regular expression to generate a new Syslog header, so you have. The Syslog Redirect Protocol allows the Syslog header from the event payload to be substituted with another header to ensure that an IP or hostname can be used to parse the event properly. If you cannot update to Symantec Endpoint Protection 12.1.6 MP4Īn alternate option for administrators is to use the Syslog Redirect Protocol and send Symantec Endpoint Protection Syslog events to port 517 on the QRadar system. This issue was corrected by Symantec in a bugfix in SEP 12.1.6 MP4. Note: In the Example above that SymanterServer is in the place of the host name, instead of the actual server name ServerAĪdministrators with Symantec Endpoint Protection appliances should review the fix provided by Symantec.
Jun 2 09:37:57 SymantecServer ServerA: Virus found,Computer name:ServerA,Source: Real Time Scan,Risk name: CAR Test String,Occurrences:1,D:/ffirectoryA/DirectoryB,"",Actual action: Cleaned by deletion,Requested action:Cleaned,Secondary action: Quarantined,Event time: 14:22:10,Inserted: 14:32:57,End: 14:32:10,Domain: Default,Group: My Group\WAN\Offline Servers,Server:ServerA,User: exampleuser1,Source computer: ,Source IP: 0.0.0.0 This information in most RFC Syslog payloads is normally reserved for the host name or IP Address of the appliance that generated the event, not a generic value. This issue is due to how Symantec generates Syslog headers as the header always contains an application name of SymantecServer. This issue has been resolved by Symantec in software version 12.1.6.MP4.įor Symantec appliances on older firmware:
The Symantec Endpoint Protection Server is out of date.
0 kommentar(er)
