Symantec Endpoint Protection
Symantec Endpoint Protection (SEP) is an endpoint security product whose managed clients report to a central SEP Manager, and it is that manager's log export that InsightIDR consumes as a Virus Scan event source.
Before You Begin
InsightIDR can ingest data from Symantec Endpoint Protection in two ways: syslog and Watch Directory.
Syslog
In the SEP Management Console, configure Symantec to send logs via syslog in the "External Logging settings" section. Instructions are on page 705 of the Administrator's Guide: https://support.symantec.com/en_US/article.DOC8645.html
Watch Directory
In the SEP Management Console, configure Symantec to write logs to a folder in the "External Logging settings" section. In the same dialog used for syslog delivery, select Export Logs to a Dump File. With this option, the manager writes log data to a single log folder instead of sending it to syslog; the InsightIDR Collector then reads that folder as a Watch Directory.

Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Symantec Endpoint Protection in the event sources search bar.
  - In the Product Type filter, select Virus Scan.
- Select the Symantec Endpoint Protection event source tile.
- Select your collector and event source. You can name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method.
- Click Save.
Not seeing log data?
InsightIDR only parses an event from your Virus Scan event source when a virus is found, so a healthy SEP deployment with no detections produces no parsed events even though the connection is working.
Attribution source options
Symantec Endpoint Protection product logs can contain information about hosts and accounts. When setting up Symantec Endpoint Protection as an event source, you can choose one of the following attribution options:
- Use IDR engine if possible; if not, use event log
With this option, the InsightIDR attribution engine first attempts attribution using the source address present in the log lines. If it cannot resolve assets or accounts from the source address, it falls back to the assets or accounts present in the log lines, if any.
- Use event log if possible; if not, use IDR engine
With this option, attribution is done first using the assets and accounts present in the log lines. If the log lines contain no assets or accounts, the InsightIDR attribution engine falls back to attribution using the source address present in the log lines.
- Use IDR engine only
With this option, the InsightIDR attribution engine performs attribution using only the source address present in the log lines, ignoring any assets and accounts present in the log lines.
- Use event log only
With this option, attribution is done using only the assets and accounts present in the log lines, ignoring the source address.