Help - Symantec Endpoint Manager 11.x -> MARS integration
I'm at a loss here. I have raw messages that, regardless of whether a keyword rule or a custom parser is created to handle them, MARS simply ignores as parsing errors. MARS has built-in support for Symantec AV 10 and lower but nothing for version 11. Is this going to change in the near future, and has anyone else run into this problem and been able to create a custom parser to deal with the messages (specifically Virus Found alerts coming from the endpoint manager)?
Here is an example of the actual text I am trying to work with.
Parsing error or event type unknown: <54>Sep 26 00:37:22 SymantecServer HOSTNAME123: Virus found,Computer name: HOSTNAME123,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,Group: Global\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,Source computer: ,Source IP: 0.0.0.0
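The message quoted above has a fixed syslog header followed by a comma-separated body in which most items are "Label: value" and two (the infected file path and an empty quoted item) carry no label. The parser below is an added example, not code from the post, from MARS or from Symantec; the names given to the two unlabelled items and the sample line (built from the post, with the same masked hostnames and user) are assumptions.

```python
import re
from typing import Optional

# Constructed sample, modelled on the message quoted in the post (hostnames and users masked as there).
SAMPLE = (
    '<54>Sep 26 00:37:22 SymantecServer HOSTNAME123: Virus found,Computer name: HOSTNAME123,'
    'Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,'
    'C:/Documents and Settings/XXXXXX/Desktop/eicar_com.txt,"",Actual action: Cleaned by deletion,'
    'Requested action: Cleaned,Secondary action: Quarantined,Event time: 2008-09-26 00:32:54,'
    'Inserted: 2008-09-26 00:37:22,End: 2008-09-26 00:32:54,Domain: XXX.local,'
    'Group: Global\\Sec Servers,Server: HOSTNAME123,User: XXXXXXXX,Source computer: ,Source IP: 0.0.0.0'
)

# Syslog header as it appears in the post: <PRI>Mon DD hh:mm:ss <syslog host> <SEP server tag>: <body>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$'
)
# Assumed meaning of the two unlabelled body items, in order of appearance (an assumption, not SEP documentation).
POSITIONAL_NAMES = ('file_path', 'unlabelled_quoted')


def parse_sep_virus_event(line: str) -> Optional[dict]:
    """Return the fields of a SEP 11 'Virus found' line as a dict, or None if the line is not one.

    The body is comma-separated; most items are 'Label: value', two carry no label (the
    infected file path and an empty quoted item). A literal comma inside a value would
    upset the item count, so such a line is rejected rather than silently mis-parsed.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    items = m.group('body').split(',')
    if items[0] != 'Virus found':
        return None
    event = {'priority': int(m.group('pri')), 'syslog_time': m.group('ts'),
             'syslog_host': m.group('host'), 'sep_server': m.group('tag'), 'event': items[0]}
    positional = []
    for item in items[1:]:
        label, sep, value = item.partition(': ')
        if sep:                       # 'Label: value'; value may be empty ('Source computer: ')
            event[label] = value
        else:                         # unlabelled item: the file path or the '""' placeholder
            positional.append(item.strip('"'))
    if len(positional) != len(POSITIONAL_NAMES):
        return None                   # unexpected layout, e.g. a comma inside a value
    event.update(zip(POSITIONAL_NAMES, positional))
    return event
```

A line that does not match the header or whose first body item is not "Virus found" yields None, so it can be counted as unparsed rather than mislabelled, which is the behaviour a custom parser should preserve.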
Re: Help - Symantec Endpoint Manager 11.x -> MARS integration
I see a previous post that summed it up. There is no support for SEP 11.x in CS-MARS... This is very disappointing. If anyone has any information on making this work via a custom parser, please post a reply. I and many others would be most grateful.