How to collect Symantec Scan Engine log using the Windows Event Collector for SSIM
Article ID: 177698


Products: Scan Engine, Security Information Manager

Issue/Introduction

You want to use the Windows event collector to collect logs from Scan Engine instead of the native integration.

Resolution

Requirement -> Symantec Scan Engine must run on Windows (this does not work if you are running SSE on Linux/Solaris).

Enable Scan Engine to write to the Windows event log and disable the native SSIM logging via the web interface (set it to Information):




If you open the Windows Event log, you should now see events from the Scan Engine written to the Application log:



There are two options to collect the Windows Event log from Windows:
  • Remotely -> Configure a sensor on another Windows machine to access the log of the Scan Engine machine
  • Locally -> Install an SSIM Event Agent (+ Windows Event Collector) on the Scan Engine machine


Note: In the Sensor configuration, if you only want to collect events from Scan Engine and not from the rest of Windows, you can apply a filter on the event source:
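The two checks above (confirming that Scan Engine events reach the Application log, and finding the exact source name to put in the sensor filter) can be done from PowerShell before the sensor is configured. The script below is an added example, not part of the Symantec article; it uses the standard Get-WinEvent cmdlet, and the source name 'Symantec Scan Engine' is a placeholder that must be replaced with the provider name the script lists for your host. The ComputerName parameter lets the same check run remotely, which mirrors the "Remotely" collection option.

```powershell
# Added example, not from the original article. Assumes Scan Engine has been
# switched to Windows event logging; the source name below is a placeholder.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$SourceName   = 'Symantec Scan Engine',   # placeholder: confirm from the list printed in step 1
    [int]$MaxEvents       = 500
)

# Step 1: list the event sources currently writing to the Application log,
# so the exact provider name for the sensor's source filter can be read off.
$sources = Get-WinEvent -ComputerName $ComputerName -LogName Application -MaxEvents $MaxEvents |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending

Write-Host "Event sources seen in the Application log on ${ComputerName}:"
$sources | Select-Object Count, Name | Format-Table -AutoSize

# Step 2: pull only the events from the chosen source, which is exactly
# what a source-filtered sensor would forward to SSIM.
$filter = @{ LogName = 'Application'; ProviderName = $SourceName }
$sseEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $sseEvents) {
    # Either logging is still set to the native SSIM integration, or the source name is wrong.
    Write-Warning "No events from source '$SourceName' on $ComputerName; check the logging setting in the Scan Engine web interface and the source name listed above."
} else {
    $sseEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}
```

Run it once with the defaults to see which sources are present, then again with -SourceName set to the Scan Engine provider name that appeared in the first table; the second table is the set of events the filtered sensor will collect. Remote use requires the Remote Event Log Management firewall rule and read access to the Application log on the target machine.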
If you want to run large queries only on this type of source, you might want to update the indexing by adding the "Windows Event Source" field.