
LogLogic Symantec Endpoint Protection 

Log Configuration Guide

Document Release: September 2011 Part Number: LL60005-00ELS100001


© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors.  In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.


Contents

Preface

About This Guide

Technical Support

Documentation Support

Conventions

Chapter 1 – Configuring LogLogic’s Symantec Endpoint Protection

Introduction to Symantec Endpoint Protection

Prerequisites

Configuring Symantec Endpoint Protection

Adding a Symantec Endpoint Protection Device

Verifying the Configuration

Chapter 2 – How LogLogic Supports Symantec Endpoint Protection

How LogLogic Captures Symantec Endpoint Protection Data

LogLogic Real-Time Reports


Preface

About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Symantec Endpoint Protection™ enables LogLogic Appliances to capture logs from machines running Symantec Endpoint Protection. Once the logs are captured and parsed, you can generate reports and create alerts on Symantec Endpoint Protection’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free—1-800-957-LOGS, Local—1-408-834-7480

EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970

Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version

A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.


Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example:


Chapter 1 – Configuring LogLogic’s Symantec Endpoint Protection

This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Symantec Endpoint Protection logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Symantec Endpoint Protection log data.

Introduction to Symantec Endpoint Protection

Prerequisites

Configuring Symantec Endpoint Protection

Adding a Symantec Endpoint Protection Device

Verifying the Configuration

Introduction to Symantec Endpoint Protection

LogLogic Appliance support for Symantec Antivirus and IDS/IPS events is now available. The Symantec security policy consists of specific rules with logging enabled, and the events they log are captured and sent to the LogLogic Appliance. These events are auto-identified, if enabled, and parsed into the LogLogic report tables for later review.

Prerequisites

Prior to configuring Symantec Endpoint Protection and the LogLogic Appliance, ensure that you meet the following prerequisites:

Symantec Endpoint Protection 11.0

Proper access permissions to make configuration changes. Administrative user on Symantec Endpoint Protection Server.

LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Symantec Endpoint Protection support.

Administrative access on the LogLogic Appliance.

Configuring Symantec Endpoint Protection

You must enable and configure Syslog on Symantec Endpoint Protection prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Symantec Endpoint Protection regarding configuration and Syslog. For more information on these areas, see Symantec Endpoint Protection Product Documentation.


To specify events log settings:

1. In the admin console, choose Admin > Server > highlight [name] Site

2. Click Configure External Logging

Figure 1 Symantec Endpoint Protection Manager


Figure 2 External Logging for a Local Site

5. Click the Log Filter tab and check the log types you want to send to the LogLogic Appliance. See the appendix for parsed log types.

Adding a Symantec Endpoint Protection Device

If you do not want to utilize the auto-identification feature, you can manually add a Symantec Endpoint Protection device to the LogLogic Appliance before you redirect the logs.

To add Symantec Endpoint Protection as a new device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Administration > Manage Devices. The Device tab appears.

3. Click Add New.

The Add Device tab appears.

4. Type in the following information for the device:

Name—Name for the Symantec Endpoint Protection device

Description (optional)—Description of the Symantec Endpoint Protection device

Device Type—Select Symantec Endpoint Protection from the drop-down menu

Host IP—IP address of the Symantec Endpoint Protection appliance

Enable—Select the Yes radio button

Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.


6. Verify that your new device appears in the Devices tab and that Enable is set to Yes. When the logs arrive from the specified Symantec Endpoint Protection appliance, the LogLogic Appliance uses the device you just added if the hostname or IP matches.

Verifying the Configuration

To verify the Configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status.

3. Locate the IP address for each Symantec Endpoint Protection device. If the device name (Symantec Endpoint Protection) appears in the list of devices, then the configuration is correct (see Figure 1).

Figure 3 Verification of the Symantec Endpoint Protection Configuration

If the device does not appear in the Log Source Status tab, check the Symantec Endpoint Protection logs to identify if any events are being generated. If events were detected, but are still not appearing on the LogLogic Appliance, please verify the Symantec Endpoint Protection configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Symantec Endpoint Protection by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more


Chapter 2 – How LogLogic Supports Symantec Endpoint Protection

This chapter describes LogLogic’s support for Symantec Endpoint Protection. LogLogic enables you to capture Symantec Endpoint Protection log data to monitor events. LogLogic supports Symantec Endpoint Protection logs.

How LogLogic Captures Symantec Endpoint Protection Data

LogLogic Real-Time Reports

How LogLogic Captures Symantec Endpoint Protection Data

Symantec Endpoint Protection streams events via Syslog to the LogLogic Appliance.

Figure 4 Symantec Endpoint Protection with LogLogic Appliance as the Syslog Server

Once the data is captured and parsed, you can generate reports and create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Table 1 on page 14 lists the Symantec Endpoint Protection Syslog messages that are supported by the LogLogic Appliance.


LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Symantec Endpoint Protection log data.

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.

2. Select Access Control.

The following Real-Time Reports are available:

User Access—Reports details on administrator activity in the Symantec Endpoint Protection Management console.

User Authentication—Reports Login events to the Symantec Endpoint Protection Management console.

User Create/Deleted—Reports Administrator activity on user adding and removing.

User Last Activity—Displays the last activity for the logged in user to the management console.

3. Click Threat Management.

The following Real-Time Reports are available:

Threat Activity—Displays Antivirus and Antispam events detected by the endpoint clients.

Configuration Activity—Displays Location changes and policy updates on the endpoint clients

Scan Activity—Reports scan results on the endpoint clients

HIPS Activity—Displays alerts from IPS/IDS signatures, DDOS attacks, and port scan occurrences.


Appendix A – Event Reference

This appendix lists the LogLogic-supported Symantec Endpoint Protection events. The LogLogic Symantec Endpoint Protection event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message.

LogLogic Support for Symantec Endpoint Protection Events

The following list describes the contents of each of the columns in the table below.

Agile Reports/Search—Defines if the Symantec Endpoint Protection event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Event Category—The category of the event can be either Operational or Audit

Event Type—Type of events, AntiVirus, IDS and User Access


Table 1 Symantec Endpoint Protection Events

Columns: #, Agile Reports/Search, Event Category, Event Type, Reports Appears In, Sample Log Message

#: 1 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Virus Definition | Reports Appears In: Configuration Activity
Sample Log Message: <54>Aug 6 20:56:30 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 120806ak.

#: 2 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Email Auto Protect | Reports Appears In: Threat Activity
Sample Log Message: <54>Aug 26 15:28:07 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled

#: 3 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Scan Started | Reports Appears In: Scan Activity
Sample Log Message: <54>Aug 11 01:47:44 SymantecServer loglabs-SEP11a: Scan ID: 1281516355,Begin: 2010-08-11 08:45:50,End: 1970-01-01,Started,Duration (seconds): 0,User1: SYSTEM,User2: ,"Scan started on selected drives and folders and all extensions.", ,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: mailclientxp,IP Address: 10.40.1.31,Domain: Default,Group: My Company\Default Group,Server: loglabs-SEP11a

#: 4 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Scan Completed | Reports Appears In: Scan Activity
Sample Log Message: <54>Aug 11 01:47:44 SymantecServer loglabs-SEP11a: Scan ID: 1281516355,Begin: 2010-08-11 08:45:50,End: 1970-01-01,Started,Duration (seconds): 0,User1: SYSTEM,User2: ,"Scan started on selected drives and folders and all extensions.", ,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: mailclientxp,IP Address: 10.40.1.31,Domain: Default,Group: My Company\Default Group,Server: loglabs-SEP11a

#: 5 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Scan Cancelled | Reports Appears In: Scan Activity
Sample Log Message: 2010-08-20 16:13:14,Scan ID: 1282345738,Begin: 2010-08-20 23:08:40,End: 2010-08-20,Cancelled,Duration (seconds): 13,User1: adam,User2: adam,"Scan started on all drives and all extensions.","Scan Canceled: Risks: 0 Scanned: 5 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 5,Omitted: 0,Computer: mailclientxp,IP Address: 192.168.219.128,Domain: Default,Group: My Company\Default Group,Server: loglabs-SEP11a

#: 6 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Scan Warning | Reports Appears In: Scan Activity
Sample Log Message: <54>Aug 10 12:44:55 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,Could not scan 1 files inside c:\WINDOWS\Temp\000013c0\GuestSDK.cab due to extraction errors encountered by the Decomposer Engines.

#: 7 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Virus Definition | Reports Appears In: Configuration Activity
Sample Log Message: <54>Aug 6 20:56:30 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 120806ak.

#: 8 | Agile Reports/Search: Agile | Event Category: Antivirus | Event Type: Auto Protect Disabled

#: 9 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Virus Found | Reports Appears In: Threat Activity
Sample Log Message: "<54>Aug 10 12:45:13 SymantecServer loglabs-SEP11a: Virus found,Computer name: mailclientxp,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\Documents and Settings\adam\Desktop\New Text Document.txt,"""",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2010-08-10 00:51:34,Inserted: 2010-08-10 19:45:13,End: 2010-08-10 00:51:34,Domain: Default,Group: My Company\Default Group,Server: loglabs-SEP11a,User: adam,Source computer: ,Source IP: 0.0.0.0

#: 10 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Security Risk Found | Reports Appears In: Threat Activity
Sample Log Message: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation.

#: 11 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Commercial Application Detected | Reports Appears In: Threat Activity
Sample Log Message: "<54>Aug 10 18:47:21 SymantecServer loglabs-SEP11a: Security risk found,Computer name: mailclientxp,Source: Real Time Scan,Risk name: Spyware.ActualSpy,Occurrences: 1,C:\Documents and Settings\adam\Local Settings\Temporary Internet Files\Content.IE5\CNJAED34\actualspy[1].exe,"""",Actual action: Access denied,Requested action: Quarantined,Secondary action: Deleted,Event time: 2010-08-11 01:45:33,Inserted: 2010-08-11 01:47:21,End: 2010-08-11 01:44:53,Domain: Default,Group: My Company\Default Group,Server: loglabs-SEP11a,User: adam,Source computer: ,Source IP: 0.0.0.0

#: 12 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Forced Proactive Threat Detection | Reports Appears In: Threat Activity
Sample Log Message: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation.

#: 13 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Proactive Detection Now Permitted | Reports Appears In: Threat Activity
Sample Log Message: <54>Jul 31 17:12:37 SymantecServer v11afvm107: Commercial application detected,Computer name: C-afong-L,Detection type: Commercial,Application name: VNC Server 4.0,Application type: Remote Control,Application version: 4.0,Hash type: SHA-1,Application hash: 48440b9f1a49cd970b048c9213ccb499deb6342f,Company name: RealVNC Ltd.,File size (bytes): 380928,Sensitivity: 0,Detection score: 1,Submission recommendation: 0,Permitted application reason: 0,Source: Heuristic Scan,Risk name: ,Occurrences: 1,WinVNC4,"WinVNC4",Actual action: Left alone,Requested action: Left alone,Secondary action: Commercial application detection,Event time: 2010-07-31 19:37:30,Inserted: 2010-08-01 00:12:37,End: 2010-07-31 19:37:28,Domain: companyA,Group: My Company\Production Workstations,Server: VMSEP107,User: Adam_Joe,Source computer: ,Source IP: 0.0.0.0

#: 14 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Potential Risk Found | Reports Appears In: Threat Activity
Sample Log Message: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation.

#: 15 | Agile Reports/Search: Agile | Event Category: AntiVirus Alert Message | Event Type: Risk Sample was Submitted to Symantec | Reports Appears In: Threat Activity
Sample Log Message: The log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic. Therefore no sample log message is available. For more information on this event, see the Cisco Product Documentation.

#: 16 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Login | Reports Appears In: User Access, User last Activity, User Authentication
Sample Log Message: <54>Aug 6 16:29:59 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Administrator log on succeeded "

#: 17 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Logout | Reports Appears In: User Access, User last Activity,
Sample Log Message: <54>Aug 11 17:58:34 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Administrator logout

#: 18 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Deleted | Reports Appears In: User Access, User last Activity,
Sample Log Message: <54>Jun 30 16:53:48 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Domain "tester" was deleted!

#: 19 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Disabled | Reports Appears In: User Access, User last Activity,
Sample Log Message: <54>Jun 30 16:53:24 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Domain "tester" was disabled

#: 20 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Created | Reports Appears In: User Access, User last Activity, User Created/Deleted
Sample Log Message: <54>Jun 30 16:53:03 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,User has been created

#: 21 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Added | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Jun 30 16:52:20 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Domain "tester" was added

#: 22 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Added | Reports Appears In: User Access, User last Activity, User Created/Deleted
Sample Log Message: <54>Jun 30 16:49:35 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Domain administrator "chris" was added

#: 23 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Deleted | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Jun 30 16:49:10 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Group has been deleted

#: 24 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Created | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Jun 30 16:48:52 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Group has been created

#: 25 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Changed | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Jun 30 16:47:37 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,The password of System administrator "admin" has been changed.

#: 26 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Exported | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Aug 17 18:34:54 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Package has been exported

#: 27 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Moved | Reports Appears In: User Access, User last Activity, User Created/Deleted
Sample Log Message: <54>Aug 27 14:43:37 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Computer has been moved

#: 28 | Agile Reports/Search: Agile | Event Category: Console | Event Type: Deleted | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Aug 26 16:17:54 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Computer has been deleted

#: 29 | Agile Reports/Search: Agile | Event Category: Intrusion Prevention | Event Type: IDS | Reports Appears In: HIPS Activity
Sample Log Message: <54>Aug 25 15:51:21 SymantecServer loglabs-SEP11a: mailclientxp,[SID: 23180] MSRPC Server Service Buffer Overflow 2 detected. Traffic has been blocked from this application: C:\Program Files\Tenable\Nessus\nessusd.exe,Local: 192.168.219.128,Local: 000C294EC76E,Remote: ,Remote: 10.60.1.62,Remote: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2010-08-23 16:25:43,End: 2010-08-23 16:25:43,Occurrences: 1,Application: C:/Program Files/ Tenable/Nessus/nessusd.exe,Location: Default,User: adam,Domain: MAILCLIENTXP

#: 30 | Agile Reports/Search: Agile | Event Category: Intrusion Prevention | Event Type: DDOS | Reports Appears In: HIPS Activity
Sample Log Message: <54>Jun 30 16:46:44 SymantecServer loglabs-SEP11a: AdamFongDesktop,Denial of Service "UDP Flood Attack" attack detected. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.,Local: 10.60.0.220,Local: 00FFB06B9509,Remote: ,Remote: 10.1.1.12,Remote: 00FFB16B9509,Inbound,UDP,,Begin: 2011-01-25 14:41:00,End: 2011-01-25 14:41:00,Occurrences: 1,Application: ,Location: Default,User: AFong,Domain: LOGLOGIC

#: 31 | Agile Reports/Search: Agile | Event Category: Intrusion Prevention | Event Type: Port Scan | Reports Appears In: HIPS Activity
Sample Log Message: <54>Jun 30 16:46:44 SymantecServer loglabs-SEP11a: AdamFongDesktop,Port Scan. Description: An excessive number of User Datagram Protocol (UDP) packets are being generated on this computer causing 100% CPU utilization.,Local: 10.60.0.220,Local: 00FFB06B9509,Remote: ,Remote: 10.1.1.12,Remote: 00FFB16B9509,Inbound,UDP,,Begin: 2011-01-25 14:41:00,End: 2011-01-25 14:41:00,Occurrences: 1,Application: ,Location: Default,User: AFong,Domain: LOGLOGIC

#: 32 | Agile Reports/Search: Agile | Event Category: Policy | Event Type: Edited | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Aug 26 16:17:37 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Policy has been edited,Antivirus and Antispyware policy - High Security

#: 33 | Agile Reports/Search: Agile | Event Category: Policy | Event Type: Added | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Aug 26 16:17:37 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Policy has been added,Client Policy

#: 34 | Agile Reports/Search: Agile | Event Category: Policy | Event Type: Removed | Reports Appears In: User Access, User last Activity
Sample Log Message: <54>Aug 26 16:17:37 SymantecServer loglabs-SEP11a: Site: My Site,Server: loglabs-SEP11a,Domain: Default,Admin: admin,Policy has been deleted,Copy of New firewall policy

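#: 35 | Agile Reports/Search: Agile | Event Category: Policy | Event Type: Applied | Reports Appears In: Configuration Activity
Sample Log Message: <54>Aug 26 15:28:07 SymantecServer loglabs-SEP11a: mailclientxp,Category: 0,Smc,Applied new policy with serial number 002D-08/25/2010 18:30:25 906 successfully.

#: 36 | Agile Reports/Search: Agile | Event Category: Service | Event Type: Shutdown | Reports Appears In: Threat Activity
Sample Log Message: <54>Aug 6 17:09:24 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.

#: 37 | Agile Reports/Search: Agile | Event Category: Service | Event Type: Disabled | Reports Appears In: Threat Activity
Sample Log Message: <54>Aug 25 15:51:20 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection Auto-Protect Disabled.

#: 38 | Agile Reports/Search: Agile | Event Category: Service | Event Type: Change | Reports Appears In: Threat Activity
Sample Log Message: <54>Aug 27 14:52:27 SymantecServer loglabs-SEP11a: afong2,Category: 0,Smc,User is attempting to terminate Symantec Management Client....

#: 39 | Agile Reports/Search: Agile | Event Category: System | Event Type: Change | Reports Appears In: Configuration Activity
Sample Log Message: <54>Aug 25 15:51:20 SymantecServer loglabs-SEP11a: mailclientxp,Category: 0,Smc,Location has been changed to Default.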
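The following Python parser for the message layouts in Table 1 is an added example; it is not part of the LogLogic guide and is not the appliance's own parser. The function names, the (kind, host_or_admin, message) summary and the choice to map every key to a list of values are assumptions of this example; the sample lines come from rows 18, 9, 37 and 29 of the table.

```python
import re

# Header layout of the Table 1 samples: <PRI>Mon D HH:MM:SS SymantecServer <server>: <payload>
HEADER = re.compile(r'^"?<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
                    r'SymantecServer (?P<server>[^\s:]+): (?P<payload>.*)$')
# "Key: value" field. Keys hold only letters, digits, spaces and parentheses, so
# a Windows path ("C:\...") or "[SID: 23180] ..." stays free text.
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9 ()]*):(?: (.*))?$')

# Sample lines taken from Table 1 (rows 18, 9 and 37 verbatim; row 29 abridged).
CONSOLE = (r'<54>Jun 30 16:53:48 SymantecServer loglabs-SEP11a: Site: My Site,'
           r'Server: loglabs-SEP11a,Domain: Default,Admin: admin,Domain "tester" was deleted!')
VIRUS = (r'"<54>Aug 10 12:45:13 SymantecServer loglabs-SEP11a: Virus found,'
         r'Computer name: mailclientxp,Source: Real Time Scan,Risk name: EICAR Test String,'
         r'Occurrences: 1,C:\Documents and Settings\adam\Desktop\New Text Document.txt,"""",'
         r'Actual action: Cleaned by deletion,Requested action: Cleaned,'
         r'Secondary action: Quarantined,Event time: 2010-08-10 00:51:34,'
         r'Inserted: 2010-08-10 19:45:13,End: 2010-08-10 00:51:34,Domain: Default,'
         r'Group: My Company\Default Group,Server: loglabs-SEP11a,User: adam,'
         r'Source computer: ,Source IP: 0.0.0.0')
CLIENT = (r'<54>Aug 25 15:51:20 SymantecServer loglabs-SEP11a: mailclientxp,Category: 2,'
          r'Symantec AntiVirus,Symantec Endpoint Protection Auto-Protect Disabled.')
IPS = (r'<54>Aug 25 15:51:21 SymantecServer loglabs-SEP11a: mailclientxp,[SID: 23180] MSRPC '
       r'Server Service Buffer Overflow 2 detected. Traffic has been blocked from this '
       r'application: C:\Program Files\Tenable\Nessus\nessusd.exe,Local: 192.168.219.128,'
       r'Local: 000C294EC76E,Remote: ,Remote: 10.60.1.62,Remote: 000000000000,Outbound,TCP')


def split_fields(payload):
    """Split on commas outside double quotes; return (text, was_quoted) pairs."""
    fields, buf, in_quotes, quoted = [], [], False, False
    for ch in payload:
        if ch == '"' and (in_quotes or not buf):
            in_quotes, quoted = not in_quotes, True
        elif ch == ',' and not in_quotes:
            fields.append((''.join(buf).strip(), quoted))
            buf, quoted = [], False
        else:
            buf.append(ch)
    fields.append((''.join(buf).strip(), quoted))
    return fields


def parse_sep(line):
    """Parse one SEP syslog line; return None when the syslog header is absent."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    pri = int(m['pri'])
    event = {'facility': pri >> 3, 'severity': pri & 7, 'timestamp': m['ts'],
             'server': m['server'], 'fields': {}, 'text': []}
    for text, quoted in split_fields(m['payload']):
        kv = None if quoted else KEYVAL.match(text)
        if kv:  # keys such as Local/Remote repeat, so every key maps to a list
            event['fields'].setdefault(kv[1], []).append(kv[2] or '')
        elif text:
            event['text'].append(text)
    return event


def summarize(event):
    """Reduce an event to (kind, host_or_admin, message) per the layouts in Table 1."""
    f, t = event['fields'], event['text']
    if 'Admin' in f:      # console audit: Site,Server,Domain,Admin,<action>
        return ('console', f['Admin'][0], t[0] if t else '')
    if 'Risk name' in f:  # risk alert: <title>,Computer name: ...,Risk name: ...
        title = t[0] if t else ''
        return ('risk', f.get('Computer name', [''])[0], f'{title}: {f["Risk name"][0]}')
    if 'Category' in f and len(t) >= 3:  # client event: <host>,Category: n,<source>,<message>
        return ('client', t[0], t[2])
    if 'Local' in f and len(t) >= 2:     # IPS event: <host>,<description>,Local: ...,Remote: ...
        return ('network', t[0], t[1])
    return ('other', event['server'], ' '.join(t))


if __name__ == '__main__':
    for sample in (CONSOLE, VIRUS, CLIENT, IPS):
        print(summarize(parse_sep(sample)))
```

A line without the `<PRI>` syslog header, such as the Scan Cancelled sample in row 5, returns `None`, which is a quick way to spot a source that is not arriving in the expected format.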
