Symantec Endpoint Protection
The JSA DSM for Symantec Endpoint Protection collects events from a Symantec Endpoint Protection system over syslog.
The DSM parses Symantec Endpoint Protection events written in the following languages: English, French, German, Italian, Japanese, Russian, and Polish.
The following table describes the specifications for the Symantec Endpoint Protection DSM:

Table 1: Symantec Endpoint Protection DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | Symantec |
| DSM name | Symantec Endpoint Protection |
| RPM file name | DSM-SymantecEndpointProtection-JSA_version-build_number.noarch.rpm |
| Supported versions | Endpoint Protection V11, V12, and V14 |
| Protocol | Syslog |
| Event format | Syslog |
| Recorded event types | All Audit and Security Logs |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Symantec website (https://www.symantec.com) |
To integrate Symantec Endpoint Protection with JSA, complete the following steps:

- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
  - DSMCommon RPM
  - Symantec Endpoint Protection DSM RPM
- Configure your Symantec Endpoint Protection device to send syslog events to JSA.
- If JSA does not automatically detect the log source, add a Symantec Endpoint Protection log source on the JSA console.
- Verify that JSA is configured correctly.
The following table shows a sample normalized event message from Symantec Endpoint Protection:

Table 2: Symantec Endpoint Protection Sample Message

| Event name | Low level category |
|---|---|
| Blocked | Access Denied |

Sample log message:

<51>Mar 3 13:52:13 apsepm1 SymantecServer: USER,10.1.1.1, Blocked,[AC13-1.5] Block from loading other DLLs - Caller MD5=323c1f1d9c24f9f7ffa6348594aaaaa,Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,C:/Users/USER/AppData/Local/assembly/dl3/DMD7K4QX.8GW/WQ9LV1W4.8HL/e705c114/006fef9d_f364d101/ProjectPublisher 2010.DLL,User: USER,Domain: LAB,Action Type: ,File size (bytes): 4216832,Device ID: SCSI\Disk&Ven_ATA&Prod_SAMSUNG_SSD_PM83\4&27c82505&0&000000

The PRI value at the start of the message, <51>, encodes facility 6 and severity 3 (51 = 6 * 8 + 3); facility 6 is the Log Facility value configured in Symantec Endpoint Protection Manager below.
Configuring Symantec Endpoint Protection to Communicate with JSA
Before you can add the Symantec Endpoint Protection log source in JSA, configure Symantec Endpoint Protection Manager to forward syslog events.

- Log in to your Symantec Endpoint Protection Manager.
- In the left pane, click the Admin icon.
- At the bottom of the left pane, click Servers.
- In the View Servers pane, click Local Site.
- In the Tasks pane, click Configure External Logging.
- On the General tab, select the Enable Transmission of Logs to a Syslog Server check box.
- In the Syslog Server field, type the IP address of the JSA console or Event Collector that is to receive and parse the logs.
- In the UDP Destination Port field, type 514.
- In the Log Facility field, type 6. This is the facility carried in the PRI of every forwarded message (for example, <51> in the sample message above).
- On the Log Filter tab, under Management Server Logs, select the Audit Logs check box.
- Under Client Logs, select the Security Logs check box.
- Under Client Logs, select the Risks check box.
- Click OK.

Syslog over UDP port 514 provides neither sender authentication nor confidentiality, so restrict the collector to accepting these events from the Symantec Endpoint Protection Manager address only.
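The following script is an added example, not code from Juniper or Symantec. It ties together the sample message format from Table 2 and the SEPM settings above: it parses a SEP syslog line into its RFC 3164 header (PRI, timestamp, host, tag) and its comma-separated SEP body, checks that the PRI facility matches the Log Facility value typed into SEPM, and can send a test event over UDP to a collector to confirm that the JSA log source is discovered and parsed before relying on the live feed. The sample line, the MD5 value, the paths and the meaning of the first positional body fields (computer/user, client IP, action, description) are assumptions constructed from the page's sample rather than a captured event.

```python
import ipaddress
import re
import socket

SEP_FACILITY = 6   # value typed into the SEPM "Log Facility" field
SEP_PORT = 514     # value typed into the SEPM "UDP Destination Port" field

# Constructed sample modelled on the page's Table 2 event; not a captured message.
# The MD5, the user name and the file paths are placeholders.
SAMPLE_EVENT = (
    "<51>Mar 3 13:52:13 apsepm1 SymantecServer: USER,10.1.1.1, Blocked,"
    "[AC13-1.5] Block from loading other DLLs - Caller MD5=0123456789abcdef0123456789abcdef,"
    "Load Dll,Begin: 2017-03-03 13:48:18,End: 2017-03-03 13:48:18,"
    "Rule: Corp Endpoint - Browser Restrictions | [AC13-1.5] Block from loading other DLLs,"
    "6804,C:/Program Files (x86)/Microsoft Office/Office14/WINPROJ.EXE,0,No Module Name,"
    "C:/Users/USER/AppData/Local/assembly/dl3/example/ProjectPublisher2010.DLL,"
    "User: USER,Domain: LAB,Action Type: ,File size (bytes): 4216832,"
    "Device ID: SCSI\\Disk&Ven_ATA&Prod_EXAMPLE_SSD\\4&27c82505&0&000000"
)

# RFC 3164-style header: <PRI>TIMESTAMP HOST TAG: BODY
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): "
    r"(?P<body>.*)$",
    re.S,
)

# "Key: value" fields inside the SEP body. The key must be at least two
# characters so that a Windows drive letter ("C:/Program Files") is not taken
# for a key; the space after the colon is optional because "Action Type:" may be empty.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ()]+):\s?(?P<value>.*)$")


def parse_sep_syslog(line: str) -> dict:
    """Parse one SEP syslog line into header fields plus SEP body fields.

    Positional meanings (computer/user, client IP, action, description) are an
    assumption taken from the page's sample. SEP does not quote field values,
    so a comma inside a rule name or path would shift the positional fields.
    """
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line with a <PRI> header")
    pri = int(m["pri"])
    fields = [f.strip() for f in m["body"].split(",")]

    positional, named = [], {}
    for f in fields:
        kv = KV_RE.match(f)
        if kv:
            named[kv["key"]] = kv["value"]
        else:
            positional.append(f)

    event = {
        "facility": pri // 8,   # PRI = facility * 8 + severity (RFC 3164)
        "severity": pri % 8,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "computer": positional[0] if positional else "",
        "client_ip": positional[1] if len(positional) > 1 else "",
        "action": positional[2] if len(positional) > 2 else "",
        "description": positional[3] if len(positional) > 3 else "",
        "named": named,
    }
    if event["client_ip"]:
        ipaddress.ip_address(event["client_ip"])  # raises ValueError if not an address
    size = named.get("File size (bytes)", "")
    if size.isdigit():
        event["file_size"] = int(size)
    return event


def facility_matches_sepm(line: str, expected: int = SEP_FACILITY) -> bool:
    """True when the PRI facility equals the Log Facility configured in SEPM."""
    return parse_sep_syslog(line)["facility"] == expected


def build_pri(facility: int, severity: int) -> int:
    """Compute the syslog PRI value for a facility/severity pair."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def send_test_event(collector_ip: str, line: str = SAMPLE_EVENT, port: int = SEP_PORT) -> int:
    """Send one event over UDP to the collector, as SEPM would; returns bytes sent.

    UDP syslog has no sender authentication or confidentiality, so the
    collector should accept these events only from the SEPM address.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (collector_ip, port))


if __name__ == "__main__":
    ev = parse_sep_syslog(SAMPLE_EVENT)
    print(ev["host"], ev["action"], ev["client_ip"], ev["named"]["Rule"])
    print("facility matches SEPM setting:", facility_matches_sepm(SAMPLE_EVENT))
```

Run it as-is to see the parsed fields; call `send_test_event("<collector-ip>")` from a host that is allowed to reach the collector on UDP 514, then confirm in the JSA Log Activity view that the event arrives with event name Blocked and low level category Access Denied. If `facility_matches_sepm` returns False for a live message, the Log Facility value in SEPM differs from 6 and the JSA log source may need its expected facility adjusted.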