MS Security Essentials & Envision Logging
Long shot but here goes...
We are an Enterprise using SEP 12. A number of critical servers had problems with SEP, so the decision was made to move to an unmanaged, non-enterprise AV platform, MS Security Essentials.
I want to at least have assurance that the AV is being updated, so I want to create an enVision report to accomplish this. I've added the impacted servers and can see Microsoft Antimalware references if I run an Event Viewer Message View and filter on this. I see all references to Microsoft Antimalware here. I've added a sample below.
|xx.xx.xx.xx||%NICWIN-4-System_2001_Microsoft: System,rn=6007 cid=0x00000000 eid=0x000007d1,Mon Jul 15 22:11:01 2013,2001,Microsoft Antimalware,None,Error,Servername,None,,Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version:%b Previous Signature Version:%b1.153.1309.0 Update Source:%bMicrosoft Update Server Update Stage:%bSearch Source Path:%bhttp://www.microsoft.com Signature Type:%bAntiVirus Update Type:%bFull User:%bNT AUTHORITY \\SYSTEM Current Engine Version:%b Previous Engine Version:%b1.1.9607.0 Error code:%b0x80072efd Error description:%bA connection with the server could not be established|
When I try and create a new Query I cannot find any of the Microsoft Antimalware references when running it under the 'Windows' table. Is there any other location that I should be looking for this information? I'm hoping someone else has come across this problem before.
Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility. Questions written to the users' own "Discussions" space don't get the same amount of attention and questions can go unanswered for a long time.
You can do so by selecting "Move" under ACTIONS along the upper-right. Then search for and select: "RSA enVision" which would be the most relevant for this question.
From what I can tell it does not look like enVision will be parsing this event properly. If you go into System Configuration -> Manage Messages and search for Security_2001_Microsoft in the Windows table, it does not show up.
That being said, you can still get the information on this if you are familiar with the Event Source Integrator tool. As it is likely parsing the event through the header, you would just need to define the rest of the message.
This seems like the reason you are not seeing it in the query but are seeing it in the event viewer. If you have been able to complete the ESI, you will just need to save the xml file back to ~/etc/devices then restart the collector service.
Hope this helps!
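As an added example (not code from this thread, nor RSA's own ESI parser), the Python below splits the event pasted in the question the same way the reply describes: the %NICWIN header, the fixed comma-separated Windows columns, and the %b-delimited Antimalware message fields, then flags a failed signature update. The field names are the ones visible in the sample; the header layout is assumed from that single line.

```python
import re
from datetime import datetime

# Constructed sample: the event line pasted in the question above, unchanged.
SAMPLE = (
    r"|xx.xx.xx.xx||%NICWIN-4-System_2001_Microsoft: System,rn=6007 cid=0x00000000 "
    r"eid=0x000007d1,Mon Jul 15 22:11:01 2013,2001,Microsoft Antimalware,None,Error,"
    r"Servername,None,,Microsoft Antimalware has encountered an error trying to update "
    r"signatures. New Signature Version:%b Previous Signature Version:%b1.153.1309.0 "
    r"Update Source:%bMicrosoft Update Server Update Stage:%bSearch Source Path:%b"
    r"http://www.microsoft.com Signature Type:%bAntiVirus Update Type:%bFull User:%b"
    r"NT AUTHORITY \\SYSTEM Current Engine Version:%b Previous Engine Version:%b1.1.9607.0 "
    r"Error code:%b0x80072efd Error description:%bA connection with the server could not be established|"
)

# Assumed header layout: |collector-ip||%NICWIN-<sev>-<log>_<eventid>_<vendor>: <body>|
HEADER = re.compile(r"^\|(?P<ip>[^|]*)\|\|%NICWIN-(?P<sev>\d)-(?P<log>\w+)_(?P<eid>\d+)_"
                    r"(?P<vendor>\w+): (?P<body>.*)\|$")

# Field names seen in the Antimalware 2001 message; each value follows "<name>:%b"
KEYS = ["New Signature Version", "Previous Signature Version", "Update Source", "Update Stage",
        "Source Path", "Signature Type", "Update Type", "User", "Current Engine Version",
        "Previous Engine Version", "Error code", "Error description"]
ALT = "|".join(KEYS)
# Non-greedy value that stops at the next known key (or end of message), so values may contain spaces.
FIELD = re.compile(rf"(?P<key>{ALT}):%b(?P<val>.*?)(?= (?:{ALT}):%b|$)")


def parse_antimalware_event(line):
    # Returns None for lines that do not carry the expected enVision header.
    m = HEADER.match(line.strip())
    if not m:
        return None
    head = m.groupdict()
    cols = head.pop("body").split(",", 10)  # 10 fixed Windows columns, then the free-text message
    if len(cols) < 11:
        return None
    msg = cols[10]
    first = FIELD.search(msg)
    fields = {f.group("key"): f.group("val").strip() for f in FIELD.finditer(msg)}
    return {"collector": head["ip"], "event_id": int(cols[3]), "source": cols[4],
            "level": cols[6], "host": cols[7],
            "time": datetime.strptime(cols[2], "%a %b %d %H:%M:%S %Y"),
            "summary": msg[: first.start()].strip() if first else msg.strip(),
            "fields": fields}


def signature_update_failed(event):
    # Event 2001 from Microsoft Antimalware with an error code means the signature update did not complete.
    return (event is not None and event["event_id"] == 2001
            and event["source"] == "Microsoft Antimalware"
            and bool(event["fields"].get("Error code")))
```

Running the parser over the collected Antimalware events and reporting hosts whose latest event satisfies signature_update_failed gives the "is AV being updated" check the question asks for.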