LogLogic Symantec Endpoint Protection Log Configuration Guide

Transcription

1 LogLogic Symantec Endpoint Protection Log Configuration Guide Document Release: September 2011 Part Number: LL ELS This manual supports LogLogic Symantec Endpoint Protection Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2 2011 LogLogic, Inc. Proprietary Information Trademarks This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners. Notice The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation. LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:

3 Contents Preface About This Guide Technical Support Documentation Support Conventions Chapter 1 Configuring LogLogic s Symantec Endpoint Protection Introduction to Symantec Endpoint Protection Prerequisites Configuring Symantec Endpoint Protection Adding a Symantec Endpoint Protection Device Verifying the Configuration Chapter 2 How LogLogic Supports Symantec Endpoint Protection How LogLogic Captures Symantec Endpoint Protection Data LogLogic Real-Time Reports Appendix A Event Reference LogLogic Support for Symantec Endpoint Protection Events Symantec Endpoint Protection Log Configuration Guide 3

4 4 Symantec Endpoint Protection Log Configuration Guide

5 Preface About This Guide The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Symantec Endpoint Protection enables LogLogic Appliances to capture logs from machines running Symantec Endpoint Protection. Once the logs are captured and parsed, you can generate reports and create alerts on Symantec Endpoint Protection s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Technical Support LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support: Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0) [email protected] You can also visit the LogLogic Support website at: When contacting Customer Support, be prepared to provide: Your name, address, phone number, and fax number Your company name and company address Your machine type and release version A description of the problem and the content of pertinent error messages (if any) Documentation Support Your feedback on LogLogic documentation is important to us. Send to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation. Symantec Endpoint Protection Log Configuration Guide 3

6 Conventions LogLogic documentation uses the following conventions to highlight code and command-line elements: A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs). A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example: username: system home directory: home\app A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\ Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...] 4 Symantec Endpoint Protection Log Configuration Guide

7 Chapter 1 Configuring LogLogic s Symantec Endpoint Protection This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Symantec Endpoint Protection logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Symantec Endpoint Protection log data. Introduction to Symantec Endpoint Protection Prerequisites Configuring Symantec Endpoint Protection Adding a Symantec Endpoint Protection Device Verifying the Configuration Introduction to Symantec Endpoint Protection The LogLogic Appliance support for the Symantec s Antivirus and IDS/IPS events is now available. The Symantec s security policy will consist of specific rules enabled with logging used to capture and send to the LogLogic Appliance. These events will be auto-identified, if enabled, and parsed into the LogLogic report tables for later review. Prerequisites Prior to configuring Symantec Endpoint Protection and the LogLogic Appliance, ensure that you meet the following prerequisites: Symantec Endpoint Protection 11.0 Proper access permissions to make configuration changes. Administrative user on Symantec Endpoint Protection Server. LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Symantec Endpoint Protection support. Administrative access on the LogLogic Appliance. Configuring Symantec Endpoint Protection You must enable and configure Syslog on Symantec Endpoint Protection prior to configuring the LogLogic Appliance. Note: This document does not describe all features and functionality within Symantec Endpoint Protection regarding configuration and Syslog. For more information on these areas, see Symantec Endpoint Protection Product Documentation. Note: You may elect to briefly store the latest portion of the logs using the Symantec s memory; however the Symantec may not have the capacity to retain a all of the log data. Symantec Endpoint Protection Log Configuration Guide 7

8 To specify events log settings: 1. In the admin console, choose Admin > Server > highlight [name] Site 2. Click Configure External Logging Figure 1 Symantec Endpoint Protection Manager 3. Click Enable Transmission of Logs to a Syslog Server 4. Enter LogLogic Appliance information 8 Symantec Endpoint Protection Log Configuration Guide

