Security Log File Format
The security log for SEP can be found at the following location:
- Windows: `C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\seclog.log`
- Linux: `/var/symantec/Logs/seclog.log`
Header
Field | Type | Size | Description |
---|---|---|---|
Log Type | hex | 8 | Always 00000001 |
Max Log Size | hex | 8 | Maximum log file size in bytes |
Unknown | hex | 8 | ? |
Number of Entries | hex | 8 | Number of entries in log |
Unknown | hex | 8 | ? |
Running Total Entries | hex | 16 | Total number of events generated |
Max Log Days | hex | 8 | Maximum number of days to keep log entries |
Log Entries
The log entries are in TSV format: each field is separated by a tab character.
Field | Type | Size | Description |
---|---|---|---|
Entry Length | hex | 8 | Length of log entry |
Date and Time | Windows: 64 bit Hex Value - Big Endian | 16 | The time of the generated event (GMT). |
Event ID | hex | 8 | Compliance events: 209 = Host Integrity failed; 210 = Host Integrity passed; 221 = Host Integrity failed, but reported as passed; 237 = Host Integrity custom log entry.<br>Firewall and IPS events: 201 = Invalid traffic by rule *; 202 = Port scan *; 203 = Denial of service *; 204 = Trojan *; 205 = Executable file was changed *; 206 = Intrusion Prevention System intrusion was detected *; 207 = Active Response; 208 = MAC spoofing *; 211 = Active Response was disengaged; 216 = Executable file change was detected; 217 = Executable file change was accepted; 218 = Executable file change was denied; 219 = Active Response was cancelled *; 220 = Application hijacking; 249 = Browser Protection event.<br>Application and Device Control: 238 = Device control disabled the device; 239 = Buffer Overflow event; 240 = Software protection has thrown an exception; 241 = Not used *; 242 = Device control enabled the device *.<br>Memory Exploit Mitigation events *: 250 = Memory Exploit Mitigation blocked an event *; 251 = Memory Exploit Mitigation allowed an event *. |
Severity | hex | 8 | The severity as defined in the security rule. Critical = 0 - 3; Major = 4 - 7; Minor = 8 - 11; Info = 12 - 15 |
Local Host | hex | 8 | The IP address of the local computer (IPv4). |
Remote Host | hex | 8 | The IP address of the remote computer (IPv4). |
Protocol | hex | 8 | The protocol type. (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4) |
Hack Type | hex | 8 | If Event ID = 209, Host Integrity failed (TSLOG_SEC_NO_AV): the reason for the failure.<br>If Event ID = 206, Intrusion Prevention System intrusion detected (TSLOG_SEC_INTRUSION_DETECTED): the intrusion ID.<br>If Event ID = 210, Host Integrity passed (TSLOG_SEC_AV): additional information.<br>Possible reasons are as follows: Process is not running = Bit0 is 1; Signature is out of date = Bit1 is 1; Recovery was attempted = Bit2 is 1 |
Direction | hex | 8 | The direction of traffic. (Unknown = 0; inbound = 1; outbound = 2) |
Begin Time | Windows: 64 bit Hex Value - Big Endian | 16 | The start time of the security issue. |
End Time | Windows: 64 bit Hex Value - Big Endian | 16 | The end time of the security issue. This field is optional because the exact end time of traffic may not be detected (for example, with UDP traffic). If the end time is not detected, it is set equal to the start time. |
Occurrences | hex | 8 | The number of attacks. Sometimes, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. |
Log Data Size | hex | 8 | |
Description | nvarchar | 4000 | Description of the event. Usually, the first line of the description is treated as the summary. |
Unknown | ? | ? | Will require further investigation as to the purpose of this log entry. |
Application | nvarchar | 512 | The full path of the application involved. This field may be empty if an unknown application is involved, or no application is involved. For example, the ping of death DoS attack does not have an application name because it attacks the OS itself. |
Log Data | varbinary | 3000 | Additional data in binary format. This field is optional. |
Local MAC | binary | 32 | The MAC address of the local computer. |
Remote MAC | binary | 32 | The MAC address of the remote computer. |
Location | nvarchar | 512 | The location in use when the event occurred. |
User | nvarchar | 512 | The logon user name. |
User Domain | nvarchar | 512 | The logon domain name. |
Signature ID | hex | 8 | The signature ID. |
Signature Sub ID | hex | 8 | The signature sub ID. |
Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
Remote Port | hex | 8 | The remote port. |
Local Port | hex | 8 | The local port. |
Local Host IPV6 | hex | 32 | The IP address of the local computer (IPv6). |
Remote Host IPV6 | hex | 32 | The IP address of the remote computer (IPv6). |
Signature Name | nvarchar | 520 | The signature name. |
X Intrusion Payload | nvarchar | 4200 | The URL that hosted the payload. |
Intrusion URL | nvarchar | 4200 | The URL from the detection. |
Unknown | ? | ? | Will require further investigation as to the purpose of this log entry. |
Symantec Version Number | nvarchar | 128 | The agent version number on the client. |
Profile Serial Number | varchar | 64 | The policy serial number. |
Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
MD5 Hash | char | 32 | The MD5 hash value. |
SHA-256 Hash | char | 64 | The SHA-256 hash value. |
URL_HID_LEVEL † | hex | 8 | Added for future release. Not used now. |
URL_RISK_SCORE † | hex | 8 | Added for future release. Not used now. |
URL_CATEGORIES † | char | 64 | Comma-separated list of numerical values: 1 = Adult/Mature Content; 3 = Pornography; 4 = Sex Education; 5 = Intimate Apparel/Swimsuit; 6 = Nudity; 7 = Gore/Extreme; 9 = Scam/Questionable Legality; 11 = Gambling; 14 = Violence/Intolerance; 15 = Weapons; 16 = Abortion; 17 = Hacking; 18 = Phishing; 20 = Entertainment; 21 = Business/Economy; 22 = Alternative Spirituality/Belief; 23 = Alcohol; 24 = Tobacco; 25 = Controlled Substances; 26 = Child Pornography; 27 = Education; 29 = Charitable/Non-Profit; 30 = Art/Culture; 31 = Finance; 32 = Brokerage/Trading; 33 = Games; 34 = Government/Legal; 35 = Military; 36 = Political/Social Advocacy; 37 = Health; 38 = Technology/Internet; 40 = Search Engines/Portals; 43 = Malicious Sources/Malnets; 44 = Malicious Outbound Data/Botnets; 45 = Job Search/Careers; 46 = News; 47 = Personals/Dating; 49 = Reference; 50 = Mixed Content/Potentially Adult; 51 = Chat (IM)/SMS; 52 = Email; 53 = Newsgroups/Forums; 54 = Religion; 55 = Social Networking; 56 = File Storage/Sharing; 57 = Remote Access; 58 = Shopping; 59 = Auctions; 60 = Real Estate; 61 = Society/Daily Living; 63 = Personal Sites; 64 = Restaurants/Food; 65 = Sports/Recreation; 66 = Travel; 67 = Vehicles; 68 = Humor/Jokes; 71 = Software Downloads; 83 = Peer-to-Peer (P2P); 84 = Audio/Video Clips; 85 = Office/Business Applications; 86 = Proxy Avoidance; 87 = For Kids; 88 = Web Ads/Analytics; 89 = Web Hosting; 90 = Uncategorized; 92 = Suspicious; 93 = Sexual Expression; 95 = Translation; 96 = Web Infrastructure; 97 = Content Delivery Networks; 98 = Placeholders; 101 = Spam; 102 = Potentially Unwanted Software; 103 = Dynamic DNS Host; 104 = URL Shorteners; 105 = Email Marketing; 106 = E-Card/Invitations; 107 = Informational; 108 = Computer/Information Security; 109 = Internet Connected Devices; 110 = Internet Telephony; 111 = Online Meetings; 112 = Media Sharing; 113 = Radio/Audio Streams; 114 = TV/Video Streams; 116 = Cloud Infrastructure; 117 = Cryptocurrency; 118 = Piracy/Copyright Concerns; 121 = Marijuana; 124 = Compromised Sites |
* SEP14.2.1
† SEP14.3.0.1
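The following is an added example, not the project's own parser, showing how the Header and Log Entries tables above translate into a small decoder: fixed-width hex fields for the header, a 42-column tab split for entries, the severity bands, the protocol and direction enumerations, and the Hack Type bit flags for event 209. It assumes things the page does not state: that the header is the first line of the file with its fields concatenated as fixed-width hex text, that every hex field is big-endian (the IPv4 byte order in particular should be checked against a known host before the output is trusted), and that the 64-bit timestamps are returned as raw integers because the page gives no epoch for them. The sample log it parses is constructed, not captured from a real host.

```python
"""Parser for the seclog.log layout in the tables above (added example, not
the project's code).  Assumptions not stated on the page: header = first line
as fixed-width hex text; all hex fields big-endian (verify IPv4 byte order
against a known host); 64-bit timestamps returned as raw integers (no epoch)."""
import ipaddress

# Header layout: (field name, width in hex characters), in file order.
HEADER_LAYOUT = [("log_type", 8), ("max_log_size", 8), ("unknown1", 8),
                 ("num_entries", 8), ("unknown2", 8), ("running_total", 16),
                 ("max_log_days", 8)]

# Entry columns in tab order, one name per row of the Log Entries table.
ENTRY_FIELDS = [
    "entry_length", "date_time", "event_id", "severity", "local_host",
    "remote_host", "protocol", "hack_type", "direction", "begin_time",
    "end_time", "occurrences", "log_data_size", "description", "unknown1",
    "application", "log_data", "local_mac", "remote_mac", "location", "user",
    "user_domain", "signature_id", "signature_sub_id", "unknown2", "unknown3",
    "remote_port", "local_port", "local_host_ipv6", "remote_host_ipv6",
    "signature_name", "x_intrusion_payload", "intrusion_url", "unknown4",
    "sep_version", "profile_serial", "unknown5", "md5", "sha256",
    "url_hid_level", "url_risk_score", "url_categories",
]
HEX_INT_FIELDS = ("entry_length", "date_time", "event_id", "severity",
                  "protocol", "hack_type", "direction", "begin_time",
                  "end_time", "occurrences", "log_data_size", "signature_id",
                  "signature_sub_id", "remote_port", "local_port")

# Subset of the Event ID table; IDs not listed here are reported numerically.
EVENT_NAMES = {201: "Invalid traffic by rule", 202: "Port scan",
               203: "Denial of service", 206: "IPS intrusion detected",
               209: "Host Integrity failed", 210: "Host Integrity passed",
               250: "MEM blocked an event", 251: "MEM allowed an event"}
PROTOCOLS = {1: "OTHERS", 2: "TCP", 3: "UDP", 4: "ICMP"}
DIRECTIONS = {0: "unknown", 1: "inbound", 2: "outbound"}
# Hack Type bit flags that apply when Event ID = 209.
HI_FAILURE_BITS = [(0, "Process is not running"),
                   (1, "Signature is out of date"),
                   (2, "Recovery was attempted")]


def severity_label(value):
    """Map the 0-15 severity number to the band the page documents."""
    for label, high in (("Critical", 3), ("Major", 7), ("Minor", 11), ("Info", 15)):
        if value <= high:
            return label
    return "unknown(%d)" % value   # tolerate values the page does not define


def parse_header(line):
    """Split the fixed-width hex header line into integer fields."""
    header, pos = {}, 0
    for name, width in HEADER_LAYOUT:
        header[name] = int(line[pos:pos + width], 16)
        pos += width
    if header["log_type"] != 1:       # the page says this is always 00000001
        raise ValueError("not a security log header")
    return header


def parse_entry(line):
    """Parse one tab-separated entry and decode its enumerated fields."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) != len(ENTRY_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(ENTRY_FIELDS), len(cols)))
    e = dict(zip(ENTRY_FIELDS, cols))
    for name in HEX_INT_FIELDS:
        e[name] = int(e[name], 16)
    for name in ("local_host", "remote_host"):   # big-endian assumption
        e[name] = str(ipaddress.IPv4Address(int(e[name], 16)))
    e["event_name"] = EVENT_NAMES.get(e["event_id"], "event %d" % e["event_id"])
    e["severity_label"] = severity_label(e["severity"])
    e["protocol_name"] = PROTOCOLS.get(e["protocol"], "unknown")
    e["direction_name"] = DIRECTIONS.get(e["direction"], "unknown")
    if e["event_id"] == 209:   # Hack Type holds the failure reasons as bits
        e["hi_failure_reasons"] = [reason for bit, reason in HI_FAILURE_BITS
                                   if e["hack_type"] >> bit & 1]
    return e


def parse_log(text):
    """Header line, then entries; malformed lines are counted, not fatal."""
    lines = text.splitlines()
    header = parse_header(lines[0])
    entries, skipped = [], 0
    for line in lines[1:]:
        try:
            entries.append(parse_entry(line))
        except ValueError:
            skipped += 1
    return header, entries, skipped


def sample_log():
    """Constructed sample (not from a real host): one Host Integrity failure
    with Hack Type bits 0 and 1 set, followed by a truncated line."""
    f = dict.fromkeys(ENTRY_FIELDS, "")
    f.update(entry_length="000001A4", date_time="01D9F5A3B2C4D6E8",
             event_id="000000D1", severity="00000005", local_host="0A000005",
             remote_host="00000000", protocol="00000001", hack_type="00000003",
             direction="00000000", begin_time="01D9F5A3B2C4D6E8",
             end_time="01D9F5A3B2C4D6E8", occurrences="00000001",
             log_data_size="00000000", description="Host Integrity check failed",
             user="alice", user_domain="EXAMPLE", signature_id="00000000",
             signature_sub_id="00000000", remote_port="00000000",
             local_port="00000000", sep_version="14.3.0.1")
    header = "00000001" "00080000" "00000000" "00000001" "00000000" "0000000000000010" "0000000E"
    return header + "\n" + "\t".join(f[n] for n in ENTRY_FIELDS) + "\ntruncated line\n"


if __name__ == "__main__":
    hdr, entries, skipped = parse_log(sample_log())
    print(hdr, "skipped:", skipped)
    for e in entries:
        print(e["event_name"], e["severity_label"], e["local_host"], e.get("hi_failure_reasons"))
```

Field widths in the tables are sizes, not delimiters, so the entry parser trusts the tab count rather than column positions and rejects lines with the wrong number of columns instead of guessing; on a log that has been truncated or rotated mid-write, the skipped count tells you how much you did not parse.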