UDLA - Symantec EP
Symantec Endpoint Protection is an endpoint security solution built on a layered approach to defense. With its layered technology, it detects and removes more malware than any other product in its class. Fed by Symantec's global intelligence network, its Insight and SONAR technologies enable faster scans, more accurate detection, and higher performance while using fewer resources. From a single management console, Symantec Endpoint Protection provides advanced protection across multiple platforms, both physical and virtual.
Prerequisites
Symantec Endpoint Protection can be configured to store its event logs in a Microsoft SQL Server database rather than the embedded database; this log source collects only from a Microsoft SQL Server database. Collection requires:
- Universal Database Log Adapter (UDLA) Log Source
- A LogRhythm Agent to collect the logs
- Access to the Microsoft SQL database that Symantec Endpoint Protection uses for storing event logs
Before you begin the configuration procedure, identify the LogRhythm System Monitor Agent that will be used to collect the logs from Symantec Endpoint Protection.
Configure Symantec Endpoint Protection
Make available an account that the LogRhythm Agent will use to access the Microsoft SQL Server database. We recommend using or creating an account that has read-only access to the tables required for collection, rather than reusing the account Symantec Endpoint Protection Manager itself uses to write to the database or a server administrator login such as sa.
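The following is an added example, not part of the LogRhythm or Symantec documentation, showing one way to provision such a read-only collection account from the SQL Server side. It uses System.Data.SqlClient, which ships with Windows PowerShell, so no extra module is needed. The instance name SEPSQL01\SEPINST, the database name sem5 and the login name lr_sep_reader are assumptions; replace them with your own values.

```powershell
# Added example (not LogRhythm's or Symantec's code): create a read-only SQL login
# for the LogRhythm Agent. Assumed names: instance SEPSQL01\SEPINST, database sem5
# (the Symantec Endpoint Protection default), login lr_sep_reader.
$Instance = 'SEPSQL01\SEPINST'
$Database = 'sem5'
$Login    = 'lr_sep_reader'

# Prompt for the password so it never lands in a script file or shell history.
$Secure = Read-Host -Prompt "Password for $Login" -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))
# CREATE LOGIN cannot take a parameter for the password, so escape quotes by hand.
$Escaped = $Plain -replace "'", "''"

$Sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] WITH PASSWORD = N'$Escaped', CHECK_POLICY = ON;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
-- db_datareader grants SELECT on every table and view in this database and
-- nothing else. Tighten to GRANT SELECT on the specific tables once you know
-- which ones the imported UDLA query reads.
ALTER ROLE db_datareader ADD MEMBER [$Login];
"@

# Connect with the Windows credentials of the administrator running this script.
$Conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Database=master;Integrated Security=True")
try {
    $Conn.Open()
    $Cmd = $Conn.CreateCommand()
    $Cmd.CommandText = $Sql
    [void]$Cmd.ExecuteNonQuery()
    Write-Host "Created read-only login $Login on $Instance, database $Database"
}
finally {
    $Conn.Close()
    # Drop the plaintext copies as soon as they are no longer needed.
    $Plain = $null; $Escaped = $null; $Sql = $null
}
```

Run this once on a host that can reach the SQL Server instance as a login with server-level CREATE LOGIN rights and db_owner (or higher) on the SEP database. ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later; on older instances use sp_addrolemember instead. Grant the login nothing beyond read access: the Agent only ever issues SELECT statements against the log tables.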
Configure the ODBC Driver for Symantec™ Endpoint Protection (SEP)
LogRhythm accesses Symantec Endpoint Protection logs via an ODBC driver. Before configuring the UDLA log source in LogRhythm, the recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. SQL Server
- Company Name. Microsoft Corporation
- Version. 2000.85.1132.00
- Date. 4/13/2008
- Download Location. Pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You must use a LogRhythm System Monitor to collect the logs. The System Monitor does not need to reside on the Symantec Endpoint Protection server, but it must be able to establish a network ODBC (Open Database Connectivity) connection to the database. Create the DSN as a System DSN, not a User DSN: the System Monitor runs as a Windows service and cannot see DSNs created under your own user profile. ODBC DSNs are also bitness-specific, so create the DSN with the ODBC Data Source Administrator (32-bit or 64-bit) that matches the System Monitor agent process.
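As an added example, not from the LogRhythm or Symantec documentation, the script below creates the System DSN on the System Monitor host and then verifies, from the command line, that the collection account can connect through it and that it really is read-only, before you touch the LogRhythm Console. The DSN name SEP_sem5, the instance SEPSQL01\SEPINST, the database sem5, the login lr_sep_reader and the 32-bit platform setting are all assumptions; set them for your environment.

```powershell
# Added example (not LogRhythm's or Symantec's code): create the System DSN the
# Agent will use and test it. Assumed values: DSN SEP_sem5, instance
# SEPSQL01\SEPINST, database sem5, collection login lr_sep_reader.
$DsnName  = 'SEP_sem5'
$Instance = 'SEPSQL01\SEPINST'
$Database = 'sem5'
$Login    = 'lr_sep_reader'

# ODBC DSNs are bitness-specific: a 32-bit process only sees 32-bit DSNs.
# Set this ('32-bit' or '64-bit') to match the System Monitor agent process.
$Platform = '32-bit'

# Add-OdbcDsn (Wdac module, Windows 8 / Server 2012 and later) writes the same
# registry entries as odbcad32.exe. 'SQL Server' is the driver named on this page.
if (-not (Get-OdbcDsn -Name $DsnName -DsnType System -Platform $Platform -ErrorAction SilentlyContinue)) {
    Add-OdbcDsn -Name $DsnName -DriverName 'SQL Server' -DsnType System -Platform $Platform `
        -SetPropertyValue @("Server=$Instance", "Database=$Database", "Trusted_Connection=No")
}

# The DSN= form below is what replaces {DSN} on the UDLA Settings tab; UID and PWD
# belong there too unless the DSN uses Windows authentication.
$Secure = Read-Host -Prompt "Password for $Login" -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))
$ConnectionString = "DSN=$DsnName;UID=$Login;PWD=$Plain"

# Run the test from a PowerShell of the same bitness as the DSN
# (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for a 32-bit DSN).
$Conn = New-Object System.Data.Odbc.OdbcConnection($ConnectionString)
try {
    $Conn.Open()
    $Cmd = $Conn.CreateCommand()

    # Confirm we landed in the right database as the right login ...
    $Cmd.CommandText = 'SELECT DB_NAME() AS db, SUSER_SNAME() AS login'
    $Reader = $Cmd.ExecuteReader()
    [void]$Reader.Read()
    "Connected to database '{0}' as '{1}'" -f $Reader['db'], $Reader['login']
    $Reader.Close()

    # ... and that the collection account has no write or DDL rights.
    $Cmd.CommandText = @'
SELECT IS_ROLEMEMBER('db_owner')      AS is_owner,
       IS_ROLEMEMBER('db_datawriter') AS is_writer,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create
'@
    $Reader = $Cmd.ExecuteReader()
    [void]$Reader.Read()
    if ($Reader['is_owner'] -ne 0 -or $Reader['is_writer'] -ne 0 -or $Reader['can_create'] -ne 0) {
        Write-Warning 'Collection account has write or DDL rights; tighten it before going live.'
    } else {
        'Collection account is read-only.'
    }
    $Reader.Close()
}
finally {
    $Conn.Close()
    $Plain = $null; $ConnectionString = $null
}
```

If Open() fails with a "Data source name not found" error, the DSN was created for the other bitness or as a User DSN; if it fails with a login error, the account or its database mapping from the previous step is wrong. Only once this succeeds is it worth clicking Test in the LogRhythm Console, because the Console test exercises exactly the same DSN from the Agent's point of view.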
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Symantec Endpoint Protection XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
- Replace the connection string values with the values for your environment.
- Replace every sem5 placeholder with the name of your Symantec Endpoint Protection database (sem5 is the Symantec Endpoint Protection default; keep it only if your installation uses that name).
The name of the log message source is UDLA – Symantec SEP. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, do the following:
  - Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
  - In the Connection String box, replace {DSN} with the data source name of the System DSN you created for Symantec Endpoint Protection on the System Monitor host.
- To validate the current settings, click Test. If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.