9 Figure 2 External Logging for a Local Site 5. Click Log Filter tab; check which log types you want to send to the Loglogic Appliance. See appendix for parsed log types. Adding a Symantec Endpoint Protection Device If you do not want to utilize the auto-identification feature, you can manually add a Symantec Endpoint Protection device to the LogLogic Appliance before you redirect the logs. To add Symantec Endpoint Protection as a new device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Administration > Manage Devices. The Device tab appears. 3. Click Add New. The Add Device tab appears. 4. Type in the following information for the device: Name Name for the Symantec Endpoint Protection device Description (optional) Description of the Symantec Endpoint Protection device Device Type Select Symantec Endpoint Protection from the drop-down menu Host IP IP address of the Symantec Endpoint Protection appliance Enable Select the Yes radio button Refresh Device Name through DNS Lookups (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign. 5. Click Add. Symantec Endpoint Protection Log Configuration Guide 9

10 6. Verify that your new device appears in the Devices tab and that Enable is set to Yes. When the logs arrive from the specified Symantec Endpoint Protection appliance, the LogLogic Appliance uses the device you just added if the hostname or IP match. Verifying the Configuration To verify the Configuration: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Dashboards > Log Source Status. 3. Locate the IP address for each Symantec Endpoint Protection device. If the device name (Symantec Endpoint Protection) appears in the list of devices, then the configuration is correct (see Figure 1). Figure 3 Verification of the Symantec Endpoint Protection Configuration If the device does not appear in the Log Source Status tab, check the Symantec Endpoint Protection logs to identify if any events are being generated. If events were detected, but are still not appearing on the LogLogic Appliance, please verify the Symantec Endpoint Protection configuration and the LogLogic Appliance configuration. You can also verify that the LogLogic Appliance is properly capturing log data from Symantec Endpoint Protection by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page Symantec Endpoint Protection Log Configuration Guide

11 Chapter 2 How LogLogic Supports Symantec Endpoint Protection This chapter describes LogLogic s support for Symantec Endpoint Protection. LogLogic enables you to capture Symantec Endpoint Protection log data to monitor events. LogLogic supports Symantec Endpoint Protection logs. How LogLogic Captures Symantec Endpoint Protection Data LogLogic Real-Time Reports How LogLogic Captures Symantec Endpoint Protection Data Symantec Endpoint Protection streams events via Syslog to the LogLogic Appliance. Figure 4 Symantec Endpoint Protection with LogLogic Appliance as the Syslog Server Once the data is captured and parsed, you can generate reports and create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Table 1 on page 14 lists the Symantec Endpoint Protection Syslog messages that are supported by the LogLogic Appliance. Note: The LogLogic Appliance captures all messages from the Symantec Endpoint Protection logs, but includes only specific messages for report/alert generation. For more information, see Appendix A Event Reference on page 13 for sample log messages for each event and event to category mapping. Symantec Endpoint Protection Log Configuration Guide 11

12 LogLogic Real-Time Reports LogLogic provides pre-configured Real-Time Reports for Symantec Endpoint Protection log data. To access LMI 5 Real-Time Reports: 1. In the top navigation pane, click Reports. 2. Select Access Control The following Real-Time Reports are available: User Access Reports details on administrator activity in the Symantec Endpoint Protection Management console. User Authentication Reports Login events to the Symantec Endpoint Protection Management console. User Create/Deleted Reports Administrator activity on user adding and removing. User Last Activity Displays the last activity for the logged in user to the management console. 3. Click Threat Management. The following Real-Time Reports are available: Threat Activity Displays Antivirus and Antispam events detected by the endpoint clients. Configuration Activity Displays Location changes and policy updates on the endpoint clients Scan Activity Reports scan results on the endpoint clients HIPS Activity Displays alerts from IPS/IDS signatures, DDOS attacks, and port scan occurrences. You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help. 12 Symantec Endpoint Protection Log Configuration Guide

