Collect Symantec Endpoint Protection logs


This document explains how to ingest Symantec Endpoint Protection logs into Google Security Operations using Bindplane. The parser processes logs in SYSLOG or KV format. It first extracts the event timestamp, which can appear in several formats within the log data, and only when that extraction succeeds does it hand the event to a separate configuration file (sep_pt2.include) for further parsing and structuring.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance
  • Windows 2016 or later, or a Linux host with systemd
  • If running behind a proxy, the required firewall ports are open
  • Privileged access to the Symantec Endpoint Protection platform

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the port and IP address as required
            listen_address: 0.0.0.0:514
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: 'SEP'
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Syslog in Symantec Endpoint Protection

  1. Sign in to your Symantec Endpoint Protection Manager web UI.
  2. Click the Admin icon.
  3. Locate the View Servers section, and click Servers.
  4. Click Local Site > Configure External Logging.
  5. Select the Enable Transmission of Logs to a Syslog Server checkbox.
  6. Provide the following configuration details:
    • Syslog Server: Enter the Bindplane IP address.
    • UDP Destination Port: Enter the Bindplane port number (for example, 514 for UDP).
    • Log Facility: Enter Local6.
    • Select the Audit Logs checkbox.
    • Select the Security Logs checkbox.
    • Select the Risks checkbox.
  7. Click OK.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| Action | security_result.action | The value is taken from the Action field in the raw log and mapped to a UDM action. |
| Action Type | security_result.action_details | The value is taken from the Action Type field in the raw log. |
| Admin | | |
| Allowed application reason | security_result.action_details | The value is taken from the Allowed application reason field in the raw log. |
| Application | principal.process.command_line | The value is taken from the Application field in the raw log. |
| Application hash | target.file.sha256 | The value is taken from the Application hash field in the raw log. |
| Application name | target.application | The value is taken from the Application name field in the raw log. |
| Application type | target.resource.attribute.labels.value | The value is taken from the Application type field in the raw log. The key is hardcoded to Application Type. |
| Application version | target.application.version | The value is taken from the Application version field in the raw log. |
| Begin | | |
| Begin Time | extensions.vulns.vulnerabilities.scan_start_time | The value is taken from the Begin Time field in the raw log. |
| Begin: | extensions.vulns.vulnerabilities.scan_start_time | The value is taken from the Begin: field in the raw log. |
| Category | principal.resource.attribute.labels.value | The value is taken from the Category field in the raw log. The key is hardcoded to Category. |
| Category set | security_result.category | The value is taken from the Category set field in the raw log and mapped to a UDM category. |
| Category type | security_result.category_details | The value is taken from the Category type field in the raw log. |
| CIDS Signature ID | | |
| CIDS Signature string | security_result.summary | The value is taken from the CIDS Signature string field in the raw log. |
| CIDS Signature SubID | | |
| Client Policy | | |
| Command | | |
| Computer | target.hostname | The value is taken from the Computer field in the raw log. |
| Computer name | principal.hostname | The value is taken from the Computer name field in the raw log. |
| Confidence | security_result.confidence_details | The value is taken from the Confidence field in the raw log. |
| data | | |
| Description | security_result.action_details | The value is taken from the Description field in the raw log. |
| Description: | security_result.action_details | The value is taken from the Description: field in the raw log. |
| Detection score | | |
| Detection Submissions No | | |
| Detection type | security_result.summary | The value is taken from the Detection type field in the raw log. |
| Device ID | target.asset.hostname | The value is taken from the Device ID field in the raw log. |
| Disposition | security_result.action | The value is taken from the Disposition field in the raw log and mapped to a UDM action. |
| Domain | principal.administrative_domain | The value is taken from the Domain field in the raw log. |
| Domain Name | principal.administrative_domain | The value is taken from the Domain Name field in the raw log. |
| Domain Name: | principal.administrative_domain | The value is taken from the Domain Name: field in the raw log. |
| Downloaded by | principal.process.file.full_path | The value is taken from the Downloaded by field in the raw log. |
| Download site | | |
| Duration (seconds) | extensions.vulns.vulnerabilities.scan_end_time | The value is taken from the Duration (seconds) field in the raw log and added to the scan start time. |
| End | | |
| End Time | extensions.vulns.vulnerabilities.scan_end_time | The value is taken from the End Time field in the raw log. |
| End Time: | extensions.vulns.vulnerabilities.scan_end_time | The value is taken from the End Time: field in the raw log. |
| End: | extensions.vulns.vulnerabilities.scan_end_time | The value is taken from the End: field in the raw log. |
| Event Description | metadata.description | The value is taken from the Event Description field in the raw log. |
| Event Description: | metadata.description | The value is taken from the Event Description: field in the raw log. |
| Event Insert Time | | |
| Event time | metadata.event_timestamp | The value is taken from the Event time field in the raw log. |
| Event time: | metadata.event_timestamp | The value is taken from the Event time: field in the raw log. |
| Event Type | metadata.product_event_type | The value is taken from the Event Type field in the raw log. |
| Event Type: | metadata.product_event_type | The value is taken from the Event Type: field in the raw log. |
| File path | target.file.full_path | The value is taken from the File path field in the raw log. |
| File path: | target.file.full_path | The value is taken from the File path: field in the raw log. |
| File size (bytes) | target.file.size | The value is taken from the File size (bytes) field in the raw log. |
| First Seen | security_result.action_details | The value is taken from the First Seen field in the raw log. |
| First Seen: | security_result.action_details | The value is taken from the First Seen: field in the raw log. |
| Group | principal.group.group_display_name | The value is taken from the Group field in the raw log. |
| Group Name | principal.group.group_display_name | The value is taken from the Group Name field in the raw log. |
| Group Name: | principal.group.group_display_name | The value is taken from the Group Name: field in the raw log. |
| Hash type | target.resource.attribute.labels.value | The value is taken from the Hash type field in the raw log. The key is hardcoded to Hash Type. |
| Intensive Protection Level | | |
| Intrusion ID | | |
| Intrusion Payload URL | | |
| Intrusion URL | | |
| IP Address | principal.ip | The value is taken from the IP Address field in the raw log. |
| IP Address: | principal.ip | The value is taken from the IP Address: field in the raw log. |
| Last update time | | |
| Local Host | principal.ip | The value is taken from the Local Host field in the raw log. |
| Local Host IP | principal.ip | The value is taken from the Local Host IP field in the raw log. |
| Local Host MAC | principal.mac | The value is taken from the Local Host MAC field in the raw log. |
| Local Port | principal.port | The value is taken from the Local Port field in the raw log. |
| Location | | |
| MD-5 | | |
| Occurrences | security_result.about.resource.attribute.labels.value | The value is taken from the Occurrences field in the raw log. The key is hardcoded to Occurrences. |
| Permitted application reason | security_result.action_details | The value is taken from the Permitted application reason field in the raw log. |
| Prevalence | security_result.description | The value is taken from the Prevalence field in the raw log. |
| Remote path | target.file.full_path | The value is taken from the Remote file path field in the raw log. |
| Remote Host IP | target.ip | The value is taken from the Remote Host IP field in the raw log. |
| Remote Host MAC | target.mac | The value is taken from the Remote Host MAC field in the raw log. |
| Remote Hostname | target.hostname | The value is taken from the Remote Host Name field in the raw log. |
| Remote Port | target.port | The value is taken from the Remote Port field in the raw log. |
| Requested action | security_result.action | The value is taken from the Requested action field in the raw log and mapped to a UDM action. |
| Risk Level | security_result.severity | The value is taken from the Risk Level field in the raw log and mapped to a UDM severity. |
| Risk name | security_result.threat_name | The value is taken from the Risk name field in the raw log. |
| Risk type | security_result.detection_fields.value | The value is taken from the Risk type field in the raw log. The key is hardcoded to Risk Type. |
| Rule | principal.resource.name | The value is taken from the Rule field in the raw log. |
| Rule: | principal.resource.name | The value is taken from the Rule: field in the raw log. |
| Scan ID | extensions.vulns.vulnerabilities.name | The value is taken from the Scan ID field in the raw log. |
| Scan ID: | extensions.vulns.vulnerabilities.name | The value is taken from the Scan ID: field in the raw log. |
| Scan Type | | |
| Secondary action | target.resource.attribute.labels.value | The value is taken from the Secondary action field in the raw log. The key is hardcoded to Secondary action. |
| Security risk found | metadata.description | The value is taken from the Security risk found field in the raw log. |
| Server | intermediary.hostname | The value is taken from the Server field in the raw log. |
| Server Name | intermediary.hostname | The value is taken from the Server Name field in the raw log. |
| Server Name: | intermediary.hostname | The value is taken from the Server Name: field in the raw log. |
| SHA-256 | principal.process.file.sha256 | The value is taken from the SHA-256 field in the raw log. |
| Site | additional.fields.value.string_value | The value is taken from the Site field in the raw log. The key is hardcoded to Site Name. |
| Site Name | additional.fields.value.string_value | The value is taken from the Site Name field in the raw log. The key is hardcoded to Site Name. |
| Site: | additional.fields.value.string_value | The value is taken from the Site: field in the raw log. The key is hardcoded to Site Name. |
| Source | metadata.product_event_type | The value is taken from the Source field in the raw log and appended to the hardcoded string "Security risk found -". |
| Source computer | | |
| Source computer: | | |
| Source IP | | |
| Source IP: | | |
| Source: | metadata.product_event_type | The value is taken from the Source: field in the raw log and appended to the hardcoded string "Security risk found -". |
| ts | metadata.event_timestamp | The value is taken from the ts field in the raw log. |
| URL Tracking Status | | |
| User | principal.user.userid | The value is taken from the User field in the raw log. |
| User Name | principal.user.userid | The value is taken from the User Name field in the raw log. |
| User Name: | principal.user.userid | The value is taken from the User Name: field in the raw log. |
| Web domain | | |
| | metadata.description | If the raw log contains the string "The client has downloaded", the description is set to "The client has downloaded {target file name}". If the raw log contains the string "The management server received", the description is set to "The management server received the client log successfully". Otherwise, the description is set to the value of the Event Description field in the raw log. |
| | metadata.event_type | The event type is determined by the parser logic based on the content of the raw log. |
| | metadata.log_type | The log type is hardcoded to SEP. |
| | metadata.product_name | The product name is hardcoded to SEP. |
| | metadata.vendor_name | The vendor name is hardcoded to Symantec. |
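As an added illustration, not the Google SecOps parser or its include files, the following Python sketch applies a handful of rules from the table above to a constructed SEP-style syslog line: verbatim field copies, label fields with hardcoded keys, the Source prefix, and the scan end time derived from Begin plus Duration (seconds). The sample log and the Low/Medium/High severity table are assumptions, since the page does not list them; the result is handy for predicting what a UDM event should contain before checking it in the console.

```python
from datetime import datetime, timedelta

# Constructed sample (not a real capture): a SEP risk event in the
# comma-separated "Key: value" shape SEPM emits over syslog, using field
# names from the mapping table.
SAMPLE_LOG = (
    "Jan  9 10:15:30 sepm01 SymantecServer: Security risk found,"
    "Site: HQ,Server Name: sepm01,Computer name: WS-042,"
    "IP Address: 10.20.30.40,Domain Name: CORP,User Name: jdoe,"
    "Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,"
    "File path: C:\\Temp\\eicar.com,File size (bytes): 68,"
    "Event time: 2025-01-09 10:15:29,Begin: 2025-01-09 10:10:00,"
    "Duration (seconds): 90,Risk Level: High"
)

# Fields copied verbatim into one UDM path (rows of the table above).
DIRECT = {
    "Server Name": "intermediary.hostname",
    "Computer name": "principal.hostname",
    "IP Address": "principal.ip",
    "Domain Name": "principal.administrative_domain",
    "User Name": "principal.user.userid",
    "Risk name": "security_result.threat_name",
    "File path": "target.file.full_path",
    "File size (bytes)": "target.file.size",
    "Event time": "metadata.event_timestamp",
    "Begin": "extensions.vulns.vulnerabilities.scan_start_time",
}
# Fields stored as a label with a hardcoded key.
LABELLED = {
    "Site": ("additional.fields", "Site Name"),
    "Occurrences": ("security_result.about.resource.attribute.labels", "Occurrences"),
}
# Assumed severity table: the page only says "mapped to a UDM severity".
SEVERITY = {"Low": "LOW", "Medium": "MEDIUM", "High": "HIGH"}
TS = "%Y-%m-%d %H:%M:%S"


def parse_kv(line: str) -> dict:
    """Split the syslog body into {label: value}; a bare leading token is the message."""
    body = line.split("SymantecServer: ", 1)[1]
    fields = {}
    for part in body.split(","):
        label, sep, value = part.partition(": ")  # first ": " only; keeps "C:\..." intact
        if sep:
            fields[label.strip()] = value.strip()
        else:
            fields.setdefault("_message", part.strip())
    return fields


def map_to_udm(fields: dict) -> dict:
    """Apply the documented mapping rules; keys are UDM field paths."""
    udm = {"metadata.log_type": "SEP", "metadata.product_name": "SEP",
           "metadata.vendor_name": "Symantec"}  # hardcoded per the table
    for label, path in DIRECT.items():
        if label in fields:
            udm[path] = fields[label]
    for label, (path, key) in LABELLED.items():
        if label in fields:
            udm.setdefault(path, []).append({"key": key, "value": fields[label]})
    if "Source" in fields:  # Source is appended to the hardcoded prefix
        udm["metadata.product_event_type"] = "Security risk found - " + fields["Source"]
    if "Risk Level" in fields:
        udm["security_result.severity"] = SEVERITY.get(fields["Risk Level"], "UNKNOWN_SEVERITY")
    if "Begin" in fields and "Duration (seconds)" in fields:
        # Duration (seconds) is added to the scan start time to derive scan_end_time
        start = datetime.strptime(fields["Begin"], TS)
        end = start + timedelta(seconds=int(fields["Duration (seconds)"]))
        udm["extensions.vulns.vulnerabilities.scan_end_time"] = end.strftime(TS)
    return udm


if __name__ == "__main__":
    for path, value in sorted(map_to_udm(parse_kv(SAMPLE_LOG)).items()):
        print(f"{path}: {value}")
```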

Changes

2025-01-09

Enhancement:

  • If the Actual action value is Left alone, changed the mapping of security_result.action from BLOCK to UNKNOWN_ACTION.
  • Changed mapping of computer from intermediary.hostname to principal.hostname and principal.asset.hostname.
  • Changed mapping of syslogServer from principal.hostname to intermediary.hostname.

2024-12-12

Enhancement:

  • Added a Grok pattern to parse new format of syslog logs.
  • Mapped anvpap-srv1 to intermediary.hostname.
  • Mapped SymantecServer to principal.hostname.
  • Mapped Remote Host Name to target.hostname.
  • Mapped Remote Port to target.port.
  • Mapped Remote Host IP to target.ip.
  • Mapped Local Port to principal.port.
  • Mapped Remote Host MAC to principal.mac.
  • Mapped ICMP to network.ip_protocol.
  • Mapped Inbound to network.direction.
  • Mapped Application to principal.process.file.full_path.
  • Mapped Rule to security_result.rule_name.
  • Mapped Action to security_result.action.
  • Mapped SHA-256 to principal.process.file.sha256.

2024-11-21

Enhancement:

  • Added gsub to parse new pattern of logs.
  • Added a Grok pattern to event_description to parse the fields.
  • Mapped File to principal.process.file.full_path.
  • Mapped Size to principal.process.file.size.

2024-11-07

Enhancement:

  • Mapped SITE_NAME and SOURCE to additional.fields.
  • Mapped SOURCE to security_result.description.

2024-10-25

Enhancement:

  • Mapped SCAN_ID, CATEGORY_DESC, CLIENT_TYPE, DETECTION_TYPE, HELP_VIRUS_IDX, HPP_APP_TYPE, IDX, LAST_LOG_SESSION_GUID, SITE_TYPE, UUID, VBIN_ID, and VIRUS_TYPE to additional.fields.
  • Mapped USER_DOMAIN_NAME to target.administrative_domain.
  • Mapped COMPUTER_DOMAIN_NAME to principal.administrative_domain.
  • Mapped IP_ADDR1 to src.ip.
  • Mapped SOURCE_COMPUTER_NAME to src.asset.hostname and src.hostname.
  • Mapped COMPUTER_NAME to principal.asset.hostname and principal.hostname.
  • Mapped OPERATION_SYSTEM to principal.asset.platform_software.platform.
  • Mapped SERVICE_PACK to principal.asset.platform_software.platform_version.
  • Mapped SOURCE_COMPUTER_IP to principal.ip and principal.asset.ip.
  • Mapped ALERT to metadata.product_event_type.
  • Mapped USER_NAME to principal.user.userid.
  • Mapped BIOS_SERIALNUMBER to principal.asset.hardware.serial_number.
  • Mapped ACTUALACTION to security_result.action_details.
  • Mapped VIRUSNAME to security_result.threat_name.
  • Mapped NOOFVIRUSES to security_result.verdict_info.malicious_count.
  • Mapped SOURCE, DESCRIPTION, REQUESTEDACTION to security_result.detection_fields.
  • Mapped CLIENT_GROUP to principal.group.group_display_name.
  • Mapped downloader to principal.process.file.full_path.

2024-10-24

Enhancement:

  • Added support to parse logs with logType as IPS, Network Intrusion Protection System, REP, Memory Exploit Mitigation System, and NTR.

2024-10-08

Enhancement:

  • Added support for new format of syslog logs.

2024-09-23

Enhancement:

  • Changed mapping of rule_name from principal.resource.name to security_result.rule_name.
  • Removed mapping of principal.resource.resource_type as FIREWALL_RULE.
  • Changed mapping of security_result.category from ACL_VIOLATION to UNKNOWN_CATEGORY.

2024-09-11

Enhancement:

  • Added support for array-type logs.

2024-08-08

Enhancement:

  • Mapped REQUESTEDACTION to security_result.action_details.
  • Mapped SECONDARYACTION, ACTUALACTION, VIRUSNAME, and NOOFVIRUSES to security_result.detection_fields.
  • Mapped SOURCE to additional.fields.
  • Mapped HPP_APP_HASH to target.file.sha256.
  • Mapped HPP_APP_NAME to target.file.names.
  • Mapped FILEPATH to target.file.full_path.
  • Mapped CLIENT_GROUP to target.user.group_identifiers.

2024-06-07

Enhancement:

  • Added support for KV-format logs.

2024-05-27

Enhancement:

  • Changed the mapping of target_file_name from target.file.full_path to target.file.names.

2023-11-28

Bug fix:

  • When event_time is present, mapped it to datetime.

2023-11-08

Bug fix:

  • Removed mapping of ServerName to target.asset.hostname and mapped it to intermediary.hostname.
  • When Actualaction is Cleaned, mapped security_result.action to BLOCK and is_significant to false.
  • Added Grok pattern to parse the unparsed logs with varying patterns.
  • Mapped type, utility-sub-type, lang, service-sandbox-type, mojo-platform-channel-handle, field-trial-handle, disable-features to security_result.detection_fields.
  • Mapped target_arguments to read_only_udm.additional.fields.
  • Mapped user-data-dir to sec_result.about.file.full_path.
  • Mapped security-realm to security_result.summary.
  • Mapped startup-url to principal.url.
  • Mapped source_ip to target.ip.
  • Mapped action_word to security_result.action_details.

2023-10-12

Bug fix:

  • Added Grok pattern to parse the unparsed logs with varying patterns.

2023-04-21

Bug fix:

  • Changed intermediate variable names in the include files.
  • Mapped security_result.rule_name for File related events.

2023-04-10

Enhancement:

  • Handled the dropped logs with the logType File Read, File Write, File Delete, or Registry Write.
  • Mapped payload.domain_name to principal.administrative_domain.
  • Added null check for payload.device_id and event_description.

2023-01-21

Enhancement:

  • Added a conditional check for targetComputerName and event_description1.
  • Added an on_error check for file_full_path, GroupName, and ServerName.
  • Mapped Applicationtype to principal.resource.attribute.labels.
  • Mapped mail to target.user.email_addresses.
  • Mapped server_name_1 to principal.hostname.
  • For logtype SEC:
    • Mapped computer to principal.hostname.
    • Mapped syslogServer to intermediary.hostname.
    • Mapped event_description to metadata.description.
  • Added a for loop for the log types SONAR, CVE, and SEC.

2022-11-24

Enhancement:

  • Added Grok pattern to parse logs containing SONAR detection now allowed.

2022-11-15

Enhancement:

  • Added Grok pattern to parse failed logs of type Virus Found and SONAR Scan.
  • Added conditional check for Categorytype.

2022-10-25

Enhancement:

  • Mapped EventDescription to metadata.description.
  • Mapped LocalHostIP, IPAddress, and source_ip to principal.ip.
  • Mapped LocalHostMAC to principal.mac.
  • Mapped computer to principal.hostname.
  • Mapped guid to principal.asset.asset_id.
  • Mapped DeviceID to principal.resource.product_object_id.
  • Mapped Filesize to target.file.size.
  • Mapped SHA256 to target.file.sha256.
  • Mapped User1 to principal.user.userid.
  • Mapped file_path to target.file.full_path.
  • Mapped GroupName to principal.group.group_display_name.
  • Mapped action_word to security_result.action_details.
  • Mapped Begin to vulnerabilities.scan_start_time.
  • Mapped EndTime to vulnerabilities.scan_end_time.
  • Mapped ScanID to principal.process.product_specific_process_id.
  • Mapped inter_host to intermediary.hostname.
  • Mapped inter_ip to intermediary.ip.
  • Mapped ActionType to additional.fields.
  • Mapped Rule to security_result.rule_name.

2022-10-10

Enhancement:

  • Mapped category to security_result.category_details.
  • Mapped CIDS Signature ID to target.resource.attribute.labels.
  • Mapped CIDS Signature SubID to target.resource.attribute.labels.
  • Mapped CIDS Signature string to target.resource.attribute.labels.
  • Mapped Intrusion URL to principal.url.
  • Mapped User Name to principal.user.userid.
  • Mapped Actual action to security_result.action_details.
  • Mapped Application hash to target.file.sha256.
  • Mapped Application name to target.application.
  • Mapped Application type to target.resource.attribute.labels.
  • Mapped Certificate issuer to network.tls.server.certificate.issuer.
  • Mapped Certificate serial number to network.tls.server.certificate.serial.
  • Mapped Certificate signer to network.tls.server.certificate.subject.
  • Mapped Certificate thumbprint to network.tls.server.certificate.sha256.
  • Mapped Secondary action to target.resource.attribute.labels.
  • Mapped First Seen to security_result.detection_fields.
  • Mapped Risk Name to security_result.detection_fields.
  • Mapped Risk Type to security_result.detection_fields.
  • Mapped Permitted application reason to security_result.detection_fields.
  • Mapped Company name to target.user.company_name.
  • Mapped Computer name to principal.hostname.
  • Mapped Server Name to principal.asset.network_domain.
  • Mapped Confidence to security_result.description.
  • Mapped Detection Type to security_result.summary.
  • Mapped Group Name to principal.group.group_display_name.
  • Mapped Risk Level to security_result.severity_details.
  • Mapped File size (bytes) to target.file.size.

2022-09-21

Enhancement:

  • Migrated custom parsers to default parser.

2022-08-12

Enhancement:

  • Modified Grok pattern to parse the logs.
  • Handled the dropped logs and mapped them to valid event_types.
  • Dropped logs with the following logType values are now handled: REP, SubmissionsMan, SYLINK, IPS, SONAR, SEC, CVE, and LiveUpdate Manager, as well as messages related to definition updates and antivirus detection submission.
  • Added new conditions for msg1 matching Create Process|GUP|RebootManager|Smc|WSS|Network Intrusion|Mitigation System.
  • Handled event_description matching client-server activity logs|Got a valid certificate.|Replication .*from remote site|The database|received the client log successfully.
  • Added a new code block so that logs with logType REP, SONAR, CVE, GUP, Smc, or WSS are parsed.
  • Changed event type from GENERIC_EVENT to STATUS_UPDATE, USER_UNCATEGORIZED, NETWORK_CONNECTION, STATUS_UNCATEGORIZED wherever possible.
  • Mapped eventDescription to metadata.description.
  • Mapped hostName to principal.hostname.
  • Mapped machineDomainName to principal.administrative_domain.
  • Mapped domainName to target.administrative_domain.
  • Mapped serverName to intermediary.hostname.
  • Mapped userName to principal.user.userid.
  • Mapped siteName to read_only_udm.additional.fields.

2022-07-26

Enhancement:

  • For logs that have messageTmp as Site, mapped the following fields:
    • Mapped eventDescription to metadata.description.
    • Mapped hostName to target.hostname.
    • Mapped machineDomainName to target.administrative_domain.
    • Mapped domainName to principal.administrative_domain.
    • Mapped serverName to principal.hostname.
    • Mapped userName to principal.user.userid.
    • Mapped siteName to read_only_udm.additional.fields.

2022-05-11

Enhancement:

  • Parsed Event Timestamp log entries with the format yyyy-MM-dd HH:mm:ss.
