Thursday, April 5, 2018

Remotely grab Symantec logs with Log Parser

Are you adding Symantec Endpoint Protection logs to your investigations? If not, there could be some information you are missing. These logs are located at C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs. Some of the logs contained in the folder path include:

AVMan.log - AV Management plugin log (contains copies of all AV events)
GUProxy.log - GUP plugin log (if you have a GUP enabled)
LUMan.log - SEP Client LiveUpdate plugin log
processlog.log - Application and Device Control log
rawlog.log - Firewall Packet log
seclog.log - Security log (IPS events mainly)
syslog.log - System log
tralog.log - Firewall Traffic log

Using Microsoft's Log Parser and Log Parser Studio, I created a couple of queries to parse these logs. And the best part is, you can query the logs on a remote system. The only thing left for you to do is export the results into your timeline. The library file for Log Parser Studio can be found here.

Enjoy!

AVMan.log









































Daily AV Logs:







































syslog.log:

























No comments:

Post a Comment