13 Appendix A Event Reference This appendix lists the LogLogic-supported Symantec Endpoint Protection events. The LogLogic Symantec Endpoint Protection event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. LogLogic Support for Symantec Endpoint Protection Events The following list describes the contents of each of the columns in the table below. Agile Reports/Search Defines if the Symantec Endpoint Protection event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data. Event Category The category of the event can be either Operational or Audit Event Type Type of events, AntiVirus, IDS and User Access Reports Appears In LogLogic-provided reports that the event appears in Sample Log Message Sample Symantec Endpoint Protection log messages Symantec Endpoint Protection Log Configuration Guide 13

14 # Agile Reports/ Search Table 1 Event Category Symantec Endpoint Protection Events Event Type Reports Appears In Sample Log Message 1 Agile Antivirus Virus Definition 2 Agile Antivirus Auto Protect Configuration Activity Threat Activity <54>Aug 6 20:56:30 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,New virus definition file loaded. Version: ak. <54>Aug 26 15:28:07 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,Symantec Endpoint Protection Microsoft Exchange Auto-Protect Disabled 3 Agile Antivirus Scan Started Scan Activity <54>Aug 11 01:47:44 SymantecServer loglabs-sep11a: Scan ID: ,Begin: :45:50,End: ,Started,Duration (seconds): 0,User1: SYSTEM,User2:,"Scan started on selected drives and folders and all extensions.",,command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: mailclientxp,ip Address: ,Domain: Default,Group: My Company\Default Group,Server: loglabs-sep11a 4 Agile Antivirus Scan Completed 5 Agile Antivirus Scan Cancelled Scan Activity Scan Activity <54>Aug 11 01:47:44 SymantecServer loglabs-sep11a: Scan ID: ,Begin: :45:50,End: ,Started,Duration (seconds): 0,User1: SYSTEM,User2:,"Scan started on selected drives and folders and all extensions.",,command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: mailclientxp,ip Address: ,Domain: Default,Group: My Company\Default Group,Server: loglabs-sep11a :13:14,Scan ID: ,Begin: :08:40,End: ,Cancelled,Duration (seconds): 13,User1: adam,user2: adam,"scan started on all drives and all extensions.","scan Canceled: Risks: 0 Scanned: 5 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 5,Omitted: 0,Computer: mailclientxp,ip Address: ,Domain: Default,Group: My Company\Default Group,Server: loglabs-sep11a 6 Agile Antivirus Scan Warning Scan Activity <54>Aug 10 12:44:55 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,Could not scan 1 files inside c:\windows\temp\000013c0\guestsdk.cab due to extraction errors encountered by the Decomposer Engines. 7 Agile Antivirus Virus Definition 8 Agile Antivirus Auto Protect Disabled Configuration Activity Threat Activity <54>Aug 6 20:56:30 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,New virus definition file loaded. Version: ak. <54>Aug 26 15:28:07 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,Symantec Endpoint Protection Microsoft Exchange Auto-Protect Disabled 14 Symantec Endpoint Protection Log Configuration Guide

