How to collect Symantec Scan Engine logs using the Windows Event Collector for SSIM


Article ID: 177698


Scan Engine Security Information Manager


You want to use the Windows event collector to collect logs from Scan Engine instead of the native integration.


Requirement: Symantec Scan Engine must be running on Windows. (This does not work if you are running SSE on Linux/Solaris.)

Enable Scan Engine to write to the Windows event log and disable the SSIM login via the web interface (set it to information).

If you open the Windows Event log, you should now see events from the Scan Engine written to the Application log.

There are two options for collecting the Windows Event log from Windows:
  • Remotely -> Configure a sensor on another Windows machine to access the log of the Scan Engine machine
  • Locally -> Install an SSIM Event Agent (+ Windows Event Collector) on the Scan Engine machine

Note: In the Sensor configuration, if you only want to collect events from Scan Engine and not from the rest of Windows, you can apply a filter.

If you want to run large queries only on this type of source, you might want to update the indexing by adding the "Windows Event Source".