About syslog server connections

Symantec Endpoint Detection and Response can send conviction incidents and notification messages to remote syslog servers using standard syslog forwarding. Using a remote syslog server lets you work with logs on a separate server, and it lets multiple devices send logs to a centralized location. Syslog output is sent over UDP or TCP (Symantec recommends that you use TCP). To set up the connection, you configure the network connection to each syslog server in the EDR appliance console. You must also configure each syslog server to accept the logs from Symantec EDR.

Symantec EDR always uses the syslog facility of "user" and severity of "INFO". ECC, endpoint activity recorder, and search data are not forwarded to syslog.

Symantec EDR uses Common Event Format (CEF) for all syslog output. CEF defines a text-based syntax for pushing events to security information and event management (SIEM) systems. The syntax consists of a header and a set of key-value pairs. The CEF definition provides many SIEM-related, predefined fields, and Symantec EDR uses them where applicable. Where no applicable predefined field exists, Symantec EDR provides the key as "json" and a JSON object as the value, which in turn contains all of the Symantec EDR-specific fields and their values. See the following example:
json={"actual_action":"Quarantined","actual_action_idx":1,"agent_infected":0,"agent_version":"14.0.1904.0000","alert":"Security risk found","data_source_url_domain":"","device_ip":"194.164.1.245","device_name":"140116-012018","device_time":"2017-01-25T09:18:16.914Z","device_uid":"1fdfd164-e54b-446f-b803-218d939da4c4","disposition":1,"domain_name":"WORKGROUP","external_ip":"","file":{"app_name":"cloudcar.exe","company_name":"null","confidence":119,"detection_type":"Heuristic","disposition":1,"folder":"C:\Users\Admin\Downloads","name":"cloudcar.exe","sha2":"3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5"},"host_name":"170446-012018","internal_ip":"194.164.1.245","local_host_mac":"00-0c-29-cc-3e-17","no_of_viruses":1,"sep_mid":"de2508a9b6bbcc26b4132029a46dd680","source":"Real Time Scan","threat":{"name":"WS.Reputation.1"},"type_id":4123,"user_name":"Admin","virus_def":"2017-01-23 rev. 022","virus_name":"WS.Reputation.1","sep_installed":true}
The CEF log format consists of a syslog prefix, a CEF header, and the extension. The syslog prefix contains a date, host name, log level, and component identifier. The table below describes the CEF header fields that Symantec EDR sends.
CEF header field: Description

Version
    The CEF format version number.

Device Vendor
    Symantec

Device Product
    The Symantec EDR appliance

Device Version
    The Symantec EDR version number

Signature ID
    The ID of a Symantec AntiVirus Engine or Vantage conviction. For other types of convictions, the ID is 0.

Name
    The name of the event. This can be one of the following:
      • atp_incident
      • entity_audit_event
      • lcp_sep_alert_event
      • lcp_sep_risk_event
      • email_conviction_event
      • sep_proxy_insight_event
      • sep_proxy_ips_event
      • sep_proxy_sonar_event
      • sep_proxy_av_event
      • session_audit_event

Severity
    The severity of the incident. From lowest to highest severity, the number can be 1, 3, 5, 8, or 10. If the value is 5, the CEF contains a non-conviction incident.

[Extension]
    (Optional) Additional information, such as source IP address or file hash. The information is contained in sets of key-value fields. Where no applicable predefined field exists, Symantec EDR provides the key as "json" and a JSON object as the value, which in turn contains all of the Symantec EDR-specific fields and their values.
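The following parser splits a line of the layout just described (syslog prefix, pipe-delimited CEF header, space-separated key=value extension ending in a json object) and flags severity 5 as a non-conviction. It is an added example, not Symantec code; the sample line, host names and IP address are constructed, and the retry that doubles unescaped backslashes is an assumption based on the Windows paths shown in the page's samples.

```python
import json
import re

# Constructed sample line in the layout described above (not a real appliance capture);
# the sha2 is the one from the page's examples. Header severity 5 marks a non-conviction.
SAMPLE = (
    r'Jan 25 09:59:01 localhost lcp_sep_alert_event: INFO - ATP-Appliance '
    r'CEF:0|Symantec|ATPU|3.0.0|4123|lcp_sep_alert_event|5|'
    r'device_time=2017-01-25T09:18:16.914Z internalIP=10.0.0.5 '
    r'filePath=C:\Users\Admin\Downloads fname=sample (2).exe '
    r'sha2=3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5 md5= '
    r'json={"actual_action":"Quarantined","file":{"folder":"C:\Users\Admin\Downloads",'
    r'"name":"sample (2).exe"},"type_id":4123,"sep_installed":true}'
)
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^| )(\w+)=")             # a key starts the line or follows a space
JSON_KEY_RE = re.compile(r"(?:^| )json=")
BAD_ESCAPE_RE = re.compile(r'\\(?!["\\/bfnrtu])')  # backslash that is not a JSON escape


def load_json_value(blob):
    # Assumption: the json= object may carry Windows paths with unescaped backslashes,
    # as in the page's samples; if strict parsing rejects them, double them and retry.
    try:
        return json.loads(blob)
    except json.JSONDecodeError:
        return json.loads(BAD_ESCAPE_RE.sub(r"\\\\", blob))


def parse_edr_cef(line):
    prefix, sep, rest = line.partition("CEF:")
    parts = rest.split("|", 7)                    # 7 header fields, then the extension
    if not sep or len(parts) < 8:
        raise ValueError("line has no complete CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["signature_id"] = int(header["signature_id"])
    header["severity"] = int(header["severity"])
    extension, ext, json_blob = parts[7], {}, None
    m = JSON_KEY_RE.search(extension)             # json= comes last; it may hold '=' and spaces
    if m:
        json_blob, extension = extension[m.end():], extension[:m.start()]
    keys = list(KEY_RE.finditer(extension))
    for i, k in enumerate(keys):                  # a value runs until the next " key="
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        ext[k.group(1)] = extension[k.end():end].strip()
    if json_blob is not None:
        ext["json"] = load_json_value(json_blob)
    return {"syslog_prefix": prefix.strip(), "header": header, "extension": ext,
            "non_conviction": header["severity"] == 5}
```

Values such as fname=sample (2).exe keep their embedded spaces because a new key is only recognised at a " key=" boundary, which is the property a SIEM field extractor must preserve for these lines.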
An example of a conviction incident log is as follows:
Jan 25 09:59:01 localhost lcp_sep_alert_event: INFO - ATP-Appliance CEF:0|Symantec|ATPU|3.0.0|4123|lcp_sep_alert_event|0|device_time=2017-01-25T09:18:16.914Z device_uid=1fdfd144-e54b-476f-b803-218d939da4c4 internalIP=194.164.4.245 internalHost=170116-012018 filePath=C:\Users\Admin\Downloads fname=cloudcar.exe sha2=3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5 md5= AVEVirusName=WS.Reputation.1 actual_action=Quarantined user_name=Admin domain_name=WORKGROUP json="actual_action":"Quarantined","actual_action_idx":1,"agent_infected":0,"agent_version":"14.0.1904.0000","alert":"Security risk found","data_source_url_domain":"","device_ip":"194.1448.4.245","device_name":"170116-042018","device_time":"2017-01-25T09:18:16.914Z","device_uid":"1fdfd168-e54b-444g-b803-218d939da4c4","disposition":1,"domain_name":"WORKGROUP","external_ip":"","file":{"app_name":"cloudcar.exe","company_name":"null","confidence":119,"detection_type":"Heuristic","disposition":1,"folder":"C:\Users\Admin\Downloads","name":"cloudcar.exe","sha2":"3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5"},"host_name":"170446-012018","internal_ip":"194.144.1.245","local_host_mac":"44-0c-29-bb-3e-19","no_of_viruses":1,"sep_mid":"de2508a9b6bbcc26b4132029a46dd680","source":"Real Time Scan","threat":{"name":"WS.Reputation.1"},"type_id":4123,"user_name":"Admin","virus_def":"2017-01-23 rev. 022","virus_name":"WS.Reputation.1","sep_installed":true}
Feb 1 11:07:06 localhost atp_incident: INFO - ATP-Appliance CEF:0|Symantec|ATPU|3.0.0|16|atp_incident|0|device_time=2017-02-01T11:00:47.697Z incident_uuid=afa03410-e86d-11e6-e42a-00000000000c rule_name=incident_update description=incident_update message=incident_update json={"device_ip":"144.0.0.1","device_name":"localhost.localdomain","type_id":16,"composite":1,"id":1,"device_end_time":"2017-02-01T11:00:47.697Z","uuid":"afa03410-e44d-11e6-e42a-00000000000c","events":[{"action_id":1,"categories":["Attack"],"config_version":0,"count":1,"critical_infected":false,"data_direction":4,"data_source_url":"http://www.eicar.org/download/eicar.com.txt","data_source_url_domain":"www.eicar.org","data_source_url_referer":"","deepsight_domain":"notavailable","device_end_time":"2017-02-01T11:00:43.962Z","device_ip":"194.144.1.245","device_name":"194.144.1.245","device_time":"2017-02-01T11:00:43.229Z","device_uid":"1fdee168-e54b-476f-b803-218d939da4c4","disposition":1,"external_ip":"213.211.198.62","external_port":80,"id":1,"infected":false,"internal_hostname":"192.144.1.445","internal_ip":"194.144.1.445","internal_port":56642,"ping_submit":true,"product_name":"SGS-ATP","product_ver":"2.0","scanner_name":"ATP-Appliance","scanner_uid":"{564d59c9-1df3-9eac-84fc-3dc3a08dacdf}","severity_id":4,"signature_id":"24461","signature_name":"Diagnostic: EICAR Standard Anti-Virus Test File","silent":false,"threshold":1,"type_id":4113,"vlan_id":0,"user_name":"Admin","sep_installed":true,"timezone":0,"time":"2017-02-01T11:00:43.229Z","end_time":"2017-02-01T11:00:43.962Z","log_time":"2017-02-01T11:07:06.882Z","uuid":"acf670d0-e44d-11e6-e769-0000000025c0","log_name":"epmp_events-2017-02-01/4113","incident_priority_level":"LOW"}],"device_time":"2017-02-01T11:00:47.697Z","atp_incident_id":100011,"event_count":10,"priority_level":1,"scanners":["ATP-Appliance"],"filehash":["b4e7c4260f2fb0942244bcbc0cb839e705903487586ad3914d9d8f164886b830","3559378c933cdd434af2083f7535460843d2462033de74ec7c70dbe5f70124f5","2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad","86263727095009b136c832b851b3d9b329352d60a1ecc251d4a309d44a407c3b","275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"],"deviceUid":["1fdfd168-e54b-476f-b803-218d939da4c4"],"domainId":["","www.skyscan.com","www.eicar.org"],"confidence":"low"}
Feb 1 11:01:12 localhost sep_proxy_insight_event: INFO - ATP-Appliance CEF:0|Symantec|ATPU|3.0.0|4096|sep_proxy_insight_event|0|device_time=2017-02-01T11:01:11.014Z device_uid=1fdfd144-e54b-476f-b803-218d939da4c4 internalIP=10.212.24.141 internalHost=170116-012018 filePath=CSIDL_PROFILE\downloads fname=shample (2).exe ha2=b4e7c4260f2fb0942244bcbc0cb839e705903487586ad3914d9d8f164886b830 md5=f7c9075fd496b1f399f118365fc5bfe0 disposition=0 disposition_atp=0 user_name=Admin json={"atp_protocol":"rrs","data_direction":"inbound","data_source_ip":"94.131.149.32","data_source_url":"http://www.skyscan.com/shample/shample.exe","data_source_url_domain":"skyscan.com","data_source_url_referer":"http://test.symanteccloud.com/","deepsight_domain":"notavailable","device_ip":"14.244.24.141","device_name":"170446-012018","device_time":"2017-02-01T11:01:11.014Z","device_uid":"1fdfd144-e54b-476g-b803-218d939da4c4","disposition":1,"downloaded_portal_id":5,"enterprise_uid":"8DD043B6C4420972D28225BEEA38E404","external_ip":"95.131.109.32","feature_name":"ATP:Endpoint","feature_ver":"2014.2.0","file":{"attributes":null,"confidence":16,"confidence_atp":16,"desc":null,"disposition":0,"disposition_atp":0,"first_seen":null,"folder":"CSIDL_PROFILE\downloads","md5":"f7c9075fd496b1f399f118365fc5bfe0","name":"shample (2).exe","prevalence":0,"sha2":"b4e7c4260f2fb0942244bcbc0cb839e705903487586ad3914d9d8f164886b830","signature_company_name":null,"signature_issuer":null,"signature_serial_number":null,"size":33824},"id":0,"initiating_engine":null,"parent_file_name":null,"parent_file_sha2":"6299DE071EF97D32C334EF624BC4B0FD3BF15BDD411976687951696771373949","parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":1,"ruleId":null,"ruleVersion":0,"sep_mid":"de2508a9b6bbcc26b4132029a46dd680","type_id":4096,"zone_id":null,"user_name":"Admin","sep_installed":true}