System Log File Format
The system log for SEP can be found at the following locations:
- Windows: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log
- Linux: /var/symantec/Logs/syslog.log
Header
The syslog.log file starts with a tab-separated header line containing the following fields:
Field | Type | Size | Description |
---|---|---|---|
Log Type | hex | 8 | Always 00000000 |
Max Log Size | hex | 8 | Maximum log file size in bytes |
Unknown | hex | 8 | ? |
Number of Entries | hex | 8 | Number of entries in log |
Unknown | hex | 8 | ? |
Running Total Entries | hex | 16 | Total number of events generated |
Max Log Days | hex | 8 | Maximum number of days to retain log entries |
Log Entries
The log body is in TSV format, meaning each field is separated by a tab character. Each event entry contains the following fields:
Field | Type | Size | Description |
---|---|---|---|
Entry Length | hex | 8 | Length of log entry |
Date and Time | Windows: 64-bit hex value (big endian) | 16 | The time of the generated event (GMT). |
Event ID | hex | 8 | An event ID sent by a managed client. Known values are listed under "Event ID values" below. |
Unknown | hex | 8 | Purpose not yet determined; requires further investigation. |
Severity | hex | 8 | Severity of the event (0 = Info, 1 = Warning, 2 = Error, 3 = Fatal) |
Data Size | hex | 8 | Length of the Data field |
Summary/Description | nvarchar | 2048 | Description of the event. Usually, the first line of the description is treated as the summary. |
Event Source | nvarchar | 32 | Source component of the event (CVE, Smc, IPS, SONAR, REP) |
Data | varbinary | 2000 | Additional data in binary format. This field is optional. |
Location | nvarchar | 512 | The location in use when the event occurred. |

Event ID values
The Event ID field takes the following values, grouped by category.

Installation events
- 0x12070001 = Internal error
- 0x12070101 = Install complete
- 0x12070102 = Restart recommended
- 0x12070103 = Restart required
- 0x12070104 = Installation failed
- 0x12070105 = Uninstallation complete
- 0x12070106 = Uninstallation failed
- 0x12071037 = Symantec Endpoint Protection installed
- 0x12071038 = Symantec Firewall installed
- 0x12071039 = Uninstall
- 0x1207103A = Uninstall rolled back

Service events
- 0x12070201 = Service starting
- 0x12070202 = Service started
- 0x12070203 = Service start failure
- 0x12070204 = Service stopped
- 0x12070205 = Service stop failure
- 0x1207021A = Attempt to stop service

Configuration events
- 0x12070206 = Config import complete
- 0x12070207 = Config import error
- 0x12070208 = Config export complete
- 0x12070209 = Config export error

Host Integrity events
- 0x12070210 = Host Integrity disabled
- 0x12070211 = Host Integrity enabled
- 0x12070220 = NAP integration enabled

Import events
- 0x12070214 = Successfully imported advanced rule
- 0x12070215 = Failed to import advanced rule
- 0x12070216 = Successfully exported advanced rule
- 0x12070217 = Failed to export advanced rule
- 0x1207021B = Imported sylink

Client events
- 0x12070218 = Client Engine enabled
- 0x12070219 = Client Engine disabled
- 0x12071046 = Proactive Threat Scanning is not supported on this platform
- 0x12071047 = Proactive Threat Scanning load error
- 0x12071048 = SONAR content load error
- 0x12071049 = Allow application

Server events
- 0x12070301 = Server connected
- 0x12070302 = No server response
- 0x12070303 = Server connection failed
- 0x12070304 = Server disconnected
- 0x120B0001 = Cannot reach server
- 0x120B0002 = Reconnected to the server
- 0x120B0003 = Automatic upgrade complete

Policy events
- 0x12070306 = New policy received
- 0x12070307 = New policy applied
- 0x12070308 = New policy failed
- 0x12070309 = Cannot download policy
- 0x120B0005 = Cannot download policy
- 0x1207030A = Have latest policy
- 0x120B0004 = Have latest policy

Antivirus engine events
- 0x12071006 = Scan omission
- 0x12071007 = Definition file loaded
- 0x1207100B = Virus behavior detected
- 0x1207100C = Configuration changed
- 0x12071010 = Definition file download
- 0x12071012 = Sent to quarantine server
- 0x12071013 = Delivered to Symantec
- 0x12071014 = Security Response backup
- 0x12071015 = Scan aborted
- 0x12071016 = Symantec Endpoint Protection Auto-Protect load error
- 0x12071017 = Symantec Endpoint Protection Auto-Protect enabled
- 0x12071018 = Symantec Endpoint Protection Auto-Protect disabled
- 0x1207101A = Scan delayed
- 0x1207101B = Scan restarted
- 0x12071027 = Symantec Endpoint Protection is using old virus definitions
- 0x12071041 = Scan suspended
- 0x12071042 = Scan resumed
- 0x12071043 = Scan duration too short
- 0x12071045 = Scan enhancements failed

Licensing events
- 0x1207101E = License warning
- 0x1207101F = License error
- 0x12071020 = License in grace period
- 0x12071023 = License installed
- 0x12071025 = License up-to-date

Security events
- 0x1207102B = Computer not compliant with security policy
- 0x1207102C = Computer compliant with security policy
- 0x1207102D = Tamper attempt
- 0x12071034 = Login failed
- 0x12071035 = Login succeeded

Submission events
- 0x12120001 = System message from centralized reputation
- 0x12120002 = Authentication token failure
- 0x12120003 = Reputation failure
- 0x12120004 = Reputation network failure
- 0x12130001 = System message from Submissions
- 0x12130002 = Submissions failure
- 0x12130003 = Intrusion prevention submission
- 0x12130004 = Antivirus detection submission
- 0x12130005 = Antivirus advanced heuristic detection submission
- 0x12130006 = Manual user submission
- 0x12130007 = SONAR heuristic submission
- 0x12130008 = SONAR detection submission
- 0x12130009 = File Reputation submission
- 0x1213000A = Client authentication token request
- 0x1213000B = LiveUpdate error submission
- 0x1213000C = Process data submission
- 0x1213000D = Configuration data submission
- 0x1213000E = Network data submission

Other events
- 0x1207020A = Email post OK
- 0x1207020B = Email post failure
- 0x1207020C = Update complete
- 0x1207020D = Update failure
- 0x1207020E = Manual location change
- 0x1207020F = Location changed
- 0x12070212 = Old rasdll version detected
- 0x12070213 = Auto-update postponed
- 0x12070305 = Mode changed
- 0x1207030B = Cannot apply HI script
- 0x1207030C = Content Update Server
- 0x1207030D = Content Update Packet
- 0x12070500 = System message from device control
- 0x12070600 = System message from anti-buffer overflow driver
- 0x12070700 = System message from network access component
- 0x12070800 = System message from LiveUpdate
- 0x12070900 = System message from GUP
- 0x12072000 = System message from Memory Exploit Mitigation
- 0x12072009 = Intensive Protection disabled
- 0x1207200A = Intensive Protection enabled
- 0x12071021 = Access denied warning
- 0x12071022 = Log forwarding error
- 0x12071044 = Client moved
- 0x12071036 = Access denied warning
- 0x12071000 = Message from Intrusion Prevention
- 0x12071050 = SONAR disabled
- 0x12071051 = SONAR enabled
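To show how the header and entry layouts above fit together in practice, here is an added example parser (not code from this page's project or from Symantec). It reads a syslog.log-style text, decodes the header and each entry according to the two tables, cross-checks the header's entry count against the body, and surfaces a few event IDs from the table that a defender typically wants to see (protection disabled, tamper attempts, failed logins). Assumptions the page does not state, marked as such in the comments: one entry per line, an omitted Data field may appear either as an empty cell or as a missing cell, and the timestamp is kept as a raw 64-bit integer because the page gives no epoch or unit for it. The sample log content is constructed for illustration; its entry lengths and timestamps are placeholders, not values captured from a real host.

```python
"""Parser for the SEP syslog.log layout described in the tables above (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header fields in file order (all hex, tab separated), from the Header table.
HEADER_FIELDS = (
    "log_type", "max_log_size", "unknown1", "num_entries",
    "unknown2", "running_total_entries", "max_log_days",
)

SEVERITY_NAMES = {0: "Info", 1: "Warning", 2: "Error", 3: "Fatal"}

# Subset of the Event ID table above; extend with further rows as needed.
EVENT_NAMES = {
    0x12070202: "Service started",
    0x12070204: "Service stopped",
    0x12070301: "Server connected",
    0x12070307: "New policy applied",
    0x12071017: "Symantec Endpoint Protection Auto-Protect enabled",
    0x12071018: "Symantec Endpoint Protection Auto-Protect disabled",
    0x1207102D: "Tamper attempt",
    0x12071034: "Login failed",
    0x12071050: "SONAR disabled",
    0x12071051: "SONAR enabled",
}

# Event IDs worth surfacing in review: protection turned off, tampering, failed logins.
WATCHED_EVENTS = {0x1207102D, 0x12071018, 0x12071050, 0x12071034}


@dataclass
class SysLogEntry:
    entry_length: int
    timestamp_raw: int   # 64-bit big-endian value; page gives no epoch, so kept raw (ASSUMPTION)
    event_id: int
    unknown: int
    severity: int
    data_size: int
    summary: str
    source: str
    data: str            # optional per the table; empty string when absent
    location: str

    @property
    def event_name(self) -> str:
        return EVENT_NAMES.get(self.event_id, f"Unknown event 0x{self.event_id:08X}")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, f"Unknown severity {self.severity}")


def parse_header(line: str) -> Dict[str, int]:
    """Decode the tab-separated hex header line into named integers."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"header has {len(parts)} fields, expected {len(HEADER_FIELDS)}")
    return {name: int(value, 16) for name, value in zip(HEADER_FIELDS, parts)}


def parse_entry(line: str) -> SysLogEntry:
    """Decode one entry line. ASSUMPTION: one entry per line; a missing Data cell is tolerated."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) == 9:          # Data field omitted entirely: treat as empty
        parts.insert(8, "")
    if len(parts) != 10:
        raise ValueError(f"entry has {len(parts)} fields, expected 9 or 10")
    return SysLogEntry(
        entry_length=int(parts[0], 16), timestamp_raw=int(parts[1], 16),
        event_id=int(parts[2], 16), unknown=int(parts[3], 16),
        severity=int(parts[4], 16), data_size=int(parts[5], 16),
        summary=parts[6], source=parts[7], data=parts[8], location=parts[9],
    )


def parse_syslog(text: str) -> Tuple[Dict[str, int], List[SysLogEntry]]:
    """Split the file into header plus entries; blank lines are ignored."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty log")
    return parse_header(lines[0]), [parse_entry(ln) for ln in lines[1:]]


def check_consistency(header: Dict[str, int], entries: List[SysLogEntry]) -> List[str]:
    """Warnings when the header disagrees with the body (a sign of truncation or tampering)."""
    warnings = []
    if header["num_entries"] != len(entries):
        warnings.append(f"header says {header['num_entries']} entries, parsed {len(entries)}")
    if header["log_type"] != 0:
        warnings.append(f"unexpected log type 0x{header['log_type']:08X} (table says always 0)")
    return warnings


def flag_watched_events(entries: List[SysLogEntry]) -> List[SysLogEntry]:
    return [e for e in entries if e.event_id in WATCHED_EVENTS]


# Constructed sample log (placeholder lengths/timestamps, not from a real host).
SAMPLE_LOG = (
    "00000000\t00100000\t00000000\t00000003\t00000000\t0000000000000003\t0000000E\n"
    "0000003F\t01D9A1B2C3D4E5F6\t12070202\t00000000\t00000000\t00000000\t"
    "Symantec Management Client has started.\tSmc\t\tDefault\n"
    "00000041\t01D9A1B2C3D4E600\t1207102D\t00000000\t00000001\t00000000\t"
    "Tamper attempt blocked\tCVE\t\tDefault\n"
    "00000045\t01D9A1B2C3D4E6AA\t12071018\t00000000\t00000002\t00000000\t"
    "Auto-Protect disabled\tCVE\t\tHome\n"
)

if __name__ == "__main__":
    hdr, ents = parse_syslog(SAMPLE_LOG)
    for w in check_consistency(hdr, ents):
        print("WARNING:", w)
    for e in flag_watched_events(ents):
        print(f"{e.severity_name:7} {e.event_name}: {e.summary} [{e.source} @ {e.location}]")
```

Run it on a real syslog.log by replacing SAMPLE_LOG with the file's contents; because entries are decoded by position rather than by guessing at the text, a change in the Entry Length, Severity or Event ID columns shows up as a parse error or a consistency warning rather than being silently skipped.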