Syslog servers have a number of syslog message facilities, and each facility has a name and number associated with it (as indicated in the list below). Most products allow you to specify the facility by name, i.e. local0, local1, etc. However, there are a number of products, such as Symantec Endpoint Protection, that use the number associated with the facility instead of the name. So if you use the list below as a guide and configure SEP with 22 for the logging facility, you will want to configure the Symantec Endpoint Protection connector within LEM with the /var/log/local6.log Log File path.
The list of Facilities available:
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
Hopefully this helps clarify things and doesn’t cause additional confusion.
And to answer the second part of your question, no, you will not need to configure multiple Symantec Endpoint Protection connectors as the single connector configured to read from /var/log/local6.log will read the logs checked in Step 7 of “To configure Symantec Endpoint Protection to log to your LEM appliance” section of our KB article.
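Added example (not from the original post, nor SolarWinds or Symantec code): how a syslog receiver gets from the facility number SEP was configured with (22) to the local6 name, by decoding the <PRI> prefix of a message, which is facility * 8 + severity. The /var/log/localN.log path is the convention described in the post, and the sample line and hostname are constructed.

```python
import re

# Facility numbers and descriptions, copied from the list in the post above.
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization messages",
    5: "messages generated internally by syslogd", 6: "line printer subsystem",
    7: "network news subsystem", 8: "UUCP subsystem", 9: "clock daemon",
    10: "security/authorization messages", 11: "FTP daemon", 12: "NTP subsystem",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
# Facilities 16-23 are the "local use" facilities local0..local7.
FACILITIES.update({16 + n: f"local use {n} (local{n})" for n in range(8)})

# Severity is the low three bits of PRI, 0 = emergency .. 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def facility_name(number):
    """Short name for local0..local7 (the names the list gives), else the list's description."""
    if 16 <= number <= 23:
        return f"local{number - 16}"
    if number in FACILITIES:
        return FACILITIES[number]
    raise ValueError(f"facility {number} is outside the 0-23 range")


def decode_pri(pri):
    """Split a syslog PRI value into (facility number, severity name): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range (0-191)")
    return pri >> 3, SEVERITIES[pri & 7]


def log_file_for(message):
    """Parse the <PRI> prefix of a raw syslog line and map a local-use facility to the
    /var/log/localN.log path from the post (assumed convention, not an LEM guarantee)."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> prefix found")
    facility, severity = decode_pri(int(m.group(1)))
    if not 16 <= facility <= 23:
        raise ValueError(f"facility {facility} ({facility_name(facility)}) is not local use")
    return f"/var/log/{facility_name(facility)}.log", severity


# Constructed sample: a SEP-style line sent with facility 22 (local6) at severity info (6): 22*8 + 6 = 182.
SAMPLE = "<182>Aug 15 10:32:07 sepm01 SymantecServer: Site: Default,Server: sepm01,Event: test"

if __name__ == "__main__":
    print(log_file_for(SAMPLE))  # ('/var/log/local6.log', 'info')
```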
So, following that guide... I was on SEP Manager, the central mgmt console... went to Admin, and I'm not seeing a server entry.
When I go to the SEP client... I'm not seeing an Admin entry to even start....
Has this changed in SEP 12?
I wouldn't put it past Symantec to change things, this was the first iteration of their syslog stuff. You'd be the first mention of it and we know we have other SEP customers.
Here's what I found for SEP and syslog in the Symantec KB, which seems to match up with the instructions we have, but is phrased a little differently: http://www.symantec.com/business/support/index?page=content&id=HOWTO55417&actp=search&viewlocale=en_US&searchid=1345045315966
The KB claims to be accurate to that version (12.1), I found a different but seemingly identical article for 11.x.
Wow, that's not helpful at all (the doc vs. the UI, I mean - the screenshot WAS helpful).
- Is there an installed console on the AV server by chance that they could be referring to? (Some AV vendors do both, a fat client install and then the web client you can access from anywhere)
- The documentation lies. I'd look in "Monitors" and "Reports" and see if you can find anything related to syslog/logging by chance.
Wish I could help more specifically, I couldn't find ANYTHING in their documentation. There doesn't seem to be a manual-manual, just targeted guides (Enterprise Support - Symantec Corp. - Documentation), and if the KB/HowTos aren't accurate I'm not sure what we CAN trust.
This is all I get. I inherited this install so I'm not sure what options there were for management consoles. I can say I've only done previous versions of SEP, so perhaps v12.1 only allows the web console... which really isn't a web console... it's a webpage that seems to RDP or something in the browser window... it's very odd.
For kicks I tried the mgmt Server wizard again.... All it allows you to do is reconfigure the network ports, change the database name if you want to...
Nothing there about server/syslog configuration.
Perhaps it's because we don't use the embedded database but a SQL Server back-end?
The fix for me was to remove the account I was using in SEPM and add it back. That got the server and domain tabs back.
I've now made the changes to SEPM but I'm still debugging freezing issues with 5.4.