Symantec SES Events Input
Symantec Endpoint Security is the fully cloud-managed version of the on-premise Symantec Endpoint Protection (SEP), which delivers multi-layer protection to stop threats regardless of the method of attack on your endpoints. SES generates various incidents and event types.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- Your Symantec subscription must include Symantec Endpoint Security Complete.
Supported Log Types
This input supports collecting the following log types:
Graylog offers support for a variety of event type IDs and incidents. For a detailed list of Symantec event detection types and descriptions, review the documentation on event detection types and descriptions.
Required Third-Party Setup
To enable integration, complete the following required setup with your third-party service:
- Create a client application.
- For the client application, specify the View permissions for Alerts & Events and Investigation.
- Create an event stream. When configuring the event stream, select all event types you want to receive in Graylog.
Required Configuration Values
In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:
- Client ID
- OAuth token
- Stream GUID
- Channel
Input Type
This input is a
Input Configuration
Follow the input setup instructions. During setup of this input, you can configure the following options:
| Configuration Option | Description |
|---|---|
| Input Name | Provide a unique name for your new input. |
| OAuth Credentials | OAuth token of the Symantec SES client application created with sufficient API permissions. |
| Hosting Location | The region where Symantec SES is hosted. |
| Logs Types to Collect | The type of activity logs to fetch. |
| Stream GUID | The GUID of the event stream created with the required event types to be streamed. |
| Number of Channels | The number of channels required for the event stream configuration. |
| Polling Interval | Determines how often (in minutes) Graylog checks for new data in Symantec SES. The smallest allowable interval is 5 minutes. |
| Enable Throttling | If enabled, fetching new data for this input is temporarily paused when the system is backed up and overloaded. Data fetching resumes when the system catches up with its message load. If you regularly poll an external system, e.g. via HTTP, leave this option disabled. |
| Checkpoint Interval | How often (in seconds) Graylog records checkpoints for Symantec SES. |
| Stream Connection Timeout | Event stream connection timeout in minutes. This setting indicates how long the stream connection should remain open. |
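As an added example (not Graylog's or Symantec's own code), the following pre-flight check applies the constraints from the table above to a candidate configuration before the input is created, and masks the OAuth token so the settings can be pasted into a diagnosis report. The field names, the treatment of the Stream GUID as a standard UUID, and the minimum of one channel are assumptions; the 5-minute polling floor and the throttling advice come from the table.

```python
"""Pre-flight checks for a Symantec SES Events Input configuration (constructed example)."""
import uuid

SECRET_KEYS = {"oauth_token"}  # never echo these in diagnostics


def validate_ses_input_config(cfg: dict) -> list[str]:
    """Return a list of problems found; an empty list means the config passes."""
    problems = []
    if not cfg.get("input_name", "").strip():
        problems.append("input_name: a non-empty, unique name is required")
    if not cfg.get("oauth_token"):
        problems.append("oauth_token: OAuth token of the SES client application is required")
    try:
        uuid.UUID(str(cfg.get("stream_guid", "")))  # assumption: Stream GUID is a UUID string
    except ValueError:
        problems.append("stream_guid: not a valid GUID")
    if not isinstance(cfg.get("channels"), int) or cfg["channels"] < 1:
        problems.append("channels: number of channels must be an integer >= 1 (assumed minimum)")
    if cfg.get("polling_interval_min", 0) < 5:
        problems.append("polling_interval_min: smallest allowable interval is 5 minutes")
    if cfg.get("checkpoint_interval_sec", 0) <= 0:
        problems.append("checkpoint_interval_sec: must be a positive number of seconds")
    if cfg.get("stream_timeout_min", 0) <= 0:
        problems.append("stream_timeout_min: must be a positive number of minutes")
    if cfg.get("enable_throttling"):
        # This input polls SES over HTTP, so the table advises leaving throttling disabled.
        problems.append("enable_throttling: leave disabled for inputs that poll an external system")
    return problems


def redact(cfg: dict) -> dict:
    """Copy of the config that is safe to include in Input Diagnosis output."""
    return {k: ("***" if k in SECRET_KEYS and v else v) for k, v in cfg.items()}


if __name__ == "__main__":
    sample = {  # constructed sample values, not a real deployment
        "input_name": "ses-events-prod",
        "oauth_token": "example-token-not-real",
        "stream_guid": "12345678-1234-1234-1234-123456789abc",
        "channels": 1,
        "polling_interval_min": 5,
        "checkpoint_interval_sec": 60,
        "stream_timeout_min": 30,
        "enable_throttling": False,
    }
    print(validate_ses_input_config(sample))
    print(redact(sample))
```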
Next Steps
After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.
Further Reading
Explore the following additional resources and recommended readings to expand your knowledge on related topics:
