Client Management System Log
The system log records system events that occur on the endpoint: installation, service, configuration, host integrity, import, client, server, policy, antivirus engine, licensing, security, submission and other events. The Windows client UI shows you the Date and Time, Severity, Summary and Description, but it hides the Event ID, Event Source, Location and the log line itself, which is why going to the file on disk is worthwhile. On the plus side, it is one of the more human-readable SEP logs.
System Log File Format
The system log for SEP can be found at the following location:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log
Header
The syslog.log file begins with a single tab-separated header line containing the following fields:
Field | Type | Size | Description |
---|---|---|---|
Log Type | hex | 8 | Always 00000000 |
Max Log Size | hex | 8 | Maximum log file size in bytes |
Unknown | hex | 8 | ? |
Number of Entries | hex | 8 | Number of entries in log |
Unknown | hex | 8 | ? |
Running Total Entries | hex | 16 | Total number of events generated |
Max Log Days | hex | 8 | Maximum number of days to retain log entries |
Log Entries
Each entry after the header is one line in TSV format, meaning each field is separated by a tab character. The following fields make up an event entry:
Field | Type | Size | Description |
---|---|---|---|
Entry Length | hex | 8 | Length of the log entry |
Date and Time | Windows 64-bit value, big-endian hex | 16 | The time of the generated event (GMT). |
Event ID | hex | 8 | An event ID sent by a managed client. The known values, grouped by category, are listed under Event ID Values below. |
Unknown | hex | 8 | Purpose not yet determined; requires further investigation. |
Severity | hex | 8 | The severity of the event (0 = Info, 1 = Warning, 2 = Error, 3 = Fatal) |
Data Size | hex | 8 | Length of the Data/Log Line field |
Summary/Description | nvarchar | 2048 | Description of the event. Usually the first line of the description is treated as the summary. |
Event Source | nvarchar | 32 | Component that generated the event (CVE, Smc, IPS, SONAR, REP) |
Data/Log Line | varbinary | 2000 | Additional data in binary format. This field is optional. |
Location | nvarchar | 512 | The client location in use when the event occurred. |
Event ID Values
Installation events
Event ID | Description |
---|---|
0x12070001 | Internal error |
0x12070101 | Install complete |
0x12070102 | Restart recommended |
0x12070103 | Restart required |
0x12070104 | Installation failed |
0x12070105 | Uninstallation complete |
0x12070106 | Uninstallation failed |
0x12071037 | Symantec Endpoint Protection installed |
0x12071038 | Symantec Firewall installed |
0x12071039 | Uninstall |
0x1207103A | Uninstall rolled-back |
Service events
Event ID | Description |
---|---|
0x12070201 | Service starting |
0x12070202 | Service started |
0x12070203 | Service start failure |
0x12070204 | Service stopped |
0x12070205 | Service stop failure |
0x1207021A | Attempt to stop service |
Configuration events
Event ID | Description |
---|---|
0x12070206 | Config import complete |
0x12070207 | Config import error |
0x12070208 | Config export complete |
0x12070209 | Config export error |
Host Integrity events
Event ID | Description |
---|---|
0x12070210 | Host Integrity disabled |
0x12070211 | Host Integrity enabled |
0x12070220 | NAP integration enabled |
Import events
Event ID | Description |
---|---|
0x12070214 | Successfully imported advanced rule |
0x12070215 | Failed to import advanced rule |
0x12070216 | Successfully exported advanced rule |
0x12070217 | Failed to export advanced rule |
0x1207021B | Imported sylink |
Client events
Event ID | Description |
---|---|
0x12070218 | Client Engine enabled |
0x12070219 | Client Engine disabled |
0x12071046 | Proactive Threat Scanning is not supported on this platform |
0x12071047 | Proactive Threat Scanning load error |
0x12071048 | SONAR content load error |
0x12071049 | Allow application |
Server events
Event ID | Description |
---|---|
0x12070301 | Server connected |
0x12070302 | No server response |
0x12070303 | Server connection failed |
0x12070304 | Server disconnected |
0x120B0001 | Cannot reach server |
0x120B0002 | Reconnected to the server |
0x120B0003 | Automatic upgrade complete |
Policy events
Event ID | Description |
---|---|
0x12070306 | New policy received |
0x12070307 | New policy applied |
0x12070308 | New policy failed |
0x12070309 | Cannot download policy |
0x120B0005 | Cannot download policy |
0x1207030A | Have latest policy |
0x120B0004 | Have latest policy |
Antivirus engine events
Event ID | Description |
---|---|
0x12071006 | Scan omission |
0x12071007 | Definition file loaded |
0x1207100B | Virus behavior detected |
0x1207100C | Configuration changed |
0x12071010 | Definition file download |
0x12071012 | Sent to quarantine server |
0x12071013 | Delivered to Symantec |
0x12071014 | Security Response backup |
0x12071015 | Scan aborted |
0x12071016 | Symantec Endpoint Protection Auto-Protect load error |
0x12071017 | Symantec Endpoint Protection Auto-Protect enabled |
0x12071018 | Symantec Endpoint Protection Auto-Protect disabled |
0x1207101A | Scan delayed |
0x1207101B | Scan restarted |
0x12071027 | Symantec Endpoint Protection is using old virus definitions |
0x12071041 | Scan suspended |
0x12071042 | Scan resumed |
0x12071043 | Scan duration too short |
0x12071045 | Scan enhancements failed |
Licensing events
Event ID | Description |
---|---|
0x1207101E | License warning |
0x1207101F | License error |
0x12071020 | License in grace period |
0x12071023 | License installed |
0x12071025 | License up-to-date |
Security events
Event ID | Description |
---|---|
0x1207102B | Computer not compliant with security policy |
0x1207102C | Computer compliant with security policy |
0x1207102D | Tamper attempt |
0x12071034 | Login failed |
0x12071035 | Login succeeded |
Submission events
Event ID | Description |
---|---|
0x12120001 | System message from centralized reputation |
0x12120002 | Authentication token failure |
0x12120003 | Reputation failure |
0x12120004 | Reputation network failure |
0x12130001 | System message from Submissions |
0x12130002 | Submissions failure |
0x12130003 | Intrusion prevention submission |
0x12130004 | Antivirus detection submission |
0x12130005 | Antivirus advanced heuristic detection submission |
0x12130006 | Manual user submission |
0x12130007 | SONAR heuristic submission |
0x12130008 | SONAR detection submission |
0x12130009 | File Reputation submission |
0x1213000A | Client authentication token request |
0x1213000B | LiveUpdate error submission |
0x1213000C | Process data submission |
0x1213000D | Configuration data submission |
0x1213000E | Network data submission |
Other events
Event ID | Description |
---|---|
0x1207020A | Email post OK |
0x1207020B | Email post failure |
0x1207020C | Update complete |
0x1207020D | Update failure |
0x1207020E | Manual location change |
0x1207020F | Location changed |
0x12070212 | Old rasdll version detected |
0x12070213 | Auto-update postponed |
0x12070305 | Mode changed |
0x1207030B | Cannot apply HI script |
0x1207030C | Content Update Server |
0x1207030D | Content Update Packet |
0x12070500 | System message from device control |
0x12070600 | System message from anti-buffer overflow driver |
0x12070700 | System message from network access component |
0x12070800 | System message from LiveUpdate |
0x12070900 | System message from GUP |
0x12072000 | System message from Memory Exploit Mitigation |
0x12072009 | Intensive Protection disabled |
0x1207200A | Intensive Protection enabled |
0x12071021 | Access denied warning |
0x12071022 | Log forwarding error |
0x12071044 | Client moved |
0x12071036 | Access denied warning |
0x12071000 | Message from Intrusion Prevention |
0x12071050 | SONAR disabled |
0x12071051 | SONAR enabled |
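Because the client UI hides the Event ID and Event Source, the practical way to use this log in an investigation is to parse syslog.log directly and pull out the events that matter (protection being disabled, tamper attempts, failed logins). The parser below is an added example written for this post, not Symantec code, and it makes a few assumptions the format description above does not settle: the file is UTF-8 text with one entry per line; the Date and Time field is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) written as 16 big-endian hex digits; and Entry Length counts the bytes of the entry after the length field and its tab. The Event ID map is a subset of the table above, and the sample file at the bottom is constructed, not a real capture.

```python
"""Parser for the SEP client syslog.log layout described in this post.

Added example, not Symantec's code.  Assumptions not stated on the page:
  * the file is UTF-8 text, one entry per line;
  * Date and Time is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)
    written as 16 big-endian hex digits;
  * Entry Length is the byte length of the entry after the length field
    and its tab separator (used here only as a consistency check).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SEVERITY = {0: "Info", 1: "Warning", 2: "Error", 3: "Fatal"}

# Subset of the Event ID table in this post; extend from the full list as needed.
EVENT_NAMES = {
    0x12070101: "Install complete", 0x12070202: "Service started",
    0x12070204: "Service stopped", 0x12070210: "Host Integrity disabled",
    0x12070219: "Client Engine disabled", 0x12070301: "Server connected",
    0x12070304: "Server disconnected", 0x12070307: "New policy applied",
    0x12071007: "Definition file loaded", 0x12071017: "Auto-Protect enabled",
    0x12071018: "Auto-Protect disabled", 0x1207102D: "Tamper attempt",
    0x12071034: "Login failed", 0x12071050: "SONAR disabled",
    0x12071051: "SONAR enabled",
}
# Events that weaken protection or show someone pushing against it; a triage
# pass over a host should surface these first.
DEFENSE_IMPACT_IDS = {0x12070210, 0x12070219, 0x12071018, 0x1207102D,
                      0x12071034, 0x12071050}


def filetime_to_datetime(hex_value: str) -> datetime:
    """Decode a 16-digit big-endian hex FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_value, 16) // 10)


def datetime_to_filetime(dt: datetime) -> str:
    """Inverse of filetime_to_datetime; integer math so large tick counts stay exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return "%016X" % ticks


@dataclass
class Header:
    log_type: int
    max_log_size: int
    num_entries: int
    running_total: int
    max_log_days: int


@dataclass
class Entry:
    declared_length: int
    length_matches: bool      # declared length vs. bytes actually present (assumed semantics)
    timestamp: datetime
    event_id: int
    event_name: str
    severity: str
    data_size: int
    summary: str
    description: str
    source: str
    data: str
    location: str


def parse_header(line: str) -> Header:
    f = line.rstrip("\r\n").split("\t")
    if len(f) < 7:
        raise ValueError("header has %d fields, expected 7" % len(f))
    return Header(int(f[0], 16), int(f[1], 16), int(f[3], 16), int(f[5], 16), int(f[6], 16))


def parse_entry(line: str) -> Entry:
    line = line.rstrip("\r\n")
    f = line.split("\t", 9)            # at most 10 fields; Data and Location may be empty
    if len(f) < 7:
        raise ValueError("entry has %d fields, expected at least 7" % len(f))
    f += [""] * (10 - len(f))
    declared, event_id, sev = int(f[0], 16), int(f[2], 16), int(f[4], 16)
    body = line.split("\t", 1)[1]      # everything after the Entry Length field
    return Entry(
        declared_length=declared,
        length_matches=(declared == len(body.encode("utf-8"))),
        timestamp=filetime_to_datetime(f[1]),
        event_id=event_id,
        event_name=EVENT_NAMES.get(event_id, "Unknown (0x%08X)" % event_id),
        severity=SEVERITY.get(sev, "Unknown (%d)" % sev),
        data_size=int(f[5], 16),
        summary=f[6].splitlines()[0] if f[6] else "",   # first line of the description
        description=f[6], source=f[7], data=f[8], location=f[9],
    )


def parse_syslog(text: str) -> Tuple[Header, List[Entry]]:
    lines = [l for l in text.splitlines() if l.strip()]
    return parse_header(lines[0]), [parse_entry(l) for l in lines[1:]]


def defense_impact_events(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.event_id in DEFENSE_IMPACT_IDS]


def make_entry(ts, event_id, severity, description, source, location, data="") -> str:
    """Build one entry line under the assumptions above (constructed sample data only)."""
    body = "\t".join([datetime_to_filetime(ts), "%08X" % event_id, "00000000",
                      "%08X" % severity, "%08X" % len(data.encode("utf-8")),
                      description, source, data, location])
    return "%08X\t%s" % (len(body.encode("utf-8")), body)


T0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
# Constructed sample syslog.log: header (3 entries, 1 MiB cap, 14-day retention) + 3 entries.
SAMPLE = "\n".join([
    "\t".join(["00000000", "00100000", "00000000", "00000003", "00000000",
               "0000000000000003", "0000000E"]),
    make_entry(T0, 0x12070307, 0, "New policy applied", "Smc", "Default"),
    make_entry(T0 + timedelta(minutes=5), 0x12071018, 1,
               "Symantec Endpoint Protection Auto-Protect disabled", "CVE", "Default"),
    make_entry(T0 + timedelta(minutes=6), 0x1207102D, 2, "Tamper attempt detected",
               "Smc", "Default"),
]) + "\n"

if __name__ == "__main__":
    hdr, ents = parse_syslog(SAMPLE)
    print("declared %d entries, parsed %d, retention %d days"
          % (hdr.num_entries, len(ents), hdr.max_log_days))
    for e in defense_impact_events(ents):
        print(e.timestamp.isoformat(), e.severity, e.source, e.event_name, "|", e.summary)
```

To run this against a real host, read the file with `open(path, encoding="utf-8", errors="replace")` and pass the contents to `parse_syslog`; any entry whose `length_matches` is false is a sign that either the Entry Length assumption above is wrong for that build or the line was truncated, so treat it as a prompt to look at the raw bytes rather than as corruption.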