SEP11 Scan Logs
by dwarfsoft on Mar.03, 2011, under Scripting, Tweet, Work
I will start out by simply stating how much I HATE SEP11, and how it handles client scan logs. For some reason there is NO way of getting a client scan log out of the Central Management Console. The whole point of Central Management is being able to … manage CENTRALLY.
Anyway, enough rant. I wrote a batch file to pull the latest (or a specified) log file from a list of servers (one server name per line in a file called Servers.txt). Source:
@echo off
REM Pull SEP11 client logs from every server listed (one name per line) in Servers.txt,
REM reading them over the C$ admin share with the credentials of whoever runs this.
REM No argument: take the newest .log on each server. With an argument, take that log
REM name from every server, for example 02262011.log.
REM The path below is the XP/2003 layout. On Vista/2008 and later the All Users
REM profile data lives under C:\ProgramData, so adjust both paths accordingly.
setlocal
if not exist "SEP11Logs" mkdir SEP11Logs
for /f "tokens=*" %%A in (Servers.txt) do (
    if /i "%~1" equ "" (
        call :GetLatestLog "%%A"
        REM %%_LogFile%% becomes %_LogFile% on the first parse and is expanded again when
        REM CALL re-parses the line, so the value set in :GetLatestLog is seen here.
        if defined _LogFile call :CopyLog "%%A" "%%_LogFile%%"
    ) else (
        call :CopyLog "%%A" "%~1"
    )
)
goto :EOF

:GetLatestLog
REM dir /o:-d lists newest first, so the first line of output wins.
REM Clear the previous server's name first, so an unreachable server is skipped
REM instead of the previous server's log name being copied from it.
set _LogFile=
set _ServerName=%~1
for /f "tokens=* delims=" %%B in ('dir "\\%_ServerName%\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\*.log" /b /o:-d') do (
    set _LogFile=%%B
    echo Logfile on %_ServerName% is %%B
    goto :EOF
)
goto :EOF

:CopyLog
echo Copying "%~2" on "%~1"
copy /Y "\\%~1\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\%~2" "SEP11Logs\%~1-%~2"
goto :EOF
This script goes through the list of servers, copies the logs into a folder called SEP11Logs and renames them to “<ServerName>-<Logname>”, so they come out as something like “SERVER-02262011.log”.
Once I received the logs I was then struck with a problem of not being able to easily determine the date and time of each finding. After a short search I managed to track down a description of the SEP11 log file format. I wrote a quick and [very] dirty script to add a little more detail to the original log.
' See http://www.symantec.com/business/support/index?page=content&id=TECH100099&locale=en_US
' Usage: cscript <this script>.vbs <folder>   (the folder holding the copied SEP11 .log files)
Option Explicit

Const ForReading = 1

Dim fso, sFolder, oFile
Set fso = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count = 0 Then
    WScript.Echo "No Folder parameter was passed"
    WScript.Quit 1
End If
sFolder = WScript.Arguments.Item(0)
If Not fso.FolderExists(sFolder) Then
    WScript.Echo "Folder not found: " & sFolder
    WScript.Quit 1
End If

' Only touch .log files, so the .csv files written by an earlier run are not read back in
For Each oFile In fso.GetFolder(sFolder).Files
    If LCase(fso.GetExtensionName(oFile.Name)) = "log" Then ConvertLog oFile.Path
Next

Sub ConvertLog(sPath)
    Dim LogFile, LogFileCsv, line, Splt, outline, i
    Dim hDate, hTime, hEvent, hCategory, hAction, hAction2, hAction3
    Set LogFile = fso.OpenTextFile(sPath, ForReading)
    Set LogFileCsv = fso.CreateTextFile(sPath & ".csv", True)
    Do While Not LogFile.AtEndOfStream
        line = LogFile.ReadLine
        Splt = Split(line, ",")
        ' A record has at least the 11 fields decoded below; skip blank or truncated lines
        If UBound(Splt) >= 10 Then
            DecodeTime Splt(0), hDate, hTime
            hEvent = EventName(Splt(1))
            hCategory = CategoryName(Splt(2))
            hAction = ActionName(Splt(8))     ' wanted action 1
            hAction2 = ActionName(Splt(9))    ' wanted action 2
            hAction3 = ActionName(Splt(10))   ' real action
            ' Output: date, time, then each coded field followed by its name, then the rest
            ' of the record unchanged: Logger, Computer, User, Virus, File, and from field 12
            ' on Virus Type, Flags, Description, Scan ID, New Ext, Group ID, Event Data
            ' (CSV column 24, column X in Excel), Quarantine ID, Virus ID, Quarantine Status,
            ' Access and whatever follows.
            outline = hDate & "," & hTime & "," & Splt(1) & "," & hEvent & "," & Splt(2) & "," & hCategory
            outline = outline & "," & Splt(3) & "," & Splt(4) & "," & Splt(5) & "," & Splt(6) & "," & Splt(7)
            outline = outline & "," & Splt(8) & "," & hAction & "," & Splt(9) & "," & hAction2
            outline = outline & "," & Splt(10) & "," & hAction3
            For i = 11 To UBound(Splt)
                outline = outline & "," & Splt(i)
            Next
            LogFileCsv.WriteLine outline
        End If
    Loop
    LogFileCsv.Close
    LogFile.Close
End Sub

' The time field is six bytes written as 12 hex digits, YY MM DD HH mm SS, where YY is
' years since 1970 and MM counts from 0, so "29011A0E2A1F" is 2011-02-26 14:42:31.
Sub DecodeTime(sHex, ByRef sDate, ByRef sTime)
    Dim yr, mo, dy, hr, mn, sc
    If Len(sHex) < 12 Then
        sDate = sHex   ' not a timestamp; pass it through so the record is not lost
        sTime = ""
        Exit Sub
    End If
    yr = 1970 + CLng("&H" & Mid(sHex, 1, 2))
    mo = CLng("&H" & Mid(sHex, 3, 2)) + 1
    dy = CLng("&H" & Mid(sHex, 5, 2))
    hr = CLng("&H" & Mid(sHex, 7, 2))
    mn = CLng("&H" & Mid(sHex, 9, 2))
    sc = CLng("&H" & Mid(sHex, 11, 2))
    sDate = Right("0000" & yr, 4) & "-" & Right("00" & mo, 2) & "-" & Right("00" & dy, 2)
    sTime = Right("00" & hr, 2) & ":" & Right("00" & mn, 2) & ":" & Right("00" & sc, 2)
End Sub

' One table for wanted action 1, wanted action 2 and real action. The first two only
' ever carried codes 1 to 6 in the original; codes 7 to 13 only appear as real actions.
Function ActionName(code)
    ActionName = "Unknown Action"
    If Not IsNumeric(code) Then Exit Function
    Select Case CLng(code)
        Case 1:  ActionName = "Quarantine"
        Case 2:  ActionName = "Rename"
        Case 3:  ActionName = "Delete"
        Case 4:  ActionName = "Leave Alone"
        Case 5:  ActionName = "Clean File"
        Case 6:  ActionName = "Clean Macros"
        Case 7:  ActionName = "Saved file as..."
        Case 8:  ActionName = "Sent to Intel (AMS)"
        Case 9:  ActionName = "Moved to backup location"
        Case 10: ActionName = "Renamed backup file"
        Case 11: ActionName = "Undo action in Quarantine View"
        Case 12: ActionName = "Write protected or lack of permissions - Unable to act on file"
        Case 13: ActionName = "Backed up file"
    End Select
End Function

Function CategoryName(code)
    CategoryName = ""
    If Not IsNumeric(code) Then Exit Function
    Select Case CLng(code)
        Case 1: CategoryName = "GL_CAT_INFECTION"
        Case 2: CategoryName = "GL_CAT_SUMMARY"
        Case 3: CategoryName = "GL_CAT_PATTERN"
        Case 4: CategoryName = "GL_CAT_SECURITY"
    End Select
End Function

' Unknown codes now give an empty name; the original left the previous line's name in
' place because hEvent was never reset. There is no entry for 15 in the list.
Function EventName(code)
    EventName = ""
    If Not IsNumeric(code) Then Exit Function
    Select Case CLng(code)
        Case 1:  EventName = "GL_EVENT_IS_ALERT"
        Case 2:  EventName = "GL_EVENT_SCAN_STOP"
        Case 3:  EventName = "GL_EVENT_SCAN_START"
        Case 4:  EventName = "GL_EVENT_PATTERN_UPDATE"
        Case 5:  EventName = "GL_EVENT_INFECTION"
        Case 6:  EventName = "GL_EVENT_FILE_NOT_OPEN"
        Case 7:  EventName = "GL_EVENT_LOAD_PATTERN"
        Case 8:  EventName = "//GL_STD_MESSAGE_INFO NOT USED"
        Case 9:  EventName = "//GL_STD_MESSAGE_ERROR NOT USED"
        Case 10: EventName = "GL_EVENT_CHECKSUM"
        Case 11: EventName = "GL_EVENT_TRAP"
        Case 12: EventName = "GL_EVENT_CONFIG_CHANGE"
        Case 13: EventName = "GL_EVENT_SHUTDOWN"
        Case 14: EventName = "GL_EVENT_STARTUP"
        Case 16: EventName = "GL_EVENT_PATTERN_DOWNLOAD"
        Case 17: EventName = "GL_EVENT_TOO_MANY_VIRUSES"
        Case 18: EventName = "GL_EVENT_FWD_TO_QSERVER"
        Case 19: EventName = "GL_EVENT_SCANDLVR"
        Case 20: EventName = "GL_EVENT_BACKUP"
        Case 21: EventName = "GL_EVENT_SCAN_ABORT"
        Case 22: EventName = "GL_EVENT_RTS_LOAD_ERROR"
        Case 23: EventName = "GL_EVENT_RTS_LOAD"
        Case 24: EventName = "GL_EVENT_RTS_UNLOAD"
        Case 25: EventName = "GL_EVENT_REMOVE_CLIENT"
        Case 26: EventName = "GL_EVENT_SCAN_DELAYED"
        Case 27: EventName = "GL_EVENT_SCAN_RESTART"
        Case 28: EventName = "GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER"
        Case 29: EventName = "GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER"
        Case 30: EventName = "GL_EVENT_LICENSE_WARNING"
        Case 31: EventName = "GL_EVENT_LICENSE_ERROR"
        Case 32: EventName = "GL_EVENT_LICENSE_GRACE"
        Case 33: EventName = "GL_EVENT_UNAUTHORIZED_COMM"
        Case 34: EventName = "GL_EVENT_LOG_FWD_THRD_ERR"
        Case 35: EventName = "GL_EVENT_LICENSE_INSTALLED"
        Case 36: EventName = "GL_EVENT_LICENSE_ALLOCATED"
        Case 37: EventName = "GL_EVENT_LICENSE_OK"
        Case 38: EventName = "GL_EVENT_LICENSE_DEALLOCATED"
        Case 39: EventName = "GL_EVENT_BAD_DEFS_ROLLBACK"
        Case 40: EventName = "GL_EVENT_BAD_DEFS_UNPROTECTED"
        Case 41: EventName = "GL_EVENT_SAV_PROVIDER_PARSING_ERROR"
        Case 42: EventName = "GL_EVENT_RTS_ERROR"
        Case 43: EventName = "GL_EVENT_COMPLIANCE_FAIL"
        Case 44: EventName = "GL_EVENT_COMPLIANCE_SUCCESS"
        Case 45: EventName = "GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION"
        Case 46: EventName = "GL_EVENT_ANOMALY_START"
        Case 47: EventName = "GL_EVENT_DETECTION_ACTION_TAKEN"
        Case 48: EventName = "GL_EVENT_REMEDIATION_ACTION_PENDING"
        Case 49: EventName = "GL_EVENT_REMEDIATION_ACTION_FAILED"
        Case 50: EventName = "GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL"
        Case 51: EventName = "GL_EVENT_ANOMALY_FINISH"
        Case 52: EventName = "GL_EVENT_COMMS_LOGIN_FAILED"
        Case 53: EventName = "GL_EVENT_COMMS_LOGIN_SUCCESS"
        Case 54: EventName = "GL_EVENT_COMMS_UNAUTHORIZED_COMM"
        Case 55: EventName = "GL_EVENT_CLIENT_INSTALL_AV"
        Case 56: EventName = "GL_EVENT_CLIENT_INSTALL_FW"
        Case 57: EventName = "GL_EVENT_CLIENT_UNINSTALL"
        Case 58: EventName = "GL_EVENT_CLIENT_UNINSTALL_ROLLBACK"
        Case 59: EventName = "GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE"
        Case 60: EventName = "GL_EVENT_COMMS_SERVER_CERT_ISSUE"
        Case 61: EventName = "GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE"
        Case 62: EventName = "GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED"
        Case 63: EventName = "GL_EVENT_CLIENT_CHECKIN"
        Case 64: EventName = "GL_EVENT_CLIENT_NO_CHECKIN"
        Case 65: EventName = "GL_EVENT_SCAN_SUSPENDED"
        Case 66: EventName = "GL_EVENT_SCAN_RESUMED"
        Case 67: EventName = "GL_EVENT_SCAN_DURATION_INSUFFICIENT"
        Case 68: EventName = "GL_EVENT_CLIENT_MOVE"
        Case 69: EventName = "GL_EVENT_SCAN_FAILED_ENHANCED"
        Case 70: EventName = "GL_EVENT_MAX_EVENT_NUMBER"
        Case 71: EventName = "GL_EVENT_HEUR_THREAT_NOW_WHITELISTED"
        Case 72: EventName = "GL_EVENT_INTERESTING_PROCESS_DETECTED_START"
        Case 73: EventName = "GL_EVENT_LOAD_ERROR_COH"
        Case 74: EventName = "GL_EVENT_LOAD_ERROR_SYKNAPPS"
        Case 75: EventName = "GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH"
        Case 76: EventName = "GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS"
        Case 77: EventName = "GL_EVENT_HEUR_THREAT_NOW_KNOWN"
    End Select
End Function
I know, not exactly brimming with comments. I leave this code here, as is. Worked for me… Just take note that in these logs there are a lot of files that get picked up with all 3 actions listed as “Leave Alone” but (if opened in Excel) under column X it lists a File Remediation and a Delete action. The log file format is abysmal and the above linked description of the format does not accurately explain the remediation information… I have as yet been unable to determine which field of the description the remediation is supposed to be in.
So, run the batch file to copy the logs into the SEP11Logs folder, then run the VBScript with the path to SEP11Logs; it will create a copy of each log file with a .csv extension that has a bit more information.
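As an added example (not code from the original post, and not Symantec's), here is the same two-step procedure in Python: pick the newest .log below each server's admin share, then decode the hex timestamp and the event, category and action codes into a CSV. The server name, the ProgramData path for Vista/2008 and later, and the two log lines are constructed or assumed for the example, and the event table is cut down to the codes the sample uses (the VBScript above has the full list).

```python
"""Added example, not code from the original post: the same collect-then-
decode procedure in Python. The server name, the share layout under the
temp directory and the log lines below are constructed for the example."""
import csv
import os
import shutil
import tempfile
from datetime import datetime

# Logs folder below a server's C$ share. The first is the XP/2003 layout the
# post uses; the ProgramData one is assumed here for Vista/2008 and later.
LOG_DIRS = (
    ("Documents and Settings", "All Users", "Application Data",
     "Symantec", "Symantec Endpoint Protection", "Logs"),
    ("ProgramData", "Symantec", "Symantec Endpoint Protection", "Logs"),
)
# Code tables as transcribed in the post's VBScript (events: only the codes
# used by the constructed sample; the post's script carries the full list).
EVENT_NAMES = {2: "GL_EVENT_SCAN_STOP", 3: "GL_EVENT_SCAN_START", 5: "GL_EVENT_INFECTION"}
CATEGORY_NAMES = {1: "GL_CAT_INFECTION", 2: "GL_CAT_SUMMARY",
                  3: "GL_CAT_PATTERN", 4: "GL_CAT_SECURITY"}
ACTION_NAMES = {1: "Quarantine", 2: "Rename", 3: "Delete", 4: "Leave Alone",
                5: "Clean File", 6: "Clean Macros", 7: "Saved file as...",
                8: "Sent to Intel (AMS)", 9: "Moved to backup location",
                10: "Renamed backup file", 11: "Undo action in Quarantine View",
                12: "Write protected or lack of permissions - Unable to act on file",
                13: "Backed up file"}
COLUMNS = ["date", "time", "event", "category", "logger", "computer", "user",
           "virus", "file", "wanted_action_1", "wanted_action_2", "real_action"]


def decode_sep_time(field):
    """Six bytes as 12 hex digits, YY MM DD HH mm SS: YY is years since 1970,
    MM is zero-based. '29011A0E2A1F' -> 2011-02-26 14:42:31."""
    if len(field) != 12:
        raise ValueError("bad timestamp field: %r" % field)
    yy, mo, dd, hh, mi, ss = (int(field[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mo + 1, dd, hh, mi, ss)


def _lookup(table, code):
    """Name for a numeric code; empty or non-numeric fields pass through as-is."""
    return table.get(int(code), "Unknown (%s)" % code) if code.isdigit() else code


def parse_line(line):
    """Decode the first 11 fields of one record; None for a blank/garbage line."""
    f = line.rstrip("\r\n").split(",")
    try:
        ts = decode_sep_time(f[0])
    except ValueError:
        return None
    if len(f) < 11:
        return None
    return {
        "date": ts.strftime("%Y-%m-%d"), "time": ts.strftime("%H:%M:%S"),
        "event": _lookup(EVENT_NAMES, f[1]), "category": _lookup(CATEGORY_NAMES, f[2]),
        "logger": f[3], "computer": f[4], "user": f[5], "virus": f[6], "file": f[7],
        "wanted_action_1": _lookup(ACTION_NAMES, f[8]),
        "wanted_action_2": _lookup(ACTION_NAMES, f[9]),
        "real_action": _lookup(ACTION_NAMES, f[10]),
        "rest": f[11:],  # fields 12 onward pass through undecoded
    }


def convert_log(path):
    """Write <path>.csv: decoded columns, then the raw remainder of each record."""
    rows = []
    with open(path) as src, open(path + ".csv", "w", newline="") as out:
        w = csv.writer(out)
        w.writerow(COLUMNS + ["raw_fields_12_onward"])
        for line in src:
            rec = parse_line(line)
            if rec:
                w.writerow([rec[c] for c in COLUMNS] + rec["rest"])
                rows.append(rec)
    return rows


def newest_log(share_root):
    """Newest *.log by mtime (what dir /o:-d sorts on) in the first Logs dir found."""
    for parts in LOG_DIRS:
        d = os.path.join(share_root, *parts)
        if os.path.isdir(d):
            logs = [os.path.join(d, n) for n in os.listdir(d) if n.lower().endswith(".log")]
            if logs:
                return max(logs, key=os.path.getmtime)
    return None


def collect(servers, dest, share_root=lambda s: r"\\%s\C$" % s):
    """Copy each server's newest log to dest as <Server>-<Logname>; returns the copies."""
    os.makedirs(dest, exist_ok=True)
    copied = []
    for server in servers:
        src = newest_log(share_root(server))
        if src is None:
            continue  # share unreachable or no Logs folder: skip, never reuse a stale name
        dst = os.path.join(dest, "%s-%s" % (server, os.path.basename(src)))
        shutil.copy2(src, dst)
        copied.append(dst)
    return copied


# Constructed sample records (not real SEP output): a scan start, then an
# infection whose wanted actions were Quarantine then Delete.
SAMPLE_LINES = [
    "29011A0E2A00,3,2,1,SERVER01,SYSTEM,,,,,,0,0,Scan started,1,,,,,,,",
    "29011A0E2A1F,5,1,1,SERVER01,SYSTEM,EICAR Test String,C:\\Temp\\eicar.com,1,3,1,"
    "1,0,Quarantined,1,,,,,,,",
]


def demo():
    """Fake one server's C$ share in a temp dir, collect its newest log, convert it."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "SERVER01_C")
    logdir = os.path.join(share, *LOG_DIRS[1])
    os.makedirs(logdir)
    for name, mtime, lines in (("02252011.log", 1000000, SAMPLE_LINES[:1]),
                               ("02262011.log", 2000000, SAMPLE_LINES)):
        path = os.path.join(logdir, name)
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        os.utime(path, (mtime, mtime))
    copied = collect(["SERVER01"], os.path.join(base, "SEP11Logs"), lambda s: share)
    return {"copied": [os.path.basename(p) for p in copied], "rows": convert_log(copied[0])}


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row["date"], row["time"], row["event"], row["real_action"], row["file"])
```

Run as-is, demo() builds a fake share in a temp directory. For a real run call collect(servers, "SEP11Logs") with the names from Servers.txt; like the batch file it reaches every host over C$ with the caller's credentials, so the account running it needs local administrator rights on each server in the list, which is a good reason to run it from a dedicated admin account rather than a day-to-day one.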
Enjoy.
Cheers, Chris.