Knowledge Partner
2015-12-10 13:52
Problem with Symantec Endpoint Collector distinguishing observers.
Hi.
First things first, this is basically a Problem in Symantecs Product, I
wonder though if there's a workaround on the Sentinel side.
As it is, Symantec Endpoint Protection 12.1, when configured to log to
Sentinel via Syslog incorrectly (in violation of the RFC) sends
"SymantecServer" as the hostname, more precisely they send
"SymantecServer <RealHostname>"
so that if one has multiple such servers, they get lumped together in
Sentinel as one under the name "SymantecServer".
Apart from kicking Symantec in the behind, is there anything I can do in
Sentinel to distinguish the individual observers? Like some logic to
look at the <Realhostname> that it sends, aka ignore the trailing
"Symantecserver " somehow?
CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
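One way to do the hostname splitting the question asks for, as an added example in plain JavaScript that is not part of this thread and not the Sentinel collector's own code (Sentinel collectors are scripted in JavaScript, but none of their API is used here). It assumes RFC 3164 style lines in which the real hostname is the first token after the literal "SymantecServer", optionally followed by a colon; the wire layout, the field names and every sample line are constructed for this example.

```javascript
// Added example, not code from the thread or from the Sentinel collector:
// rewrite the observer hostname of a syslog line whose HOSTNAME field carries
// the literal placeholder "SymantecServer" followed by the real hostname.
//
// Assumed wire layout (RFC 3164 style; the post only says "SymantecServer <RealHostname>"):
//   <PRI>Mmm dd hh:mm:ss SymantecServer <RealHostname>[:] <rest of SEP message>
// All sample lines below are constructed for this example.

const SYSLOG_RE =
  /^(?:<(\d{1,3})>)?([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(\S+)(?:\s+([\s\S]*))?$/;

// RFC 1123 style hostname or FQDN: labels of letters, digits and hyphens joined by dots.
const HOSTNAME_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// The placeholder is matched case-insensitively; the post spells it both ways.
const PLACEHOLDER = "symantecserver";

// Split a syslog line into PRI, timestamp, HOSTNAME and MSG; null if it does not parse.
function parseSyslog(line) {
  const m = SYSLOG_RE.exec(line);
  if (m === null) return null;
  return {
    pri: m[1] === undefined ? null : Number(m[1]),
    timestamp: m[2],
    hostname: m[3],
    msg: m[4] === undefined ? "" : m[4],
  };
}

// Return the parsed record with an `observer` field: the real hostname when the
// HOSTNAME field is the placeholder and MSG starts with a valid hostname token,
// otherwise the HOSTNAME field as received. `rewritten` records which case applied.
function normalizeObserver(line) {
  const rec = parseSyslog(line);
  if (rec === null) return null;
  rec.observer = rec.hostname;
  rec.rewritten = false;
  if (rec.hostname.toLowerCase() !== PLACEHOLDER) return rec;

  const sp = rec.msg.search(/\s/);
  const first = sp === -1 ? rec.msg : rec.msg.slice(0, sp);
  const candidate = first.replace(/:$/, ""); // tolerate a "host:" tag style
  if (!HOSTNAME_RE.test(candidate)) return rec; // not a hostname: leave the record alone

  rec.observer = candidate;
  rec.msg = sp === -1 ? "" : rec.msg.slice(sp).replace(/^\s+/, "");
  rec.rewritten = true;
  return rec;
}

// Count events per observer, which is what the thread wants to see split by server.
function countByObserver(lines) {
  const counts = {};
  for (const line of lines) {
    const rec = normalizeObserver(line);
    const key = rec === null ? "<unparsed>" : rec.observer;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample input: two SEP managers behind the placeholder, one well-behaved
// host, one placeholder line whose MSG does not start with a hostname, and one junk line.
const SAMPLE_LINES = [
  "<14>Dec 10 13:52:01 SymantecServer sepm-berlin.example.corp: Site: HQ,Server: sepm-berlin,Scan started",
  "<14>Dec 10 13:52:05 SymantecServer sepm-munich Site: Branch,Server: sepm-munich,Virus found",
  "<34>Dec 10 13:53:00 fw01 kernel: blocked packet",
  "<14>Dec 10 13:54:00 Symantecserver ***,Site: HQ",
  "not a syslog line",
];

console.log(countByObserver(SAMPLE_LINES));
```

The fallback matters for a SIEM: when the first MSG token is not a syntactically valid hostname, the record keeps the placeholder as its observer instead of inventing one, so a format change on the sender side shows up as events still lumped under "SymantecServer" rather than as silently misattributed events.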
4 Replies
brandon-langley
Absent Member.
2015-12-11 02:17
Re: Problem with Symantec Endpoint Collector distinguishing observers.
Massimo Rosen;263160 Wrote:
> Hi.
>
> First things first, this is basically a Problem in Symantecs Product, I
> wonder though if there's a workaround on the Sentinel side.
>
> As it is, Symantec Endpoint Protection 12.1, when configured to log to
> Sentinel via Syslog incorrectly (in violation of the RFC) sends
> "SymantecServer" as the hostname, more precisely they send
>
> "SymantecServer <RealHostname>"
>
> so that if one has multiple such servers, they get lumped together in
> Sentinel as one under the name "SymantecServer".
>
> Apart from kicking Symantec in the behind, is there anything I can do
> in
> Sentinel to distinguish the individual observers? Like some logic to
> look at the <Realhostname> that it sends, aka ignore the trailing
> "Symantecserver " somehow?
>
>
> CU,
> --
> Massimo Rosen
> Novell Knowledge Partner
> No emails please!
> http://www.cfc-it.de
I'm pretty sure the team just took an SR/Bug on this and addressed it.
--
brandon.langley
------------------------------------------------------------------------
brandon.langley's Profile: https://forums.netiq.com/member.php?userid=350
View this thread: https://forums.netiq.com/showthread.php?t=54834
Knowledge Partner
2015-12-11 09:44
Re: Problem with Symantec Endpoint Collector distinguishing observers.
Brandon,
On 11.12.2015 at 03:17, brandon.langley wrote:
> I'm pretty sure the team just took an SR/Bug on this and addressed it.
Dang! I should have looked at the preview plugins first.
Thumbs up for having my problem solved proactively. 😉
CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner
2015-12-11 09:49
Re: Problem with Symantec Endpoint Collector distinguishing observers.
On 11.12.2015 at 10:44, Massimo Rosen wrote:
> Brandon,
>
> On 11.12.2015 at 03:17, brandon.langley wrote:
>> I'm pretty sure the team just took an SR/Bug on this and addressed it.
>
> Dang! I should have looked at the preview plugins first.
>
> Thumbs up for having my problem solved proactively. 😉
Guess I spoke too soon... :( Same problem with the current preview collector.
Another issue with that collector is that it doesn't automatically
detect the event source as Symantec Endpoint Protection, but puts it
under Universal Event by default, and has to be manually moved.
CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
brandon-langley
Absent Member.
2015-12-14 17:54
Re: Problem with Symantec Endpoint Collector distinguishing observers.
Massimo Rosen;263261 Wrote:
> On 11.12.2015 at 10:44, Massimo Rosen wrote:
> > Brandon,
> >
> > On 11.12.2015 at 03:17, brandon.langley wrote:
> >> I'm pretty sure the team just took an SR/Bug on this and addressed
> it.
> >
> > Dang! I should have looked at the preview plugins first.
> >
> > Thumbs up for having my problem solved proactively. 😉
>
> Guess I spoke too soon..:( Same problem with the current preview
> collector.
>
> Another issue with that collector is, that it doesn't automatically
> detect the event source as Symantec Endpoint Protection, but puts it
> under Universal Event by default, and has to be manually moved.
>
> CU,
> --
> Massimo Rosen
> Novell Knowledge Partner
> No emails please!
> http://www.cfc-it.de
Massimo,
I think at this point I'd advocate opening an SR and walking through it
with support. In particular, I think they'll be curious to see what is
afoot there, as it's not expected or normal to have that collector
pathing through the Universal collector, which suggests there is another
factor afoot here.
--
brandon.langley
------------------------------------------------------------------------
brandon.langley's Profile: https://forums.netiq.com/member.php?userid=350
View this thread: https://forums.netiq.com/showthread.php?t=54834