Cisco Support Community

New Member

Help - Symantec Endpoint Manager 11.x -> MARS integration

I'm at a loss here. I have raw messages that, regardless of whether a keyword rule or a custom parser is created to handle them, MARS simply ignores as parsing errors. MARS has built-in support for Symantec AV 10 and lower but nothing for version 11. Is this going to change in the near future, and has anyone else run into this problem and been able to create a custom parser to deal with the messages (specifically Virus Found alerts coming from the Endpoint Manager)?

Here is an example of the actual text I am trying to work with...

Parsing error or event type unknown: <54>Sep 26 00:37:22 SymantecServer HOSTNAME123: Virus found,Computer name: HOSTNAME123,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,Group: Global\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,Source computer: ,Source IP:
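As an added example (not code from the thread, Cisco, or Symantec), here is a small Python parser for the SEP 11 "Virus found" syslog format quoted above, so the fields can at least be normalized for a SIEM rule outside MARS. The sample line is constructed from the post with the same redactions, and the generic key names in normalize() are my own choice.

```python
import re

# Constructed sample, modelled on the message quoted in the post above.
SAMPLE = (
    r'<54>Sep 26 00:37:22 SymantecServer HOSTNAME123: Virus found,Computer name: HOSTNAME123,Source: Real Time Scan,'
    r'Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",'
    r'Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,'
    r'Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,Group: Global\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,Source computer: ,Source IP:'
)

# RFC 3164 style header as SEP 11 emits it: <PRI>timestamp relay host: body
HEADER = re.compile(r'^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$')
# A labelled field is "Label: value" or a bare trailing "Label:". A path such as
# "C:/..." has no space after its colon, so it falls through as a positional value.
FIELD = re.compile(r'^([A-Za-z][A-Za-z ]*?):(?: (.*))?$')

def parse_sep_syslog(line: str) -> dict:
    """Split an SEP 11 'Virus found' syslog line into header and body fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an SEP syslog line")
    pri = int(m.group(1))
    event = {
        "facility": pri >> 3, "severity": pri & 7,        # RFC 3164 PRI decoding
        "timestamp": m.group(2), "relay": m.group(3), "host": m.group(4),
    }
    # Caveat: SEP does not quote the path, so a comma inside it would also split here.
    parts = m.group(5).split(",")
    event["event"] = parts[0]
    positional = []
    for part in parts[1:]:
        f = FIELD.match(part)
        if f:
            event[f.group(1)] = f.group(2) or ""
        else:
            positional.append(part.strip('"'))
    event["positional"] = positional                      # e.g. [file path, ""]
    return event

def normalize(event: dict) -> dict:
    """Map SEP field names onto the generic keys a SIEM rule would key on (assumed names)."""
    positional = event.get("positional") or [""]
    return {
        "host": str(event.get("Computer name", "")),
        "user": str(event.get("User", "")),
        "threat": str(event.get("Risk name", "")),
        "file": str(positional[0]),
        "action": str(event.get("Actual action", "")),
    }
```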

New Member

Re: Help - Symantec Endpoint Manager 11.x -> MARS integration

I see a previous post that summed it up. There is no support for SEP 11.x in CS-MARS... This is very disappointing. If anyone has any information on making this work via a custom parser, please post a reply. I and many others would be most grateful.