RSA enVision^® Discussions

RSAAdmin · ‎2011-06-10

Hi !

I have an alert that fires when the same virus is detected in 10 different pc's within an hour. It fires normally if I set the SEP server to send logs thru syslog. But after I changed the log collection method to SQL ODBC the alert does not fire anymore. I have queried the antivirus table and data are being written and all my reports are working fine. The only weird thing is I cant see any logs in the analysis if I select the SEP server. Is this normal? Or I cannot use ODBC collection and Alerter at the same time seeing that there is no data in the analysis?

Thanks!

RSAAdmin · ‎2011-06-11

Did you follow the configuration instructions on SCOL?

https://knowledge.rsasecurity.com/docs/rsa_env/device_config/SymantecAntivirusCorporateEdition.pdf

There might be something that you missed. Also, are you on Content 1.0 or Content 2.0?

Paul

RSAAdmin · ‎2011-06-12

Yes, I checked the antivirus table and can see the virusname ipaddress filename and computer name. Also the reports are working fine. It's just that I cant see the raw logs coming in in the events viewer. Thus my question regarding ODBC and not being able to view the logs in events viewer.

RSAAdmin · ‎2011-06-13

Hmm...If you check the Managed Monitored Devices by the IP address which Device Types do you see that were discovered for that IP? could it be that multi-device wasn't checked?

Paul

RSAAdmin · ‎2011-06-14

Thanks, I deleted the device and restarted collector service. That seemed to have fixed teh problem.

RSA enVision® Discussions

Alert does not fire after changing collection method from syslog to SQL ODBC for Symantec Endpoint

RSA enVision^® Discussions