How to collect Symantec Scan Engine log using the Windows Event Collector for SSIM


Article ID: 177698


Updated On:

Products

Scan Engine Security Information Manager

Issue/Introduction

You want to use the Windows event collector to collect logs from Scan Engine instead of the native integration.

Resolution

Requirement -> Symantec Scan Engine needs to run on Windows (this does not work if you are running SSE on Linux/Solaris).

Enable Scan Engine to write to the Windows event log and disable the native SSIM logging via the web interface (set it to Information).

If you open the Windows Event Viewer, you should now see events from the Scan Engine written to the Application log.

There are two options for collecting the Windows Event log:
  • Remotely -> Configure a sensor on another Windows machine to read the event log of the Scan Engine machine
  • Locally -> Install an SSIM Event Agent (with the Windows Event Collector) on the Scan Engine machine
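Before pointing a sensor at the log, it is worth confirming from the Scan Engine machine (or from the remote collector host) that Scan Engine events are actually landing in the Application log. The PowerShell below is an added check, not part of the original article or of the Scan Engine product; the provider (Source) name is a placeholder you must replace with the value shown in Event Viewer, and the optional computer name covers the "Remotely" option above.

```powershell
# Added verification script (not from the original article).
# Assumption: the Source name under which Scan Engine writes to the Application log
# is NOT given on the page, so a placeholder is used. Replace it with the name shown
# in the "Source" column of Event Viewer for a Scan Engine event.
param(
    [string]$ProviderName = 'REPLACE_WITH_SCAN_ENGINE_SOURCE_NAME',  # placeholder, not a real provider name
    [string]$ComputerName = $env:COMPUTERNAME,  # set to the Scan Engine host when checking remotely
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Server-side filter: only the Application log, only the chosen provider, only recent events.
# This is the same narrowing you will later express as a filter in the SSIM sensor configuration.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning ("No events from '{0}' in the Application log on {1} since {2}. " +
                   "Check that Windows event logging is enabled in the Scan Engine console " +
                   "and that the Source name is correct.") -f $ProviderName, $ComputerName, $since
    return
}

# Summarise by level and event ID so you can see what the sensor filter will have to match.
$events |
    Group-Object -Property LevelDisplayName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Show the most recent few messages for a sanity check of the content being forwarded.
$events |
    Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

The equivalent exact-provider match in Windows' own XPath syntax, should you need it in other tooling, is `Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='<Source name>']]]"`. Reading a remote Application log requires the account to be a member of the Event Log Readers group (or an administrator) on the Scan Engine host and the Remote Event Log Management firewall rule to be enabled there.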

Note: In the sensor configuration, if you only want to collect events from Scan Engine and not from the rest of Windows, you can apply a filter.

If you want to run large queries only on this type of source, you might want to update the indexing by adding the "Windows Event Source".
