---
title: Symantec Endpoint Protection
description: Gain insights into Symantec Endpoint Protection Logs.
breadcrumbs: Docs > Integrations > Symantec Endpoint Protection
---

# Symantec Endpoint Protection
**Integration version:** 1.3.0

Out-of-the-box dashboards: Symantec Endpoint Protection - Overview, Scan, Risk, Application Control, Security, System, and Traffic.
## Overview{% #overview %}

[Symantec Endpoint Protection](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/what-is-v45096464-d43e1648.html) is a client-server solution that protects laptops, desktops, and servers in your network against malware, risks, and vulnerabilities. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your client computers against known and unknown threats, such as viruses, worms, Trojan horses, and adware. Symantec Endpoint Protection provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.

This integration enriches and ingests the following logs from Symantec Endpoint Protection:

- **Audit logs**: Record changes to policies such as policy updates, policy assignments, and more.
- **Risk logs**: Track and record potential security risks detected on endpoints, including malware, vulnerabilities, and suspicious activities.
- **Scan logs**: Record the results of antivirus scans, including detected malware, scan settings, and user information.
- **System logs**: Record all administrative activities, client activities, server activities and `client_server` activities.
- **Security logs**: Record security-related events, including attacks, compliance, and device control.
- **Application control logs**: Record events related to application control, such as blocked or allowed applications.
- **Traffic logs**: Record network traffic events, including incoming and outgoing connections, protocols, and ports.

You can also visualize detailed insights into the above-mentioned logs with the out-of-the-box dashboards. Once you've installed the integration, you can find the dashboards by searching for "symantec-endpoint-protection" in the dashboards list.

**Minimum Agent version:** 7.61.0

## Setup{% #setup %}

### Installation{% #installation %}

To install the Symantec Endpoint Protection integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management documentation](https://docs.datadoghq.com/agent/guide/integration-management.md?tab=linux#install).

**Note**: This step is not necessary for Agent version >= 7.52.0.

Linux command:

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-symantec_endpoint_protection==1.0.0
```

### Configuration{% #configuration %}

#### Log collection{% #log-collection %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `symantec_endpoint_protection.d/conf.yaml` file to start collecting your Symantec Endpoint Protection logs.

   See the [sample symantec_endpoint_protection.d/conf.yaml](https://docs.datadoghq.com/agent/guide/integration-management.md?tab=linux#install) for available configuration options.

   ```yaml
   logs:
    - type: udp
      port: <PORT>
      service: symantec-endpoint-protection
      source: symantec-endpoint-protection
   ```

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands.md#start-stop-and-restart-the-agent).

1. Configure Syslog Message Forwarding from Symantec Endpoint Protection Server:

   1. Log on to your **Symantec Endpoint Protection Server**.
   1. Click **Admin**.
   1. Click **Servers** in the **Admin** panel.
   1. Select the **site** for which you want to forward logs.
   1. Click **Configure external logging**.
   1. Enable **Transmission of Logs to a Syslog Server**.
   1. Enter your **syslog server IP** (the address of the host running the Datadog Agent).
   1. Select **UDP** as the network protocol.
   1. Enter the **PORT** you want to forward logs to (the same port set in `conf.yaml`).

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands.md#agent-status-and-information) and look for `symantec_endpoint_protection` under the Checks section.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The Symantec Endpoint Protection integration collects audit, risk, scan, security, traffic, application control, and system logs.

### Metrics{% #metrics %}

The Symantec Endpoint Protection integration does not include any metrics.

### Events{% #events %}

The Symantec Endpoint Protection integration does not include any events.

### Service Checks{% #service-checks %}

The Symantec Endpoint Protection integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

### Permission denied while port binding{% #permission-denied-while-port-binding %}

If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions:

1. Binding to a port number under 1024 requires elevated permissions:

   - Grant access to the port using the `setcap` command:

     ```shell
     sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
     ```

   - Verify the setup is correct by running the `getcap` command:

     ```shell
     sudo getcap /opt/datadog-agent/bin/agent/agent
     ```

     With the expected output:

     ```shell
     /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
     ```

   **Note**: Re-run this `setcap` command every time you upgrade the Agent.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands.md#start-stop-and-restart-the-agent).

### Data is not being collected{% #data-is-not-being-collected %}

If a firewall is enabled on the Agent host, make sure it allows inbound UDP traffic on the configured port, otherwise the forwarded syslog messages never reach the Agent.

### Port already in use{% #port-already-in-use %}

If you see the **Port <PORT-NO> Already in Use** error, use the following instructions. The example below is for PORT-NO = 514:

On systems using Syslog, if the Agent listens for Symantec Endpoint Protection logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`.

This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps:

- Disable Syslog.
- Configure the Agent to listen on a different, available port.
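The following preflight script is an added example (not part of the Datadog integration or Agent) covering the `conf.yaml` listener block above and the two port errors in this section: it validates one `logs:` entry and then tries to bind the UDP port the way the Agent forwarder would, mapping the result to the fix this page describes. The `check_listener_config` and `probe_udp_bind` names are assumptions of this example.

```python
"""Preflight for the symantec_endpoint_protection UDP listener.
Added example, not Datadog code: validates a conf.yaml `logs:` entry and
probes whether the Agent could bind the port (setcap vs. port conflict)."""
import errno
import socket

SYSLOG_DEFAULT_PORT = 514      # a local syslog daemon usually holds this
PRIVILEGED_PORT_LIMIT = 1024   # below this the Agent needs CAP_NET_BIND_SERVICE
EXPECTED_TAG = "symantec-endpoint-protection"


def check_listener_config(entry: dict) -> list:
    """Return advisories for one `logs:` entry given as a dict with the YAML
    keys type/port/service/source (constructed input). Empty list means fine."""
    problems = []
    if entry.get("type") != "udp":
        problems.append("type must be 'udp' to match the SEP server's UDP forwarding")
    port = entry.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} is not a valid port number")
    else:
        if port < PRIVILEGED_PORT_LIMIT:
            problems.append(f"port {port} < {PRIVILEGED_PORT_LIMIT}: run "
                            "setcap CAP_NET_BIND_SERVICE=+ep on the Agent binary")
        if port == SYSLOG_DEFAULT_PORT:
            problems.append("port 514 is the syslog default; disable syslog "
                            "or pick another port")
    for key in ("service", "source"):
        if entry.get(key) != EXPECTED_TAG:
            problems.append(f"{key} should be '{EXPECTED_TAG}' so the pipeline matches")
    return problems


def probe_udp_bind(port: int, host: str = "0.0.0.0") -> str:
    """Bind a UDP socket once, as the Agent forwarder does. Returns 'ok',
    'permission-denied' (needs setcap) or 'in-use' (port already taken)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission-denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        sock.close()


if __name__ == "__main__":
    cfg = {"type": "udp", "port": 514, "service": EXPECTED_TAG, "source": EXPECTED_TAG}
    for problem in check_listener_config(cfg):
        print("config:", problem)
    print("bind 514:", probe_udp_bind(cfg["port"]))
```

Run it on the Agent host as the `dd-agent` user so the bind probe reflects the Agent's own privileges.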

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
