Symantec Endpoint Protection (SEP) client risk events show the client source IP address as 0.0.0.0 when SEPM risk events are forwarded to an external syslog server.
- IP address of machine that experienced a risk event is exported as 0.0.0.0
- The machine name of the client that forwarded the log event is successfully relayed
The IP address in the exported syslog server logs is displayed as 0.0.0.0.
The source IP address is populated when a remote attack against a client machine occurs and the client is configured by policy to use the "Risk Tracer" option. Risk Tracer depends on the Intrusion Prevention System (IPS) feature "Active Response". Both options must be installed and configured correctly for the SEP client to track the remote attacking machine's IP address. The Symantec Endpoint Protection Manager (SEPM) server then receives the source IP address forwarded in the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, it is because the client did not send a source IP address to the SEPM server, for any of various reasons.
The source IP address received in the logs was a NULL value. By design, when the SEPM receives NULL values for this field it will populate with the value 0.0.0.0 so that it is not blank.
This issue has been fixed in Symantec Endpoint Protection 11 Release Update 7 (RU7). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH 103088: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x.
In RU7 the design was changed so that the Symantec Endpoint Protection Manager displays NULL values forwarded to the SEPM as a blank entry. It no longer populates or substitutes the value 0.0.0.0.
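For anyone ingesting these forwarded events into a SIEM, the practical consequence of both behaviours (0.0.0.0 substituted for NULL before RU7, a blank entry from RU7 on) is that neither value is a real attacking host and neither should drive an alert or a block. The following is an added example, not Symantec's code and not part of this article: it parses constructed SEPM-style syslog lines and normalises the source-IP field so that both forms are treated as "unknown source". The comma-separated "Field name: value" layout and the field labels ("Computer name", "Source IP", "Risk name") are assumptions made for illustration; verify them against the actual SEPM syslog output before relying on the parser.

```python
"""Normalise the source-IP field in SEPM risk events forwarded over syslog.

Added example, not Symantec's code. The line layout ("Field name: value"
pairs separated by commas) and the field labels are assumptions constructed
for illustration; check them against real SEPM syslog output.
"""
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample lines (not captured from a real SEPM):
#  - pre-RU7 style: 0.0.0.0 substituted for a NULL source
#  - RU7+ style: blank source
#  - a real source address (documentation range 192.0.2.0/24)
SAMPLE_EVENTS = [
    "Security risk found,Computer name: WS-01,Source IP: 0.0.0.0,"
    "Risk name: Example.Risk,Action: Quarantined",
    "Security risk found,Computer name: WS-02,Source IP: ,"
    "Risk name: Example.Risk,Action: Quarantined",
    "Security risk found,Computer name: WS-03,Source IP: 192.0.2.10,"
    "Risk name: Example.Risk,Action: Quarantined",
]

# One "Field name: value" pair; the value may be empty.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


def parse_event(line: str) -> Dict[str, str]:
    """Split a comma-separated SEPM-style line into a field -> value dict.
    The leading event description (which has no colon) is stored as 'event'."""
    fields: Dict[str, str] = {}
    parts = line.split(",")
    fields["event"] = parts[0].strip()
    for part in parts[1:]:
        m = FIELD_RE.match(part)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def normalize_source_ip(raw: str) -> Optional[str]:
    """Return a validated source IP string, or None when SEPM had no value.

    Pre-RU7 SEPM substitutes 0.0.0.0 for a NULL source; RU7 and later leave
    the entry blank. Both mean "unknown" and must not be treated as a host.
    """
    value = raw.strip()
    if not value:
        return None
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP literal at all
    if ip.is_unspecified:  # 0.0.0.0 (or :: for IPv6)
        return None
    return str(ip)


def enrich(line: str) -> Dict[str, object]:
    """Produce a normalised record; 'source_known' tells a SIEM rule whether
    the source field can be used for correlation or response."""
    fields = parse_event(line)
    src = normalize_source_ip(fields.get("Source IP", ""))
    return {
        "computer": fields.get("Computer name"),
        "risk": fields.get("Risk name"),
        "source_ip": src,
        "source_known": src is not None,
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(enrich(event))
```

The key point is `ip.is_unspecified`: a rule that simply checks "field is non-empty" would accept 0.0.0.0 from a pre-RU7 manager and could attach a risk event to a nonexistent attacker, so both the blank and the all-zero forms are collapsed to `None` before any correlation or response logic sees them.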
*Detailed steps to reproduce the issue: