Help - Symantec Endpoint Manager 11.x -> MARS integration

Sep 29th, 2008

I'm at a loss here. I have raw messages that MARS simply ignores as parsing errors, regardless of whether a keyword rule or a custom parser is created to handle them. MARS has built-in support for Symantec AV 10 and lower but nothing for version 11. Is this going to change in the near future, and has anyone else run into this problem and been able to create a custom parser to deal with the messages (specifically Virus Found alerts coming from the Endpoint Manager)?


Here is an example of the actual text I am trying to work with:


Parsing error or event type unknown: <54>Sep 26 00:37:22 SymantecServer HOSTNAME123: Virus found,Computer name: HOSTNAME123,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,Group: Global\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,Source computer: ,Source IP: 0.0.0.0

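The raw line above shows why a plain "Key: value" rule fails on this format: the body after the syslog header is comma-separated, but two of its cells (the file path and an empty quoted cell) carry no key at all. The following parser, written in Python for this page as an added example (it is not code from the original post, from Cisco or from Symantec), splits the syslog header off with a regex, reads the body as CSV so the quoted empty cell is handled, keeps the keyed cells in a dict and the unkeyed cells separately, decodes the <54> priority into facility and severity, and flags a "Virus found" event whose "Actual action" is not a remediation. The set of remediating actions, the "path" label for the first unkeyed cell, and the second sample line with "Left alone" are assumptions constructed for the example, not facts from the post.

```python
import csv
import re
from datetime import datetime
from io import StringIO

# Constructed sample: the raw line from the post above, exactly as MARS reported it.
SAMPLE = (
    'Parsing error or event type unknown: <54>Sep 26 00:37:22 SymantecServer HOSTNAME123: '
    'Virus found,Computer name: HOSTNAME123,Source: Real Time Scan,'
    'Risk name: EICAR Test String,Occurrences: 1,'
    'C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",'
    'Actual action: Cleaned by deletion,Requested action: Cleaned,'
    'Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,'
    'Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,'
    'Group: Global\\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,'
    'Source computer: ,Source IP: 0.0.0.0'
)
# Constructed variant (not from the post): the same event with the threat left in place.
SAMPLE_UNHANDLED = SAMPLE.replace('Actual action: Cleaned by deletion',
                                  'Actual action: Left alone')

MARS_PREFIX = 'Parsing error or event type unknown: '

# Syslog header as it appears in the sample: <PRI>Mmm dd HH:MM:SS SymantecServer <host>: <body>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<tag>\S+) (?P<host>[^:\s]+): (?P<body>.*)$',
    re.S,
)
# A "Key: value" cell: a short label of letters/spaces followed by ': '. A Windows
# path ("C:/...") has no space after the colon, so it falls through as an unkeyed cell.
KV_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z ]{0,30}): (?P<value>.*)$', re.S)
SEP_TIME = '%Y-%m-%d %H:%M:%S'


def parse_sep_event(line):
    """Parse one SEPM 11 syslog line into a dict of normalised fields."""
    line = line.strip()
    if line.startswith(MARS_PREFIX):          # accept the line as MARS printed it
        line = line[len(MARS_PREFIX):]
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a SEPM syslog line: %r' % line[:60])
    pri = int(m.group('pri'))
    # The body is CSV-like; csv turns the quoted empty cell ("") into '' for us.
    cells = next(csv.reader(StringIO(m.group('body'))))
    fields, unkeyed = {}, []
    for cell in cells[1:]:
        kv = KV_RE.match(cell)
        if kv:
            fields[kv.group('key')] = kv.group('value').strip()
        else:
            unkeyed.append(cell)
    event = {
        'syslog_facility': pri >> 3,          # RFC 3164: PRI = facility * 8 + severity
        'syslog_severity': pri & 7,
        'syslog_host': m.group('host'),
        'event_type': cells[0].strip(),       # e.g. "Virus found"
        'fields': fields,
        # Assumption: the first unkeyed cell is the file path. The post does not say
        # what the empty quoted cell after it carries, so it is kept unnamed.
        'path': unkeyed[0] if unkeyed else None,
        'unnamed': unkeyed[1:],
        'event_time': None,
    }
    if 'Event time' in fields:
        event['event_time'] = datetime.strptime(fields['Event time'], SEP_TIME)
    return event


# Assumption (not from the post): these "Actual action" values mean the file was
# neutralised. Anything else on a "Virus found" event deserves a rule that pages someone.
REMEDIATED_ACTIONS = {'Cleaned', 'Cleaned by deletion', 'Quarantined', 'Deleted'}


def needs_attention(event):
    """True when a detection was reported but the threat was not remediated."""
    if event['event_type'] != 'Virus found':
        return False
    return event['fields'].get('Actual action', '') not in REMEDIATED_ACTIONS


if __name__ == '__main__':
    for raw in (SAMPLE, SAMPLE_UNHANDLED):
        ev = parse_sep_event(raw)
        print(ev['event_type'], '|', ev['fields']['Risk name'], 'on',
              ev['fields']['Computer name'], '->', ev['fields']['Actual action'],
              '| needs attention:', needs_attention(ev))
```

Whatever MARS custom-parser syntax ends up expressing it, the split has to be the same: one pattern for the fixed syslog header, then a field-by-field walk of the body that tolerates cells without a key. A single regex that assumes every cell is "Key: value" will stop at the path cell, which is exactly where the sample line stops looking like a key/value list.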
chohman10a Mon, 09/29/2008 - 18:00

I see a previous post that summed it up. There is no support for SEP 11.x in CS-MARS... This is very disappointing. If anyone has any information on making this work via a custom parser, please post a reply. I and many others would be most grateful.
