Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) utilizes the endpoints on your network to work together in protecting data.

Before You Begin

InsightIDR can ingest data from Symantec Endpoint Protection in two ways: syslog and Watch Directory.


In the SEP Management Console, you must configure Symantec to send logs via syslog in the "External Logging settings" section. Read instructions on page 705 of the Administrator's Guide here:

Watch Directory

In the SEP Management Console, you must configure Symantec to send logs to a folder in the "External Logging settings" section. When configuring Symantec for syslog delivery, check off Export Logs to a Dump File. This option will log data to a single log folder instead of sending the logs to syslog.

How to Configure This Event Source

  1. From your dashboard, select** Data Collection** on the left hand menu.
  2. At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source.
  3. From the "Security Data" section, select the Virus Scan icon. The "Add Event Source" panel appears.
  4. Select your collector and event source. You can name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method.
  9. Click Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.