Troubleshooting
Problem
When using IBM Security QRadar SIEM, Symantec Endpoint Protection syslog events are auto-detected with the hostname SymantecServer, regardless of the actual hostname, if the firmware version on the appliance is old.
Cause
The Symantec Endpoint Protection Server is out of date. This issue has been resolved by Symantec in software version 12.1.6.MP4.
For Symantec appliances on older firmware:
This issue is due to how Symantec generates syslog headers: the header always contains the application name SymantecServer in the position that, in most RFC syslog payloads, is reserved for the hostname or IP address of the appliance that generated the event, not a generic value.
Example:
```
<54>Jun 2 09:37:57 SymantecServer ServerA: Virus found,Computer name:ServerA,Source: Real Time Scan,Risk name: CAR Test String,Occurrences:1,D:/ffirectoryA/DirectoryB,"",Actual action: Cleaned by deletion,Requested action:Cleaned,Secondary action: Quarantined,Event time: 2009-05-22 14:22:10,Inserted:2009-05-22 14:32:57,End: 2009-05-22 14:32:10,Domain: Default,Group: My Group\WAN\Offline Servers,Server:ServerA,User: exampleuser1,Source computer: ,Source IP: 0.0.0.0
```
Note: In the example above, SymantecServer occupies the hostname position instead of the actual server name, ServerA.
Resolving The Problem
Administrators with Symantec Endpoint Protection appliances should review the fix provided by Symantec. This issue was corrected by Symantec in a bugfix in SEP 12.1.6 MP4. For more information, see https://support.symantec.com/en_US/article.INFO3517.html.
If you cannot update to Symantec Endpoint Protection 12.1.6 MP4
An alternate option for administrators is to use the Syslog Redirect Protocol and send Symantec Endpoint Protection syslog events to port 517 on the QRadar system. The Syslog Redirect Protocol allows the syslog header of the event payload to be replaced with another header so that an IP address or hostname can be used to parse the event properly. The protocol uses a regular expression to generate a new syslog header, giving <Syslog Redirect Header><Original SEP Syslog header><Original event payload information>. The event pipeline receives the data with the new header, and the QRadar appliance can parse it properly.
![](/support/pages/system/files/support/swg/sectech.nsf/0/43ca8d347d515aef85257af4006a2a19/Content/0.5B8.gif)
NOTE: If you have questions about Syslog Redirect and how this protocol works, you can discuss this protocol in our forums. The image above is a representation and does not include the actual regex or format string values required for a proper workaround for all administrators.
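The following is an added illustration, not QRadar's own Syslog Redirect implementation: it parses the BSD-style header of a constructed SEP event, shows that a generic parser would take SymantecServer as the host, and then prepends a replacement header built from the real server name. The regex that recovers the name from the "Server:" field of the payload is an assumption for this example, not the regex or format string QRadar ships.

```python
import re

# Constructed sample, modelled on the event shown in this article.
SAMPLE_EVENT = (
    "<54>Jun 2 09:37:57 SymantecServer ServerA: Virus found,Computer name:ServerA,"
    "Source: Real Time Scan,Risk name: CAR Test String,Occurrences:1,"
    "Actual action: Cleaned by deletion,Server:ServerA,User: exampleuser1,Source IP: 0.0.0.0"
)

# BSD-style (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL,
)

PLACEHOLDER = "SymantecServer"   # the generic value SEP puts in the hostname slot

def parse_header(event: str) -> dict:
    """Return the fields a generic syslog parser would take from the header."""
    m = HEADER_RE.match(event)
    if not m:
        raise ValueError("not a BSD-style syslog event")
    return m.groupdict()

def header_host_is_placeholder(event: str) -> bool:
    """True when the hostname slot carries SymantecServer rather than a real host."""
    return parse_header(event)["host"] == PLACEHOLDER

# Hypothetical redirect rule (an assumption for this example): recover the real
# server name from the "Server:" key/value pair inside the SEP payload.
SERVER_RE = re.compile(r"(?:^|,)Server:\s*(?P<server>[^,]+)")

def redirect_header(event: str) -> str:
    """Prepend a new header carrying the real host; the original event is kept intact."""
    h = parse_header(event)
    if h["host"] != PLACEHOLDER:
        return event   # already carries a usable host, nothing to rewrite
    m = SERVER_RE.search(h["rest"])
    if not m:
        raise ValueError("cannot recover the source host from the payload")
    new_header = f"<{h['pri']}>{h['ts']} {m['server'].strip()} "
    return new_header + event   # <Redirect Header><Original header><Original payload>
```

The redirected event parses with host ServerA while the original SEP header and payload follow unchanged, which is the layout the paragraph above describes.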
Document Information
Modified date: 01 April 2020
UID: swg21622446