Tuesday, January 12, 2021

Your AV is Trying to Tell You Something: syslog.log

syslog_Format.md

Client Management System Log

The system log contains the system events that occur on the endpoint: installation, service, configuration, host integrity, import, client, server, policy, antivirus engine, licensing, security, submission, and other events. The Windows client shows you the Date and Time, Severity, Summary, and Description, but not the Event ID, Event Source, Location, or the log line. On the plus side, it is one of the more human-readable logs.

System Log File Format

The system log for SEP can be found at the following location:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log

The syslog.log file begins with a tab-separated header containing the following information:

| Field | Type | Size | Description |
|---|---|---|---|
| Log Type | hex | 8 | Always 00000000 |
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Running Total Entries | hex | 16 | Total number of events generated |
| Max Log Days | hex | 8 | Maximum days to save log entries |

Log Entries

The log entries are in TSV format, meaning each field is separated by a tab character. The following information can be found in each event entry:

| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of log entry |
| Date and Time | Windows 64-bit hex value, big endian | 16 | The time of the generated event (GMT). |
| Event ID | hex | 8 | An event ID sent by a managed client. Possible values are listed below by category. |

Installation events
Possible values are:
0x12070001 = Internal error
0x12070101 = Install complete
0x12070102 = Restart recommended
0x12070103 = Restart required
0x12070104 = Installation failed
0x12070105 = Uninstallation complete
0x12070106 = Uninstallation failed
0x12071037 = Symantec Endpoint Protection installed
0x12071038 = Symantec Firewall installed
0x12071039 = Uninstall
0x1207103A = Uninstall rolled-back

Service events
Possible values are:
0x12070201 = Service starting
0x12070202 = Service started
0x12070203 = Service start failure
0x12070204 = Service stopped
0x12070205 = Service stop failure
0x1207021A = Attempt to stop service

Configuration events
Possible values are:
0x12070206 = Config import complete
0x12070207 = Config import error
0x12070208 = Config export complete
0x12070209 = Config export error

Host Integrity events
Possible values are:
0x12070210 = Host Integrity disabled
0x12070211 = Host Integrity enabled
0x12070220 = NAP integration enabled

Import events
Possible values are:
0x12070214 = Successfully imported advanced rule
0x12070215 = Failed to import advanced rule
0x12070216 = Successfully exported advanced rule
0x12070217 = Failed to export advanced rule
0x1207021B = Imported sylink

Client events
Possible values are:
0x12070218 = Client Engine enabled
0x12070219 = Client Engine disabled
0x12071046 = Proactive Threat Scanning is not supported on this platform
0x12071047 = Proactive Threat Scanning load error
0x12071048 = SONAR content load error
0x12071049 = Allow application

Server events
Possible values are:
0x12070301 = Server connected
0x12070302 = No server response
0x12070303 = Server connection failed
0x12070304 = Server disconnected
0x120B0001 = Cannot reach server
0x120B0002 = Reconnected to the server
0x120B0003 = Automatic upgrade complete

Policy events
Possible values are:
0x12070306 = New policy received
0x12070307 = New policy applied
0x12070308 = New policy failed
0x12070309 = Cannot download policy
0x120B0005 = Cannot download policy
0x1207030A = Have latest policy
0x120B0004 = Have latest policy

Antivirus engine events
Possible values are:
0x12071006 = Scan omission
0x12071007 = Definition file loaded
0x1207100B = Virus behavior detected
0x1207100C = Configuration changed
0x12071010 = Definition file download
0x12071012 = Sent to quarantine server
0x12071013 = Delivered to Symantec
0x12071014 = Security Response backup
0x12071015 = Scan aborted
0x12071016 = Symantec Endpoint Protection Auto-Protect Load error
0x12071017 = Symantec Endpoint Protection Auto-Protect enabled
0x12071018 = Symantec Endpoint Protection Auto-Protect disabled
0x1207101A = Scan delayed
0x1207101B = Scan restarted
0x12071027 = Symantec Endpoint Protection is using old virus definitions
0x12071041 = Scan suspended
0x12071042 = Scan resumed
0x12071043 = Scan duration too short
0x12071045 = Scan enhancements failed

Licensing events
Possible values are:
0x1207101E = License warning
0x1207101F = License error
0x12071020 = License in grace period
0x12071023 = License installed
0x12071025 = License up-to-date

Security events
Possible values are:
0x1207102B = Computer not compliant with security policy
0x1207102C = Computer compliant with security policy
0x1207102D = Tamper attempt
0x12071034 = Login failed
0x12071035 = Login succeeded

Submission events
Possible values are:
0x12120001 = System message from centralized reputation
0x12120002 = Authentication token failure
0x12120003 = Reputation failure
0x12120004 = Reputation network failure
0x12130001 = System message from Submissions
0x12130002 = Submissions failure
0x12130003 = Intrusion prevention submission
0x12130004 = Antivirus detection submission
0x12130005 = Antivirus advanced heuristic detection submission
0x12130006 = Manual user submission
0x12130007 = SONAR heuristic submission
0x12130008 = SONAR detection submission
0x12130009 = File Reputation submission
0x1213000A = Client authentication token request
0x1213000B = LiveUpdate error submission
0x1213000C = Process data submission
0x1213000D = Configuration data submission
0x1213000E = Network data submission

Other events
Possible values are:
0x1207020A = Email post OK
0x1207020B = Email post failure
0x1207020C = Update complete
0x1207020D = Update failure
0x1207020E = Manual location change
0x1207020F = Location changed
0x12070212 = Old rasdll version detected
0x12070213 = Auto-update postponed
0x12070305 = Mode changed
0x1207030B = Cannot apply HI script
0x1207030C = Content Update Server
0x1207030D = Content Update Packet
0x12070500 = System message from device control
0x12070600 = System message from anti-buffer overflow driver
0x12070700 = System message from network access component
0x12070800 = System message from LiveUpdate
0x12070900 = System message from GUP
0x12072000 = System message from Memory Exploit Mitigation
0x12072009 = Intensive Protection disabled
0x1207200A = Intensive Protection enabled
0x12071021 = Access denied warning
0x12071022 = Log forwarding error
0x12071044 = Client moved
0x12071036 = Access denied warning
0x12071000 = Message from Intrusion Prevention
0x12071050 = SONAR disabled
0x12071051 = SONAR enabled
The remaining fields of each entry:

| Field | Type | Size | Description |
|---|---|---|---|
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Severity | hex | 8 | The type of event (0 = Info, 1 = Warning, 2 = Error, 3 = Fatal). |
| Data Size | hex | 8 | Length of data field |
| Summary/Description | nvarchar | 2048 | Description of the event. Usually, the first line of the description is treated as the summary. |
| Event Source | nvarchar | 32 | Type of event (CVE, Smc, IPS, SONAR, REP) |
| Data/Log Line | varbinary | 2000 | Additional data in binary format. This field is optional. |
| Location | nvarchar | 512 | The location used when the event occurred. |
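A small parser for the header and entry layouts described above, added here as an example and not code from the original post. It assumes the 16-hex-digit timestamp is a Windows FILETIME, uses a subset of the Event ID lists above, and runs over a constructed header and two constructed entries; the watch list and the `suspicious_events` helper are my own additions to show how a defender would flag protection-weakening events.

```python
import datetime as dt
# Subset of the page's Event ID lists; WATCH_LIST marks events that weaken protection.
EVENT_IDS = {
    0x12070202: "Service started",
    0x12070204: "Service stopped",
    0x12071018: "Symantec Endpoint Protection Auto-Protect disabled",
    0x1207102D: "Tamper attempt",
    0x12071050: "SONAR disabled",
}
WATCH_LIST = {0x12070204, 0x12071018, 0x1207102D, 0x12071050}
SEVERITY = {0: "Info", 1: "Warning", 2: "Error", 3: "Fatal"}
HEADER_FIELDS = ("log_type", "max_log_size", "unknown1", "num_entries", "unknown2", "running_total", "max_log_days")
ENTRY_FIELDS = ("entry_length", "time", "event_id", "unknown", "severity",
                "data_size", "description", "event_source", "data", "location")

def filetime_to_utc(hex16: str) -> dt.datetime:
    """Assumed: the 16-hex-digit timestamp is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(microseconds=int(hex16, 16) // 10)

def parse_header(line: str) -> dict:
    """The header is seven tab-separated hex fields; all are decoded to int."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(values)}")
    return {name: int(v, 16) for name, v in zip(HEADER_FIELDS, values)}

def parse_entry(line: str) -> dict:
    """One TSV entry: hex fields decoded, Event ID and Severity mapped to names."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) < len(ENTRY_FIELDS):
        raise ValueError(f"entry has {len(values)} fields, expected {len(ENTRY_FIELDS)}")
    rec = dict(zip(ENTRY_FIELDS, values))
    for key in ("entry_length", "event_id", "data_size"):
        rec[key] = int(rec[key], 16)
    rec["event_name"] = EVENT_IDS.get(rec["event_id"], "unknown event")
    rec["severity"] = SEVERITY.get(int(rec["severity"], 16), "unknown")
    rec["time"] = filetime_to_utc(rec["time"])
    rec["summary"] = rec["description"].splitlines()[0] if rec["description"] else ""
    return rec

def suspicious_events(lines) -> list:
    """Parsed entries whose Event ID is on the watch list (e.g. Auto-Protect disabled)."""
    return [e for e in map(parse_entry, lines) if e["event_id"] in WATCH_LIST]

# Constructed sample, not a real log: one header line and two entries (Data/Log Line left empty).
SAMPLE_HEADER = "00000000\t00080000\t00000000\t00000002\t00000000\t0000000000000002\t0000000E"
SAMPLE_ENTRIES = [
    "00000040\t01D6E875DEC0C000\t12070202\t00000000\t00000000\t00000000\tSymantec Management Client has been started.\tSmc\t\tDefault",
    "00000041\t01D6E875DEC0C000\t12071018\t00000000\t00000001\t00000000\tAuto-Protect has been disabled.\tCVE\t\tDefault",
]
```

Feeding the real file's lines (first line to `parse_header`, the rest to `suspicious_events`) gives a quick list of the entries worth forwarding to a SIEM.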
