Please excuse me, this is my first post and I'm an ESM n00b. I'll do my best to supply all the information that's required. In a nutshell (for some rules), there is more information in the syslog packet than ESM is parsing for the Symantec Endpoint Protection data source. I feel I could do a better job parsing this syslog than what I'm currently seeing. I've embarked down the path of creating my first ASP rule. I've tested it under its own data source, but when I try to add the rule to an existing data source, I don't get events.
Perhaps it's a policy thing? I'm not confident on policy settings. I appreciate any help!
The current rule (Virus found) does not parse: Actual Action: Cleaned by deletion
DEFAULT POLICY >>
DEFAULT POLICY >> SEP POLICY >>
DEFAULT POLICY >> SEP POLICY >> DEVICE
Q1) Do I need to go to "operations>>rollout" while on DEFAULT POLICY, and on DEFAULT POLICY >> SEP POLICY, and on DEFAULT POLICY >> SEP POLICY >> DEVICE?
I ended up doing this step "operations>>rollout" 3 separate times.
Q2) IF I only want the rule to fire for logs coming from a single device, should the rule be enabled/disabled as follows:
disabled - DEFAULT POLICY,
disabled - DEFAULT POLICY >> SEP POLICY,
enabled - DEFAULT POLICY >> SEP POLICY >> DEVICE.
I created the following file and uploaded it to the device (SWMN00XB08074 SEP) data source. I went to "GET EVENTS" and then refreshed the default Summary view, and the events didn't appear.
I then created a dummy data source called (DummyTestParser). I placed the device into DEFAULT POLICY >> SEP POLICY.
I then uploaded this to the (DummyTestParser) data source. I went to "GET EVENTS" and then refreshed, and the test events appeared.
Q3) Why can I not get the rule to fire for the device (SWMN00XB08074 SEP) data source?
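The field the poster wants out of the SEP syslog ("Actual action: Cleaned by deletion") is one of the comma-separated "Key: Value" pairs that SEP writes after the event name. The following is an added example, not code from the original post and not an ESM ASP rule: a plain Python parser that pulls those pairs out of a constructed SEP-style "Security risk found" line, so you can check which fields a custom rule should be capturing before writing the ASP regex. The sample line, the relay host name `sepm01`, the timestamp and the risk details are made up; the message layout (syslog header, `SymantecServer:` tag, then `server,event type,Key: Value,...`) is an assumption about the SEP format.

```python
import re

# Constructed sample line in the style of a SEP "Security risk found" syslog event
# (not a message captured from the poster's environment); the values are made up.
SAMPLE = (
    "Mar  1 10:15:32 sepm01 SymantecServer: SWMN00XB08074,Security risk found,"
    "IP Address: 10.0.0.5,Computer name: SWMN00XB08074,Source: Real Time Scan,"
    "Risk name: EICAR Test String,Occurrences: 1,File path: C:\\temp\\eicar.com,"
    "Actual action: Cleaned by deletion,Requested action: Cleaned"
)

# Syslog header up to the "SymantecServer:" tag; everything after it is the SEP message body.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) SymantecServer: (?P<body>.*)$"
)


def parse_sep_event(line):
    """Return a dict of the fixed fields plus every 'Key: Value' pair in the body,
    or None when the line is not a SymantecServer syslog message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split(",")
    if len(parts) < 2:
        return None
    event = {
        "timestamp": m.group("ts"),
        "relay": m.group("relay"),
        "server": parts[0].strip(),
        "event_type": parts[1].strip(),
    }
    for field in parts[2:]:
        # Split on the first ": " only, so a value such as a Windows path keeps its own colon.
        key, sep, value = field.partition(": ")
        if sep:  # only well-formed "Key: Value" pairs become fields
            event[key.strip()] = value.strip()
    return event


def actual_action(line):
    """Convenience accessor for the field the poster is missing in ESM."""
    event = parse_sep_event(line)
    return event.get("Actual action") if event else None


if __name__ == "__main__":
    for key, value in parse_sep_event(SAMPLE).items():
        print(f"{key}: {value}")
    print(actual_action(SAMPLE))  # Cleaned by deletion
```

Running it lists every field SEP put in the line, which is a quick way to compare against what the built-in ESM rule surfaces. One caveat worth carrying into the ASP rule: the split on commas assumes no value contains a comma (a file path or risk name with a comma would be cut in two), so anchor the production regex on the literal key names rather than on field position.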