Requirement -> Symantec Scan Engine needs to run on Windows (this does not work if you are running SSE on Linux/Solaris).
Enable Scan Engine to write to the Windows event log and disable the SSIM logging via the web interface (set it to information):
If you open the Windows Event log, you should now see events from the Scan Engine written to the application log:
There are 2 options to collect the Windows Event log from Windows:
- Remotely -> Configuring a sensor on another Windows machine to access the log of the Scan Engine machine
- Locally -> Install an SSIM Event Agent (+Windows Event Collector) on the Scan Engine machine
Note: In the Sensor configuration, if you only want to collect events from Scan Engine and not from the rest of Windows, you can apply a filter:
If you want to run large queries only on this type of source, you might want to update the indexing by adding the "Windows Event Source".