Why is Symantec EDR forwarding data to the old Syslog server?

Article ID: 227972

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

A new syslog server has been set up and configured for use in EDR (SEDR), but EDR is still forwarding data to the old server.

Environment

Release : 4.6.0

Network based firewall or proxy server

Cause

The license for EDR expired and was not renewed immediately. EDR normally registers a new license automatically, but if a network device or configuration blocks communication with the backend server, this automated process cannot occur. A firewall or a proxy can have this effect on an EDR appliance. You may find that license registration has failed because one or both of these is configured incorrectly in your environment.

Resolution

  1. Verify there is a connection to the register.brightmail.com server from the EDR appliance:
    1. status_check
       This command verifies the status of EDR's connection to Symantec servers, including the registration server.
    2. nslookup register.brightmail.com
       DNS should resolve the server's hostname (static) to an IP address (dynamic).
    3. tcp_check -s register.brightmail.com -p 443
       You can also add -v to tcp_check for verbose output. What you are looking for is successful validation of the certificate being used.
  2. If there is no connection to the Symantec servers, address this first before proceeding.
    1. In the EDR documentation, search for "Required firewall ports" and verify your firewall allows all the appropriate addresses and ports.
    2. If you have a proxy configured between EDR and the internet, review "Proxy recommendations" and ensure the proxy server allows EDR traffic to the Symantec servers.
  3. Verify whether the license has been registered. Contact support for assistance with this, since the relevant log file is not viewable from the admin account in EDR.
  4. If the license is not registered, support will need to run a command to manually trigger the registration process after confirming that communication with the Symantec servers is possible.
  5. Remove the configuration for all syslog servers.
  6. Re-configure the syslog server to be used.
    1. Ensure that you have correctly configured the settings for your appliance. Is it using 'default' appliance settings? See "About Symantec EDR appliance configuration options" in the EDR documentation. Alternatively, you can select an EDR appliance in the Settings > Appliances list and configure it without using default appliance settings.
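The three connectivity checks in step 1 (DNS, TCP reachability, certificate validation) can be reproduced from any host on the same network segment as the appliance, which helps decide whether a firewall rule or a TLS-intercepting proxy is what blocks registration. The script below is an added example, not Symantec's own tooling; it assumes standard Python with the host's system trust store, and reports the first stage that fails.

```python
import socket
import ssl

# Registration endpoint and port named in the article's resolution steps.
REGISTRATION_HOST = "register.brightmail.com"
REGISTRATION_PORT = 443


def check_registration_path(host=REGISTRATION_HOST, port=REGISTRATION_PORT, timeout=5.0):
    """Run the article's checks in order (DNS, TCP, certificate) and report the
    first stage that fails, so DNS, firewall and proxy problems can be told apart."""
    result = {"host": host, "port": port, "stage": None, "ok": False, "detail": ""}

    # Stage 1: DNS, the equivalent of `nslookup register.brightmail.com`.
    result["stage"] = "dns"
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["detail"] = f"resolution failed: {exc}"
        return result

    # Stage 2: TCP reachability, the equivalent of `tcp_check -s HOST -p 443`.
    result["stage"] = "tcp"
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"connect to {addr}:{port} failed (firewall or proxy rule?): {exc}"
        return result

    # Stage 3: TLS handshake with chain and hostname validation, which is what
    # `tcp_check -v` reports. A proxy that re-signs traffic fails here.
    result["stage"] = "tls"
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        sock.close()
        result["detail"] = f"certificate validation failed: {exc}"
        return result

    subject = dict(pair[0] for pair in cert.get("subject", ()))
    result["ok"] = True
    result["detail"] = f"certificate validated, CN={subject.get('commonName', '?')}"
    return result


if __name__ == "__main__":
    r = check_registration_path()
    print(f"{r['host']}:{r['port']} stage={r['stage']} ok={r['ok']} {r['detail']}")
```

A failure at the "tcp" stage points at the firewall port list; a failure at the "tls" stage with DNS and TCP succeeding usually means an intercepting proxy is presenting its own certificate, which is the 'network proxy' case discussed below.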

Additional Information

What is the difference between an EDR appliance's 'enterprise proxy' and 'network proxy'?

  • The 'enterprise proxy' is a configuration related to SEDR (ATP) Network Scanner functionality. It tells the scanner where the proxy server sits in the network topology when the scanner is configured to inspect network traffic.
  • A 'network proxy' is configured on an EDR management appliance. It tells EDR that a proxy is in use when establishing communication with Symantec servers (i.e. license registration and LiveUpdate).

In this situation a 'network proxy' should be configured, not an 'enterprise proxy', unless an enterprise proxy (or proxies) also exists in your environment. These should not be the same address.