
Symantec Endpoint Protection
The JSA DSM for Symantec Endpoint Protection collects events from a Symantec Endpoint Protection system.

The following table describes the specifications for the Symantec Endpoint Protection DSM:

Table 1: Symantec Endpoint Protection DSM Specifications

    Specification                Value
    Manufacturer                 Symantec
    DSM name                     Symantec Endpoint Protection
    RPM file name                DSM-SymantecEndpointProtection-JSA_version-build_number.noarch.rpm
    Supported versions           Endpoint Protection V11, V12, and V14
    Protocol                     Syslog
    Event format                 Syslog
    Recorded event types         All Audit and Security Logs
    Automatically discovered?    Yes
    Includes identity?           No
    Includes custom properties?  No
    More information             Symantec website (https://www.symantec.com)

To integrate Symantec Endpoint Protection with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • DSMCommon RPM

    • Symantec Endpoint Protection DSM RPM

  2. Configure your Symantec Endpoint Protection device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Symantec Endpoint Protection log source on the JSA console. The following table describes the parameters that require specific values to collect events from Symantec Endpoint Protection:

    Table 2: Symantec Endpoint Protection Log Source Parameters

    Parameter               Value
    Log Source type         Symantec Endpoint Protection
    Protocol Configuration  Syslog
    Log Source Identifier   Type a unique identifier for the log source.

  4. Verify that JSA is configured correctly.

    The following table shows a sample normalized event message from Symantec Endpoint Protection:

    Table 3: Symantec Endpoint Protection Sample Message

    Event name          Blocked
    Low level category  Access Denied
    Sample log message:

    <51>Mar 3 13:52:13 apsepm1 SymantecServer: USER,1.1.1.1, Blocked,[AC13-1.5] Block from loading other DLLs - Caller MD5=323c1f1d9c24f9f7ffa6348594aaaaa,Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,C:/Users/USER/AppData/Local/assembly/dl3/DMD7K4QX.8GW/WQ9LV1W4.8HL/e705c114/006fef9d_f364d101/ProjectPublisher2010.DLL,User: USER,Domain: LAB,Action Type: ,File size (bytes): 4216832,Device ID: SCSI\Disk&Ven_ATA&Prod_SAMSUNG_SSD_PM83\4&27c82505&0&000000

Configuring Symantec Endpoint Protection to Communicate with JSA

Before you can add the Symantec Endpoint Protection log source in JSA, you need to configure your Symantec Endpoint Protection device to forward syslog events.

  1. Log in to your Symantec Endpoint Protection Manager system.
  2. In the left pane, click the Admin icon.
  3. At the bottom of the View Servers pane, click Servers.
  4. In the View Servers pane, click Local Site.
  5. In the Tasks pane, click Configure External Logging.
  6. On the General tab, select the Enable Transmission of Logs to a Syslog Server check box.
  7. In the Syslog Server field, type the IP address of the JSA system that you want to parse the logs.
  8. In the UDP Destination Port field, type 514.
  9. In the Log Facility field, type 6.
  10. In the Log Filter tab, under Management Server Logs, select the Audit Logs check box.
  11. In the Client Log pane, select the Security Logs check box.
  12. In the Client Log pane, select the Risks check box.
  13. Click OK.
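The following Python script is an added example and is not part of the Juniper documentation or of any Symantec or JSA component. It ties the two technical parts of this page together: it decodes the `<51>` PRI of the Table 3 sample into facility 6 and severity 3 (facility 6 is exactly the Log Facility value entered in step 9, so the check confirms the forwarder is configured as described), splits the comma-separated `SymantecServer` body into positional and labelled fields, and provides a small UDP receiver for confirming that the manager really forwards to UDP 514 (step 8) before you add the log source. The `SAMPLE` string is the page's Table 3 message with the mid-word line-wrap spaces from document extraction removed. The function names, the `positional`/`attrs` split, and the reading of the third positional field as the action are assumptions of this example, not JSA's own normalization logic.

```python
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field

# Constructed sample: the Table 3 message from this page, with the line-wrap
# spaces that document extraction inserted mid-word removed so it parses cleanly.
SAMPLE = (
    "<51>Mar 3 13:52:13 apsepm1 SymantecServer: USER,1.1.1.1, Blocked,"
    "[AC13-1.5] Block from loading other DLLs - Caller MD5=323c1f1d9c24f9f7ffa6348594aaaaa,"
    "Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,"
    "Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,"
    "6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,"
    "C:/Users/USER/AppData/Local/assembly/dl3/DMD7K4QX.8GW/WQ9LV1W4.8HL/e705c114/"
    "006fef9d_f364d101/ProjectPublisher2010.DLL,User: USER,Domain: LAB,Action Type: ,"
    "File size (bytes): 4216832,"
    "Device ID: SCSI\\Disk&Ven_ATA&Prod_SAMSUNG_SSD_PM83\\4&27c82505&0&000000"
)

EXPECTED_FACILITY = 6   # the value typed into the Log Facility field (step 9)
SYSLOG_PORT = 514       # the UDP Destination Port from step 8
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# RFC 3164 style header as SEP emits it: <PRI>Mmm dd hh:mm:ss host app: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<body>.*)$",
    re.S,
)
# "Label: value" fields inside the body; a bare "Action Type:" carries an empty value.
# Windows paths such as "C:/Program Files" do not match because "/" follows the colon.
KV_RE = re.compile(r"^([A-Za-z][\w ()]*?):(?: (.*))?$")
MD5_RE = re.compile(r"Caller MD5=([0-9A-Fa-f]+)")


@dataclass
class SepEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    positional: list[str] = field(default_factory=list)   # unlabelled fields, in order
    attrs: dict[str, str] = field(default_factory=dict)    # "Label: value" fields

    @property
    def action(self) -> str:
        # Assumption of this example: the third positional field ("Blocked")
        # is the value Table 3 shows as the event name.
        return self.positional[2] if len(self.positional) > 2 else ""

    @property
    def caller_md5(self) -> str | None:
        for f in self.positional:
            m = MD5_RE.search(f)
            if m:
                return m.group(1).lower()
        return None


def decode_pri(pri: int) -> tuple[int, int]:
    """Split an RFC 3164 PRI into (facility, severity); 51 -> (6, 3)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_sep_syslog(line: str) -> SepEvent:
    """Parse one SEP syslog record into header fields plus positional/labelled body fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164-style syslog record")
    facility, severity = decode_pri(int(m["pri"]))
    ev = SepEvent(facility, severity, m["ts"], m["host"], m["app"])
    for raw in m["body"].split(","):
        f = raw.strip()
        kv = KV_RE.match(f)
        if kv:
            ev.attrs[kv.group(1)] = kv.group(2) or ""
        else:
            ev.positional.append(f)
    return ev


def facility_matches(ev: SepEvent, expected: int = EXPECTED_FACILITY) -> bool:
    """True when the manager sends on the facility configured in step 9."""
    return ev.facility == expected


def receive_one_event(port: int = SYSLOG_PORT, timeout: float = 30.0,
                      bind_addr: str = "0.0.0.0") -> SepEvent:
    """Wait for a single UDP datagram from the SEP manager and parse it.

    Binding port 514 needs root, and the JSA console itself already owns that
    port, so run this on a scratch host named in the Syslog Server field (or use
    an unprivileged test port on both sides) purely to confirm forwarding works.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        data, _peer = s.recvfrom(65535)
    return parse_sep_syslog(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    ev = parse_sep_syslog(SAMPLE)
    print(f"{ev.host} {ev.app} facility={ev.facility} severity={SEVERITY_NAMES[ev.severity]}")
    print(f"action={ev.action} user={ev.attrs.get('User')} domain={ev.attrs.get('Domain')}")
    print(f"caller_md5={ev.caller_md5} facility_ok={facility_matches(ev)}")
```

If `facility_matches` returns False for live traffic, the Log Facility field on the manager is not the value this page specifies, which is worth fixing before adding the log source in JSA.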