SEPparser is a command line tool for parsing Symantec Endpoint Protection logs. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what log it is and parse it correctly.
Symantec logs are in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
SEPparser.py -h
usage: SEPparser.py [-h] [-f FILE] [-d DIR] [-o OUTPUT] [-a]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE file to be parsed
-d DIR, --dir DIR directory to be parsed
-o OUTPUT, --output OUTPUT
directory to output files to. Default is current
directory.
-a, --append append to output files.
By default, all csv files will be placed in the directory SEPparser is run from. You can also designate a folder to store them in with the -o option.
After running, the directory should look like this:
We can also find the signing certificate information.
In addition to the log files, a packet.txt file is created. This file is a hex dump of all packets from the packet log and can be viewed with Wireshark.
In Wireshark go to File > Import from Hex Dump...
Select the paclet.txt file and click Import
You can now view the packets and save them in a pcap if you choose
Download
https://github.com/Beercow/SEPparser
https://github.com/Beercow/SEPparser/releases