15 # Agile Reports/ Search Event Category Event Type Reports Appears In Sample Log Message 9 Agile AntiVirus Alert Message Virus Found Threat Activity "<54>Aug 10 12:45:13 SymantecServer loglabs-sep11a: Virus found,computer name: mailclientxp,source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\Documents and Settings\adam\Desktop\New Text Document.txt,"""",Actual action: Cleaned by deletion,requested action: Cleaned,Secondary action: Quarantined,Event time: :51:34,Inserted: :45:13,End: :51:34,Domain: Default,Group: My Company\Default Group,Server: loglabs-sep11a,user: adam,source computer:,source IP: Agile AntiVirus Alert Message Security Risk Found Threat Activity The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation. 11 Agile AntiVirus Alert Message Commercial Application Detected Threat Activity "<54>Aug 10 18:47:21 SymantecServer loglabs-sep11a: Security risk found,computer name: mailclientxp,source: Real Time Scan,Risk name: Spyware.ActualSpy,Occurrences: 1,C:\Documents and Settings\adam\Local Settings\Temporary Internet Files\Content.IE5\CNJAED34\actualspy[1].exe,"""",Actual action: Access denied,requested action: Quarantined,Secondary action: Deleted,Event time: :45:33,Inserted: :47:21,End: :44:53,Domain: Default,Group: My Company\Default Group,Server: loglabs-sep11a,user: adam,source computer:,source IP: Agile AntiVirus Alert Message Forced Proactive Threat Detection Threat Activity The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation. 13 Agile AntiVirus Alert Message Proactive Detection Now Permitted Threat Activity <54>Jul 31 17:12:37 SymantecServer v11afvm107: Commercial application detected,computer name: C-afong-L,Detection type: Commercial,Application name: VNC Server 4.0,Application type: Remote Control,Application version: 4.0,Hash type: SHA-1,Application hash: 48440b9f1a49cd970b048c9213ccb499deb6342f,Company name: RealVNC Ltd.,File size (bytes): ,Sensitivity: 0,Detection score: 1,Submission recommendation: 0,Permitted application reason: 0,Source: Heuristic Scan,Risk name:,occurrences: 1,WinVNC4,"WinVNC4",Actual action: Left alone,requested action: Left alone,secondary action: Commercial application detection,event time: :37:30,Inserted: :12:37,End: :37:28,Domain: companya,group: My Company\Production Workstations,Server: VMSEP107,User: Adam_Joe,Source computer:,source IP: Symantec Endpoint Protection Log Configuration Guide 15

16 # Agile Reports/ Search Event Category Event Type Reports Appears In Sample Log Message 14 Agile AntiVirus Alert Message Potential Risk Found Threat Activity The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation. 15 Agile AntiVirus Alert Message Risk Sample was Submitted to Symantec Threat Activity The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation. 16 Agile Console Login User Access, User last Activity, User Authentication 17 Agile Console Logout User Access, User last Activity, 18 Agile Console Deleted User Access, User last Activity, 19 Agile Console Disabled User Access, User last Activity, 20 Agile Console Created User Access, User last Activity, User Created/ Deleted 21 Agile Console Added User Access, User last Activity 22 Agile Console Added User Access, User last Activity, User Created/ Deleted 23 Agile Console Deleted User Access, User last Activity 24 Agile Console Created User Access, User last Activity 25 Agile Console Changed User Access, User last Activity 26 Agile Console Exported User Access, User last Activity <54>Aug 6 16:29:59 SymantecServer loglabs-sep11a: Default,Admin: admin,administrator log on succeeded " <54>Aug 11 17:58:34 SymantecServer loglabs-sep11a: Default,Admin: admin,administrator logout <54>Jun 30 16:53:48 SymantecServer loglabs-sep11a: Default,Admin: admin,domain "tester" was deleted! <54>Jun 30 16:53:24 SymantecServer loglabs-sep11a: Default,Admin: admin,domain "tester" was disabled <54>Jun 30 16:53:03 SymantecServer loglabs-sep11a: Default,Admin: admin,user has been created <54>Jun 30 16:52:20 SymantecServer loglabs-sep11a: Default,Admin: admin,domain "tester" was added <54>Jun 30 16:49:35 SymantecServer loglabs-sep11a: Default,Admin: admin,domain administrator "chris" was added <54>Jun 30 16:49:10 SymantecServer loglabs-sep11a: Default,Admin: admin,group has been deleted <54>Jun 30 16:48:52 SymantecServer loglabs-sep11a: Default,Admin: admin,group has been created <54>Jun 30 16:47:37 SymantecServer loglabs-sep11a: Default,Admin: admin,the password of System administrator "admin" has been changed. <54>Aug 17 18:34:54 SymantecServer loglabs-sep11a: Default,Admin: admin,package has been exported 16 Symantec Endpoint Protection Log Configuration Guide

