Symantec Endpoint Protection

Forward Symantec Endpoint Protection logs to a Syslog endpoint by exporting logs from SEPM and using a script for forwarding.

Prerequisites

  • Symantec Endpoint Protection Manager (SEPM) with administrative access.
  • Access to SEPM's database or SEPM's exported log files.
  • Scripting environment (e.g., server with Python) for log forwarding.
  • Syslog endpoint details: <SYSLOG_ENDPOINT>, <SYSLOG_PORT>.

Configuration Steps

1. Export Logs from SEPM

  • Configure SEPM to export logs to a file or directly access SEPM's database to extract log data. Refer to SEPM documentation for steps on exporting or accessing logs.

2. Create a Log Forwarding Script

Develop a script that reads the exported log data and forwards it to your Syslog server.

Example Python snippet for reading log files and forwarding to Syslog:

import socket

def forward_logs_to_syslog(log_file, syslog_server, syslog_port):
    # Read the exported SEPM log file, one event per line
    with open(log_file, 'r') as file:
        logs = file.readlines()

    # Plain UDP syslog; 514 is the conventional port
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for log in logs:
        # <14> is the syslog PRI: facility user (1) * 8 + severity informational (6).
        # Strip the trailing newline so it is not sent as part of the message.
        syslog_message = f"<14>{log.rstrip()}".encode('utf-8')
        sock.sendto(syslog_message, (syslog_server, syslog_port))
    sock.close()

# Example call; substitute the endpoint details from the prerequisites
forward_logs_to_syslog('sep_export.log', '<SYSLOG_ENDPOINT>', 514)

3. Schedule and Execute the Script

Use cron jobs (Linux) or Task Scheduler (Windows) to run the script at regular intervals so that new logs are forwarded continuously. Note that the snippet above re-sends the entire file on every run; either export only new events each time or have the script remember how far it has already read, otherwise the Syslog endpoint will receive duplicates.

4. Verify Log Forwarding

Generate or wait for new events in SEP that produce logs. Confirm the receipt of these logs at your Syslog endpoint.
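The following is an added example, not code from the original page or from Symantec, that carries the four steps above through in one forwarder suited to scheduled runs: it wraps each exported line in an RFC 5424 header (the <14> PRI value from the snippet), persists a byte offset in a state file so a cron or Task Scheduler run forwards only lines appended since the last run, restarts from the beginning if the export file was rotated, and never sends a half-written trailing line. The sample log lines and the hostname/app name are constructed assumptions (real SEPM export columns depend on the log type); the send callable is injectable so the logic can be checked without a network.

```python
import os
import socket
import tempfile
from datetime import datetime, timezone

# Constructed sample lines standing in for a SEPM log export (assumption:
# one event per line; the real column layout depends on the SEPM log type).
SAMPLE_LINES = [
    "2024-01-15 10:00:01,Risk Found,WS01,EICAR Test String,Quarantined",
    "2024-01-15 10:00:07,Definitions Updated,WS02,rev. 20240115.003",
    "2024-01-15 10:00:42,Scan Complete,WS01,0 risks",
]

FACILITY_USER = 1   # syslog facility "user-level"
SEVERITY_INFO = 6   # syslog severity "informational"


def build_syslog_message(line, hostname="sepm-host", app_name="sepm-export",
                         facility=FACILITY_USER, severity=SEVERITY_INFO,
                         timestamp=None):
    """Wrap one exported line in an RFC 5424 header:
    <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility * 8 + severity, so user/info gives <14>."""
    pri = facility * 8 + severity
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - - - {line.rstrip()}"


def read_new_lines(log_file, state_file):
    """Return complete lines appended since the last run.
    The byte offset of the last consumed line lives in state_file, so a
    scheduled run does not re-send the whole export. A file smaller than the
    saved offset is treated as rotated and read from the start; a trailing
    partial line is left for the next run."""
    offset = 0
    if os.path.exists(state_file):
        with open(state_file) as f:
            text = f.read().strip()
            offset = int(text) if text.isdigit() else 0
    if os.path.getsize(log_file) < offset:
        offset = 0
    with open(log_file, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n")
    if end == -1:
        return []
    complete = data[:end + 1]
    with open(state_file, "w") as f:
        f.write(str(offset + len(complete)))
    return [raw.decode("utf-8", errors="replace") for raw in complete.splitlines()]


def forward_new_logs(log_file, state_file, syslog_server, syslog_port, send=None):
    """Forward unsent lines over UDP syslog; returns the number sent.
    `send` can be replaced by any callable taking the encoded message."""
    sock = None
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        def send(payload):
            sock.sendto(payload, (syslog_server, syslog_port))
    sent = 0
    try:
        for line in read_new_lines(log_file, state_file):
            send(build_syslog_message(line).encode("utf-8"))
            sent += 1
    finally:
        if sock is not None:
            sock.close()
    return sent


def run_demo():
    """Simulate three scheduled runs against a constructed export file:
    initial export, nothing new, then one full line plus a partial one."""
    workdir = tempfile.mkdtemp()
    log_file = os.path.join(workdir, "sep_export.log")
    state_file = os.path.join(workdir, "sep_export.offset")
    captured = []
    with open(log_file, "w") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    first = forward_new_logs(log_file, state_file, "127.0.0.1", 514, captured.append)
    second = forward_new_logs(log_file, state_file, "127.0.0.1", 514, captured.append)
    with open(log_file, "a") as f:
        f.write("2024-01-15 10:05:00,Scan Complete,WS02,0 risks\n2024-01-15 10:0")
    third = forward_new_logs(log_file, state_file, "127.0.0.1", 514, captured.append)
    return {"runs": (first, second, third), "messages": captured}


if __name__ == "__main__":
    result = run_demo()
    print("sent per run:", result["runs"])
    for msg in result["messages"]:
        print(msg.decode())
```

In production, call forward_new_logs with the real export path, a writable state-file path and your <SYSLOG_ENDPOINT>/<SYSLOG_PORT> from the scheduled job; the offset file is what makes repeated runs idempotent. UDP gives no delivery confirmation, so step 4 (checking arrival at the endpoint) remains the only real verification.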