Endpoint Activity Recorder Logs are not searchable in EDR console
Article ID: 214246

Products

Endpoint Detection and Response

Issue/Introduction

You are unable to locate the Endpoint Activity Recorder Logs you enabled in the EDR (Symantec Endpoint Detection and Response) web console.

Additional recorder rules were configured in EDR, but you cannot search for these logs/events in the EDR online console. When you check the client groups where these rules are enabled in SEP (Symantec Endpoint Protection), you find that the endpoints are enrolled and reporting to EDR, but when you search for a machine you do not find any of the extra logs that EDR could have captured. Your search may return "no results found."

Cause

The netstat event recording checkbox in the Endpoint Activity Recorder configuration is only a recording setting, not a forwarding setting. The events you enable there are recorded in the SEP local database on the endpoint; they are not forwarded to EDR.

Resolution

This behavior is by design. Note that it is also by design that requesting a full dump sends all events recorded in the local database to EDR, where they can then be reviewed.

How do I find and identify Endpoint Activity Recorder logs in EDR?

When you perform an endpoint search or a process dump, EDR searches across all events recorded in the local database that match the search criteria. Because that space is limited by the endpoint database size you configured, older events may already have been overwritten and the database may not include the events you are searching for.

A full dump, by design, sends everything recorded in the local database to EDR.

Look for Search query syntax in the EDR documentation:

  1. Go to the Tech Docs Portal.
  2. Search for "Endpoint Detection and Response".
  3. You will be taken to the latest EDR version's documentation.
  4. In the "Search this product" field, search for "Search query syntax".
  5. See also "Retrieving endpoint activity recorder information" and "About endpoint activity recorder full dump results" in the EDR documentation for more information on retrieving recorded events.

How can I identify netstat events that have occurred?

  1. Option A: An SSH session is an example of a netstat event that the endpoint can record. If you are searching for events generated by an SSH session, go to the Search > Database > Events page and use the following terms to perform your search.

    Example:

    type_id: 8007 AND putty

    NOTE:
     Your search results may vary depending on the configuration of your environment and how endpoints are used in it.

  2. Option B: How to perform a full dump:
    1. A full dump can be requested for only one endpoint at a time in the EDR web interface.
    2. Go to Search > Database > Entities > Show Filters > Entity > Endpoint. Select the desired endpoint from the list.
    3. You may also search for a specific endpoint by typing device_name: desktop-abc123 in the Entity Search field on the Search > Database > Entities page.
    4. Click on the device name.
    5. On the endpoint page, click Full Dump.