17 # Agile Reports/ Search Event Category Event Type Reports Appears In Sample Log Message 27 Agile Console Moved User Access, User last Activity, User Created/ Deleted 28 Agile Console Deleted User Access, User last Activity <54>Aug 27 14:43:37 SymantecServer loglabs-sep11a: Default,Admin: admin,computer has been moved <54>Aug 26 16:17:54 SymantecServer loglabs-sep11a: Default,Admin: admin,computer has been deleted 29 Agile Intrusion Prevention 30 Agile Intrusion Prevention 31 Agile Intrusion Prevention IDS HIPS Activity <54>Aug 25 15:51:21 SymantecServer loglabs-sep11a: mailclientxp,[sid: 23180] MSRPC Server Service Buffer Overflow 2 detected. Traffic has been blocked from this application: C:\Program Files\Tenable\Nessus\nessusd.exe,Local: ,Local: 000C294EC76E,Remote:,Remote: ,Remote: ,Outbound,TCP,Intrusion ID: 0,Begin: :25:43,End: :25:43,Occurrences: 1,Application: C:/Program Files/ Tenable/Nessus/nessusd.exe,Location: Default,User: adam,domain: MAILCLIENTXP DDOS HIPS Activity <54>Jun 30 16:46:44 SymantecServer loglabs-sep11a: AdamFongDesktop,Denial of Service "UDP Flood Attack" attack detected. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.,local: ,Local: 00FFB06B9509,Remote:,Remote: ,Remote: 00FFB16B9509,Inbound,UDP,,Begin: :41:00,End: :41:00,Occurrences: 1,Application:,Location: Default,User: AFong,Domain: LOGLOGIC Port Scan HIPS Activity <54>Jun 30 16:46:44 SymantecServer loglabs-sep11a: AdamFongDesktop,Port Scan. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.,local: ,Local: 00FFB06B9509,Remote:,Remote: ,Remote: 00FFB16B9509,Inbound,UDP,,Begin: :41:00,End: :41:00,Occurrences: 1,Application:,Location: Default,User: AFong,Domain: LOGLOGIC 32 Agile Policy Edited User Access, User last Activity 33 Agile Policy Added User Access, User last Activity 34 Agile Policy Removed User Access, User last Activity <54>Aug 26 16:17:37 SymantecServer loglabs-sep11a: Default,Admin: admin,policy has been edited,antivirus and Antispyware policy - High Security <54>Aug 26 16:17:37 SymantecServer loglabs-sep11a: Default,Admin: admin,policy has been added,client Policy <54>Aug 26 16:17:37 SymantecServer loglabs-sep11a: Default,Admin: admin,policy has been deleted,copy of New firewall policy Symantec Endpoint Protection Log Configuration Guide 17

18 # Agile Reports/ Search Event Category Event Type Reports Appears In Sample Log Message 35 Agile Policy Applied Configuration Activity <54>Aug 26 15:28:07 SymantecServer loglabs-sep11a: mailclientxp,category: 0,Smc,Applied new policy with serial number 002D-08/25/ :30: successfully. 36 Agile Service Shutdown Threat Activity <54>Aug 6 17:09:24 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful. 37 Agile Service Disabled Threat Activity <54>Aug 25 15:51:20 SymantecServer loglabs-sep11a: mailclientxp,category: 2,Symantec AntiVirus,Symantec Endpoint Protection Auto-Protect Disabled. 38 Agile Service Change Threat Activity <54>Aug 27 14:52:27 SymantecServer loglabs-sep11a: afong2,category: 0,Smc,User is attempting to terminate Symantec Management Client Agile Systrem Change Configuration Activity <54>Aug 25 15:51:20 SymantecServer loglabs-sep11a: mailclientxp,category: 0,Smc,Location has been changed to Default. 18 Symantec Endpoint Protection Log Configuration Guide