IBM Support

QRadar: Symantec Endpoint protection auto-discovering hostname as Symantec Server (updated)



When using IBM Security QRadar SIEM, Symantec Endpoint syslog is auto detected as SymantecServer regardless of the actual hostname if the firmware version on the appliance is old.


The Symantec Endpoint Protection Server is out of date. This issue has been resolved by Symantec in software version 12.1.6.MP4.

For Symantec appliances on older firmware:
This issue is due to how Symantec generates Syslog headers as the header always contains an application name of SymantecServer. This information in most RFC Syslog payloads is normally reserved for the host name or IP Address of the appliance that generated the event, not a generic value.


<54>Jun 2 09:37:57 SymantecServer ServerA: Virus found,Computer name:ServerA,Source: Real Time Scan,Risk name: CAR Test String,Occurrences:1,D:/ffirectoryA/DirectoryB,"",Actual action: Cleaned by deletion,Requested action:Cleaned,Secondary action: Quarantined,Event time: 2009-05-22 14:22:10,Inserted:2009-05-22 14:32:57,End: 2009-05-22 14:32:10,Domain: Default,Group: My Group\WAN\Offline Servers,Server:ServerA,User: exampleuser1,Source computer: ,Source IP:

Note: In the Example above that SymanterServer is in the place of the host name, instead of the actual server name ServerA

Resolving The Problem

Administrators with Symantec Endpoint Protection appliances should review the fix provided by Symantec. This issue was corrected by Symantec in a bugfix in SEP 12.1.6 MP4. For more information, see

If you cannot update to Symantec Endpoint Protection 12.1.6 MP4
An alternate option for administrators is to use the Syslog Redirect Protocol and send Symantec Endpoint Protection Syslog events to port 517 on the QRadar system. The Syslog Redirect Protocol allows the Syslog header from the event payload to be substituted with another header to ensure that an IP or hostname can be used to parse the event properly. This protocol works by using a regular expression to generate a new Syslog header, so you have <Syslog Redirect Header><Original SEP Syslog header><Original event payload information>. The event pipeline receives the data with the new header and is able to properly parsed by the QRadar appliance.

NOTE: If you have questions about Syslog Redirect and how this protocol works, you can discuss this protocol in our forums. The image above is a representation and does not include the actual regex or format string values required for a proper workaround for all administrators.


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GnfdAAC","label":"QRadar->Events->Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3;7.4","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
01 April 2020