Symantec Endpoint Protection

Symantec Endpoint Protection (SEP) utilizes the endpoints on your network to work together in protecting data.

Before You Begin

InsightIDR can ingest data from Symantec Endpoint Protection in two ways: syslog and Watch Directory.


In the SEP Management Console, you must configure Symantec to send logs through syslog in the "External Logging settings" section. Read instructions on page 705 of the Administrator's Guide here:

Watch Directory

In the SEP Management Console, you must configure Symantec to send logs to a folder in the "External Logging settings" section. When configuring Symantec for syslog delivery, check off Export Logs to a Dump File. This option will log data to a single log folder instead of sending the logs to syslog.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Symantec Endpoint Protection in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Symantec Endpoint Protection event source tile.
  4. Select your collector and event source. You can name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select an attribution source.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select a collection method.
  10. Click Save.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.