2019-02-04 09:11 AM
Hello,
I have configured the Symantec server to send its logs to external logging: my log collector. I did the configuration on the Symantec server via the management console, following the guide. I'm searching in Event Sources for device.type = 'symantecav', but it is not bringing up any logs. Port 514 is open. Any ideas, please?
In the Symantec console I have configured the filter for logs such as client logs: control logs and security log.
2019-02-04 11:37 AM
Run tcpdump on the SEP server or on the log decoder to make sure that the data is leaving the box and getting to RSA NetWitness.
Also search by device.ip in NetWitness to make sure that the device type you think it should be is being captured (it could be in an unknown state and need a parser enabled on the log decoder for your Symantec device type).
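As an added example (not part of this thread or of the NetWitness product), a Python loopback check of the syslog path that the tcpdump step verifies on the wire: it sends a constructed BSD syslog line to a UDP listener and returns the source address and text that arrived. The host name, application name and message text are assumptions; on a real deployment the listener side is tcpdump on the log decoder (udp/514), and a message that leaves the SEP server but never arrives points at the network path rather than at the decoder's parser.

```python
# Loopback check of a UDP syslog path (added example; hosts and message are constructed).
import socket
import threading
import time


def build_syslog_line(host: str, app: str, msg: str, facility: int = 1, severity: int = 6) -> str:
    """Build a BSD syslog line: <PRI>TIMESTAMP HOST APP: MSG, where PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{time.strftime('%b %d %H:%M:%S')} {host} {app}: {msg}"


def send_udp_syslog(collector: str, port: int, line: str) -> int:
    """Send one datagram toward the collector; returns bytes sent (the 'leaving the box' side)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (collector, port))


class UdpSyslogListener:
    """Bind a UDP socket (port 0 = ephemeral) and record (source_ip, text) for each datagram."""

    def __init__(self, bind_host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_host, port))
        self.sock.settimeout(0.1)  # short timeout so the loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.received = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def _loop(self) -> None:
        while not self._stop.is_set():
            try:
                data, (src_ip, _) = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            self.received.append((src_ip, data.decode("utf-8", errors="replace")))

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def loopback_check(sender_host: str = "sep-server.example", app: str = "SymantecAV") -> list:
    """Send one constructed line to a local listener and return the (source_ip, text) pairs it saw."""
    listener = UdpSyslogListener()
    send_udp_syslog("127.0.0.1", listener.port, build_syslog_line(sender_host, app, "constructed test event"))
    deadline = time.monotonic() + 2.0
    while not listener.received and time.monotonic() < deadline:
        time.sleep(0.05)
    listener.stop()
    return listener.received
```

Run the sender half on the SEP server against the collector's real address and port 514, and compare with what tcpdump shows arriving on the decoder.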