Educause Security Discussion mailing list archives
Symantec SEP, SEM and IP address
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 17 Nov 2010 16:24:22 -0500
We have recently started using a SEM for collecting and correlating a variety of event logs. We've run into a problem with the fact that Symantec Endpoint Protection's management server does not log the client IP address in virus detection events, preventing us from properly correlating them to the source and to other events.

So far, I haven't received much traction with Symantec on getting this fixed, so I have created an "idea" for this feature on their support site here: http://www.symantec.com/connect/idea/include-client-ip-address-virus-detection-event-logs

As far as I can tell, the SEP management server tracks system information and virus alerts in different tables that are linked by the computer's NetBIOS name (or perhaps an assigned database key that isn't visible in the GUI). It tracks the last known IP address in the system table, but does not track the IP address held by the client at the time each virus was detected. This information is particularly important for SEM correlation or building out incident timelines.

If you share this frustration with SEP logs, please log in and bump the idea to get some attention.

Thanks,
Brad Judy
Emory University
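The workaround most shops end up with for the gap Brad describes is to join the detection events to the system table on computer name and accept the last-known IP, while flagging how far that check-in is from the detection time so an analyst knows when the address is untrustworthy. The following is an added example of that enrichment step, not code from the post or from Symantec; the record layouts, the `max_skew` threshold and the sample events are all constructed here for illustration, with the computer name used as the join key because that is the link the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class DetectionEvent:
    """One virus detection as exported from the management server (no client IP)."""
    computer_name: str
    detected_at: datetime
    threat: str


@dataclass
class SystemRecord:
    """One row of the system inventory: last-known IP and when it was reported."""
    computer_name: str
    last_ip: str
    last_checkin: datetime


# Constructed sample data; not real hosts, addresses or detections.
DETECTIONS: List[DetectionEvent] = [
    DetectionEvent("lab-pc01", datetime(2010, 11, 17, 15, 42), "Trojan.Gen"),
    DetectionEvent("LIB-KIOSK7", datetime(2010, 11, 15, 9, 5), "W32.Sality"),
    DetectionEvent("DORM-LAPTOP3", datetime(2010, 11, 17, 12, 0), "Adware.Generic"),
]

SYSTEMS: Dict[str, SystemRecord] = {
    "LAB-PC01": SystemRecord("LAB-PC01", "10.20.30.41", datetime(2010, 11, 17, 15, 50)),
    "LIB-KIOSK7": SystemRecord("LIB-KIOSK7", "10.20.31.9", datetime(2010, 11, 17, 16, 10)),
}


def enrich_detections(
    detections: List[DetectionEvent],
    systems: Dict[str, SystemRecord],
    max_skew: timedelta = timedelta(hours=4),
) -> List[dict]:
    """Attach the last-known IP to each detection and grade how much to trust it.

    ip_confidence is:
      "current"      - inventory check-in is within max_skew of the detection
      "stale"        - check-in is far from the detection; a DHCP client may have
                       held a different address when the threat was found
      "unknown-host" - no inventory row for this computer name
    """
    rows = []
    for d in detections:
        # NetBIOS names are case-insensitive; normalise before the join.
        key = d.computer_name.upper()
        sysrec: Optional[SystemRecord] = systems.get(key)
        row = {
            "computer_name": key,
            "detected_at": d.detected_at.isoformat(),
            "threat": d.threat,
            "ip": None,
            "ip_as_of": None,
            "ip_confidence": "unknown-host",
        }
        if sysrec is not None:
            skew = abs(sysrec.last_checkin - d.detected_at)
            row["ip"] = sysrec.last_ip
            row["ip_as_of"] = sysrec.last_checkin.isoformat()
            row["ip_confidence"] = "current" if skew <= max_skew else "stale"
        rows.append(row)
    return rows


def needs_manual_review(rows: List[dict]) -> List[str]:
    """Computer names whose detections cannot be tied to a reliable address."""
    return [r["computer_name"] for r in rows if r["ip_confidence"] != "current"]


if __name__ == "__main__":
    for r in enrich_detections(DETECTIONS, SYSTEMS):
        print(r)
    print("review:", needs_manual_review(enrich_detections(DETECTIONS, SYSTEMS)))
```

The `ip_as_of` field is carried into the SEM alongside the address so that a timeline built later shows the address as "last seen at" rather than "at detection time"; for hosts graded `stale` or `unknown-host`, the DHCP or authentication logs already in the SEM are the place to recover the address for that window.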
Current thread:
- Symantec SEP, SEM and IP address Brad Judy (Nov 17)
- Re: Symantec SEP, SEM and IP address Eric C. Lukens (Nov 17)
- Re: Symantec SEP, SEM and IP address Brad Judy (Nov 18)
- Re: Symantec SEP, SEM and IP address Eric C. Lukens (Nov 17)