Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, and servers in your network against malware, risks, and vulnerabilities. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your client computers against known and unknown threats, such as viruses, worms, Trojan horses, and adware. Symantec Endpoint Protection provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.
This integration enriches and ingests the following logs from Symantec Endpoint Protection:
Audit logs: Record changes to policies such as policy updates, policy assignments, and more.
Risk logs: Track and record potential security risks detected on endpoints, including malware, vulnerabilities, and suspicious activities.
Scan logs: Record the results of antivirus scans, including detected malware, scan settings, and user information.
System logs: Record all administrative activities, client activities, server activities and client_server activities.
Security logs: Record security-related events, including attacks, compliance, and device control.
Application control logs: Record events related to application control, such as blocked or allowed applications.
Traffic logs: Record network traffic events, including incoming and outgoing connections, protocols, and ports.
You can also visualize detailed insights into the above-mentioned logs with the out-of-the-box dashboards. Once you’ve installed the integration, you can find the dashboards by searching for “symantec-endpoint-protection” in the dashboards list.
To install the Symantec Endpoint Protection integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.52.0.
If you see the Port <PORT-NO> Already in Use error, see the following instructions. The example below is for PORT-NO = 514:
On systems using Syslog, if the Agent listens for Cisco Secure Firewall logs on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use.
This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
Disable Syslog.
Configure the Agent to listen on a different, available port.