Configuring Symantec Endpoint Protection to Communicate with QRadar

Before you can add the Symantec Endpoint Protection log source in QRadar, you need to configure your Symantec Endpoint Protection device to forward syslog events.

Procedure

  1. Log in to your Symantec Endpoint Protection Manager system.
  2. In the left pane, click the Admin icon.
  3. In the bottom of the View Servers pane, click Servers.
  4. In the View Servers pane, click Local Site.
  5. In the Tasks pane, click Configure External Logging.
  6. From the Generals tab, select the Enable Transmission of Logs to a Syslog Server check box.
  7. In the Syslog Server field, type the IP address of your QRadar that you want to parse the logs.
  8. In the UDP Destination Port field, type 514.
  9. In the Log Facility field, type 6.
  10. In the Log Filter tab, under Management Server Logs, select the Audit Logs check box.
  11. In the Client Log pane, select the Security Logs check box.
  12. In the Client Log pane, select the Risks check box.
  13. Click OK.