Symantec Endpoint Protection sample event messages
Use this sample event message to verify a successful integration with the QRadar® product.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Symantec Endpoint Protection sample message when you use the Syslog connector
The following sample event message shows a firewall block.
<51>Oct 3 23:51:53 symantec.endpointprotection.english.test SymantecServer: 20-11111A111111,Event Description: The client will block traffic from IP address 10.33.146.1 for the next 60 seconds (from 03/10/2019 23:51:04 to 03/10/2019 23:52:04). ,Local: 10.246.162.238,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 10.33.146.1,Remote Host MAC: 000000000000,Inbound,OTHERS,,Begin: 2019-10-03 23:51:04,End: 2019-10-03 23:52:04,Occurrences: 1,Application: ,Location: Test Loc - VPN,User: A1111111,Domain: TESTDOMAIN,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:
QRadar product field name | Highlighted values in the event payload
---|---
Event ID | Event Description (the firewall block event is extracted from the description text)
Source IP | 10.33.146.1 (Remote Host IP)
Destination IP | 10.246.162.238 (Local)
Username | A1111111 (User)
Device Time | 2019-10-03 23:51:04 (Begin)
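The following parser is an added example, not code from IBM's Symantec Endpoint Protection DSM, which shows how the sample message above breaks down into a syslog header plus a comma-separated body of `Label: value` fields, and how those fields map to the QRadar field names in the table. The sample event is reconstructed inline from the page; the rule that classifies the description as a firewall block, the treatment of an `Outbound` direction flag (swapping local and remote addresses), and the function names are assumptions for illustration. It also applies the page's note about stripping carriage return and line feed characters before parsing.

```python
"""Parse a Symantec Endpoint Protection syslog event and map it to QRadar fields.

Added example (not IBM's DSM implementation). Field mapping follows the table on
this page; the event classification and Outbound handling are assumptions.
"""
import re
from datetime import datetime

# Constructed sample: the page's firewall-block event, on a single line.
SAMPLE_EVENT = (
    "<51>Oct 3 23:51:53 symantec.endpointprotection.english.test SymantecServer: "
    "20-11111A111111,Event Description: The client will block traffic from IP address "
    "10.33.146.1 for the next 60 seconds (from 03/10/2019 23:51:04 to 03/10/2019 23:52:04). ,"
    "Local: 10.246.162.238,Local Host MAC: 000000000000,Remote Host Name: ,"
    "Remote Host IP: 10.33.146.1,Remote Host MAC: 000000000000,Inbound,OTHERS,,"
    "Begin: 2019-10-03 23:51:04,End: 2019-10-03 23:52:04,Occurrences: 1,Application: ,"
    "Location: Test Loc - VPN,User: A1111111,Domain: TESTDOMAIN,Local Port: 0,Remote Port: 0,"
    "CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,"
    "Intrusion Payload URL: ,SHA-256: ,MD-5:"
)

# Syslog header: <PRI>MMM d HH:MM:SS host SymantecServer: body
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) SymantecServer: (?P<body>.*)$"
)
# A labelled body field is "Label: value"; labels are words, digits, spaces or
# hyphens (e.g. "SHA-256", "MD-5"). Anything else (e.g. "Inbound", "OTHERS",
# the leading client identifier) is treated as a positional value.
LABELLED = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*):(.*)$")


def split_body(body):
    """Split the comma-separated body into labelled fields and positional values."""
    fields, positional = {}, []
    for item in body.split(","):
        item = item.strip()
        m = LABELLED.match(item)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        else:
            positional.append(item)
    return fields, positional


def normalize(line):
    """Return the QRadar-style fields for one SEP syslog line."""
    # Per the page's note, a pasted sample may carry CR/LF inside the message.
    line = line.replace("\r", "").replace("\n", "")
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a SymantecServer syslog line")
    pri = int(m.group("pri"))
    fields, positional = split_body(m.group("body"))

    description = fields.get("Event Description", "")
    # Assumption: classify by description text; the page shows only the block case.
    event_id = "Firewall Block" if re.search(r"\bblock traffic\b", description) else description

    # The sample is Inbound: the remote host is the source, the local host the
    # destination (as in the table). Assumption: Outbound swaps the two.
    direction = "Outbound" if "Outbound" in positional else "Inbound"
    local = fields.get("Local", "")
    remote = fields.get("Remote Host IP", "")
    source_ip, destination_ip = (remote, local) if direction == "Inbound" else (local, remote)

    return {
        "syslog_facility": pri >> 3,   # <51> -> facility 6
        "syslog_severity": pri & 7,    # <51> -> severity 3
        "event_id": event_id,
        "source_ip": source_ip,
        "destination_ip": destination_ip,
        "username": fields.get("User", ""),
        "domain": fields.get("Domain", ""),
        "device_time": datetime.strptime(fields["Begin"], "%Y-%m-%d %H:%M:%S"),
        "direction": direction,
        "fields": fields,
        "positional": positional,
    }


if __name__ == "__main__":
    for key, value in normalize(SAMPLE_EVENT).items():
        if key not in ("fields", "positional"):
            print(f"{key}: {value}")
```

Note that the Event Description itself repeats the window in `DD/MM/YYYY` form (`03/10/2019 23:51:04`) while `Begin:` uses `YYYY-MM-DD`; Device Time is taken from `Begin:` so the day/month order is unambiguous. The MAC, port, hash and CIDS fields are all empty or zero in a firewall block event and are kept in the `fields` dictionary rather than mapped to normalized QRadar properties.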