Symantec Endpoint Protection

Overview

Symantec Endpoint Protection (SEP) coordinates the endpoints on your network so that they work together to protect data, and its logs can be forwarded to InsightOps for collection and analysis.

Before You Begin

Typically, Symantec logs are delivered via syslog. To learn how to do this, please see page 705 of the Administrator's Guide, which you can find here.

Another easy configuration option is to use Watch Directory. When configuring Symantec for syslog delivery, make sure that you check off Export Logs to a Dump File. This option logs anything that would normally be sent via syslog to a single log folder, which can be read using the Watch Directory Collection Method for this event source.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Virus Scan icon from the Security section.
  4. Select your collector, and optionally name your event source.
  5. From the list of event source options, choose Symantec Endpoint Protection.
  6. Choose a timezone, or optionally display only US timezones.
  7. Optionally choose to send unfiltered logs.
  8. Configure any Advanced Event Source settings.
  9. Select your collection method:
    • Listen for Syslog: specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP.
    • Log Aggregator: specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP.
    • Watch Directory: specify the network location of the Dump File folder (configurable in the External Logging settings in the SEP management console), into which SEP copies its log files. Enter the file path and the scan interval; if the directory also contains other files, enter a file pattern to specify which files should be collected from it.
    • Tail File: InsightOps will watch a log file and ingest any new data that is added to it.
  10. If you are choosing to encrypt TCP, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and Symantec to "trust" each other during log forwarding.

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.

For instance, if your company has offices in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.