Syslog events show Source IP address as 0.0.0.0 when SEPM risk events are forwarded
Last Updated July 05, 2011
Symantec Endpoint Protection (SEP) client risk events show the client source IP address as 0.0.0.0 when SEPM risk events are forwarded to an external syslog server.
- IP address of the machine that experienced the risk event is exported as 0.0.0.0
- The machine name of the client that forwarded the log event is relayed successfully
The IP address in the exported syslog server logs is displayed as 0.0.0.0
The source IP address is populated when a remote attack occurs against a client machine that is configured by policy to use the "Risk Tracer" option. Risk Tracer depends on the Intrusion Prevention System (IPS) feature "Active Response". Both options must be installed and configured correctly for the SEP client to record the remote attacking machine's IP address. The Symantec Endpoint Protection Manager (SEPM) then receives the source IP address forwarded in the SEP client logs. When the SEPM displays the source IP address as 0.0.0.0, it is because the client did not send a source IP address to the SEPM server, for one of the following reasons:
- It could not be determined, or it was masked
- The risk was triggered locally and not by a remote machine
- The source IP address received in the logs was a NULL value. By design, when the SEPM receives a NULL value for this field it populates it with 0.0.0.0 so that the field is not blank.
In RU7 this design was changed: the Symantec Endpoint Protection Manager now displays a NULL value forwarded to it as a blank entry and no longer substitutes 0.0.0.0.
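Because the same "no source address" condition reaches the syslog collector as 0.0.0.0 before RU7 and as an empty field from RU7 onward, any SIEM rule that keys on the source IP of a forwarded risk event must treat both forms as "no remote attacker", otherwise it will either enrich or block 0.0.0.0 or raise on a blank lookup key. The following is an added example of such a normalizer; it is not Symantec code. The sample lines are constructed, and the field names and their order are an assumption made for the example, not a statement of the product's exact syslog format.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines in the general style of SEPM external logging
# (syslog header, then comma-separated "Field: value" pairs). The field names
# and order are an assumption made for this example, not a statement of the
# product's exact format; adjust the parser to the lines your collector stores.
SAMPLE_LINES: List[str] = [
    # Pre-RU7 behaviour: client sent no source IP, SEPM substituted 0.0.0.0.
    "Jul 05 10:00:01 sepm01 SymantecServer: Site: HQ,Server: sepm01,"
    "Domain: Default,Security risk found,Computer name: WS01,"
    "Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,"
    "IP Address: 0.0.0.0,User: jdoe",
    # RU7 behaviour: the same NULL value is forwarded as a blank field.
    "Jul 05 10:00:02 sepm01 SymantecServer: Site: HQ,Server: sepm01,"
    "Domain: Default,Security risk found,Computer name: WS02,"
    "Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,"
    "IP Address: ,User: jdoe",
    # Risk Tracer populated the field: a real remote source is available.
    "Jul 05 10:00:03 sepm01 SymantecServer: Site: HQ,Server: sepm01,"
    "Domain: Default,Security risk found,Computer name: WS03,"
    "Source: Risk Tracer,Risk name: Trojan.Gen,Occurrences: 1,"
    "IP Address: 10.1.2.3,User: SYSTEM",
]

_FIELD = re.compile(r"^([^:]+):\s*(.*)$")


def parse_sepm_risk_event(line: str) -> Dict[str, str]:
    """Split one forwarded risk event into a field dictionary.

    Pieces without a "Key: value" shape (such as the event description) are
    stored under "Event". Values containing commas are not handled; this is a
    deliberate simplification for the example.
    """
    _, _, body = line.partition("SymantecServer: ")
    fields: Dict[str, str] = {}
    for piece in body.split(","):
        m = _FIELD.match(piece)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        else:
            fields.setdefault("Event", piece.strip())
    return fields


def remote_source_ip(fields: Dict[str, str]) -> Optional[str]:
    """Return the attacking host's IP, or None when SEPM had no real value.

    Both the old placeholder 0.0.0.0 and the RU7 blank field mean the client
    sent NULL, so neither is a usable source address. Anything that is not a
    syntactically valid IP address is also treated as absent rather than
    passed downstream as a lookup key.
    """
    raw = fields.get("IP Address", "").strip()
    if raw in ("", "0.0.0.0"):
        return None
    try:
        ipaddress.ip_address(raw)
    except ValueError:
        return None
    return raw


def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Normalize forwarded events into a shape a SIEM rule can act on."""
    results = []
    for line in lines:
        f = parse_sepm_risk_event(line)
        ip = remote_source_ip(f)
        results.append({
            "host": f.get("Computer name"),
            "risk": f.get("Risk name"),
            "remote_ip": ip,
            # Only events with a real source IP justify a remote-attacker
            # workflow (block, pivot to firewall logs); the rest stay local.
            "attribution": "remote" if ip else "local_or_unknown",
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r)
```

Only the third event carries a usable address; the first two are the two ways the NULL value appears and are attributed to the local host. Treating 0.0.0.0 as a real address would also be wrong on a network level, since it is not a routable source.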
Detailed steps to reproduce the issue:
- Install a working syslog server
- Configure external logging in SEPM using the default port (UDP 514)
- Configure the log filter for external logging to include "risk log"
- In SEPM, open the local site properties --> Database tab --> uncheck "delete eicar events"
- Create an EICAR test-file event on a test client managed by SEPM
- The Kiwi Syslog server should now show the event, and the source IP address will be 0.0.0.0
ID: 1939492, 2119243
Imported Document ID: TECH132755