AnsweredAssumed Answered

Problem with Symantec AV and secure ACSevents parsing

Question asked by RSA Admin Employee on Apr 2, 2014
Latest reply on Apr 3, 2014 by RSA Admin

We have forwarded Symantec AV and cisco secure ACS logs from RSA envision to RSA security SA decoder through Z connector. Both devices logs are captured in RSA SA and also discover devices in RSA SA successfully.


But logs are not getting parsed properly. Below I am given raw log and meta value for both device type.


Like for Symantec AV , RSA SA is not parsing infected file and actual action filed, marked in RED.


Symantec AV  Log


Apr 1 17:05:39 SymantecServer YYYYYYY: Virus found,IP Address: X.X.X.X,Computer name:YYYYYYYYY,Source: Real Time Scan,Risk name: Backdoor.Graybird,Occurrences: 1,C:\ArunSingh\Software\CorelDRAW Graphics Suite X6\Keygen-CORE\keygen.exe,"",Actual action: Details pending,Requested action: Deleted,Secondary action: Left alone,Event time: 2014-04-01 11:34:31,Inserted: 2014-04-01 11:35:39,End: 2014-04-01 11:34:31,Last update time: 2014-04-01 11:35:39,Domain: Default1,Group: My Company\ROOT\WORKSTATIONS\STPI\NKP,Server: XXXXXXX,User: YYYYYY,Sourcecomputer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version:





Parsed META:



sessionid             =     14351751319

time                  =     2014-04-01T17:18:19.0

size                  =     1070

medium                =     32

device.type           =     "symantecav"

device.class          =     "Anti Virus"             =      "0016"

ip.addr               =                  =      "INMUMNKPSTL3701"

event.source          =      "Real Time Scan"

virusname             =       "Backdoor.Graybird"

action                =       "Deleted"

group                 =        "My Company\ROOT\WORKSTATIONS\STPI\NKP"            =     " "

user.dst              =     " "

dclass.c1.str         =     "Occurences"

ec.activity           =     "Detect"

ec.subject            =     "Virus"

ec.theme              =   "TEV"

endtime               =   2014-04-01T17:04:31.0

event.desc            =    "Virus found"

event.time            =     2014-04-01T17:04:31.0                =     "Viru:10"       =     "Attacks.Malicious Code.Virus"

forward.ip           =              

device.ip            =       

kindly help me