Security Log File Format

The security log for SEP can be found at the following location:

Field Type Size Description
Log Type hex 8 Always 00000001
Max Log Size hex 8 Maximum log file size in bytes
Unknown hex 8 ?
Number of Entries hex 8 Number of entries in log
Unknown hex 8 ?
Running Total Entries hex 16 Total number of events generated
Max Log Days hex 8 Maximun days to save log entries

Log Entries

The log is in TSV format, meaning, each field is separated by a tab character.

Field Type Size Description
Entry Length hex 8 Length of log entry
Date and Time Windows: 64 bit Hex Value - Big Endian 16 The time of the generated event (GMT).
Event ID hex 8 Compliance events:
209 = Host Integrity failed.
210 = Host Integrity passed.
221 = Host Integrity failed, but reported as passed.
237 = Host Integrity custom log entry.

Firewall and IPS events:
201 = Invalid traffic by rule. *
202 = Port scan. *
203 = Denial of service. *
204 = Trojan. *
205 = Executable file was changed. *
206 = Intrusion Prevention System Intrusion was detected. *
207 = Active Response.
208 = MAC spoofing. *
211 = Active Response was disengaged.
216 = Executable file change was detected.
217 = Executable file change was accepted.
218 = Executable file change was denied.
219 = Active Response was cancelled. *
220 = Application hijacking.
249 = Browser Protection event.

Application and Device control:
238 = Device control disabled the device.
239 = Buffer Overflow event.
240 = Software protection has thrown an exception.
241 = Not used. *
242 = Device control enabled the device. *

Memory Exploit Mitigation events: *
250 = Memory Exploit Mitigation blocked an event. *
251 = Memory Exploit Mitigation allowed an event. *
Severity hex 8 The severity as defined in the security rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
Local Host hex 8 The IP address of the local computer (IPv4).
Remote Host hex 8 The IP address of the remote computer (IPv4).
Protocol hex 8 The protocol type. (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
Hack Type hex 8 If event ID = 209, Host Integrity failed (TSLOG_SEC_NO_AV), the reason for the failure
If Event ID = 206, Intrusion Prevention System( Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED), the intrusion ID
If event ID = 210, Host Integrity passed( TSLOG_SEC_AV), additional information

Possible reasons are as follows:

Process is not running - Bit0 is 1
Signature is out of date - Bit1 is 1
Recovery was attempted - Bit2 is 1
Direction hex 8 The direction of traffic. (Unknown = 0; inbound = 1; outbound = 2)
Begin Time Windows: 64 bit Hex Value - Big Endian 16 The start time of the security issue.
End Time Windows: 64 bit Hex Value - Big Endian 16 The end time of the security issue. This field is an optional field
because the exact end time of traffic may not be detected; for example,
as with UDP traffic. If the end time is not detected, it is set to equal the
start time.
Occurences hex 8 The number of attacks. Sometime, when a hacker launches a mass
attack, it may be reduced to one event by the log system, depending
on the damper period.
Log Data Size hex 8
Description nvarchar 4000 Description of the event. Usually, the first line of the description is
treated as the summary.
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Application nvarchar 512 The full path of the application involved. This field may be empty if
an unknown application is involved, or no application is involved. For
example, the ping of death DoS attack does not have an application
name because it attacks the OS itself.
Log Data varbinary 3000 Additional data in binary format. This field is optional.
Local MAC binary 32 The MAC address of the local computer.
Remote MAC binary 32 The MAC address of the remote computer.
Location nvarchar 512 The location used when the event occured.
User nvarchar 512 The logon user name.
User Domain nvarchar 512 The logon domain name.
Signature ID hex 8 The signature ID.
Signature Sub ID hex 8 The signature sub ID.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Remote Port hex 8 The remote port.
Local Port hex 8 The local port.
Local Host IPV6 hex 32 The IP address of the local computer (IPv6).
Remote Host IPV6 hex 32 The IP address of the remote computer (IPv6).
Signature Name nvarchar 520 The signature name.
X Intrusion Payload nvarchar 4200 The URL that hosted the payload.
Intrusion URL nvarchar 4200 The URL from the detection
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Symantec Version Number nvarchar 128 The agent version number on the client.
Profile Serial Number varchar 64 The policy serial number.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
MD5 Hash char 32 The MD5 hash value.
SHA-256 Hash char 64 The SHA-256 hash value.
URL_HID_LEVEL hex 8 Added for future release. Not used now.
URL_RISK_SCORE hex 8 Added for future release. Not used now.
URL_CATEGORIES char 64 Comma separated list of numerical values:
1 = Adult/Mature Content
3 = Pornography
4 = Sex Education
5 = Intimate Apparel/Swimsuit
6 = Nudity
7 = Gore/Extreme
9 = Scam/Questionable Legality
11 = Gambling
14 = Violence/Intolerance
15 = Weapons
16 = Abortion
17 = Hacking
18 = Phishing
20 = Entertainment
21 = Business/Economy
22 = Alternative Spirituality/Belief
23 = Alcohol
24 = Tobacco
25 = Controlled Substances
26 = Child Pornography
27 = Education
29 = Charitable/Non-Profit
30 = Art/Culture
31 = Finance
32 = Brokerage/Trading
33 = Games
34 = Government/Legal
35 = Military
36 = Political/Social Advocacy
37 = Health
38 = Technology/Internet
40 = Search Engines/Portals
43 = Malicious Sources/Malnets
44 = Malicious Outbound Data/Botnets
45 = Job Search/Careers
46 = News
47 = Personals/Dating
49 = Reference
50 = Mixed Content/Potentially Adult
51 = Chat (IM)/SMS
52 = Email
53 = Newsgroups/Forums
54 = Religion
55 = Social Networking
56 = File Storage/Sharing
57 = Remote Access
58 = Shopping
59 = Auctions
60 = Real Estate
61 = Society/Daily Living
63 = Personal Sites
64 = Restaurants/Food
65 = Sports/Recreation
66 = Travel
67 = Vehicles
68 = Humor/Jokes
71 = Software Downloads
83 = Peer-to-Peer (P2P)
84 = Audio/Video Clips
85 = Office/Business Applications
86 = Proxy Avoidance
87 = For Kids
88 = Web Ads/Analytics
89 = Web Hosting
90 = Uncategorized
92 = Suspicious
93 = Sexual Expression
95 = Translation
96 = Web Infrastructure
97 = Content Delivery Networks
98 = Placeholders
101 = Spam
102 = Potentially Unwanted Software
103 = Dynamic DNS Host
104 = URL Shorteners
105 = Email Marketing
106 = E-Card/Invitations
107 = Informational
108 = Computer/Information Security
109 = Internet Connected Devices
110 = Internet Telephony
111 = Online Meetings
112 = Media Sharing
113 = Radio/Audio Streams
114 = TV/Video Streams
116 = Cloud Infrastructure
117 = Cryptocurrency
118 = Piracy/Copyright Concerns
121 = Marijuana
124 = Compromised Sites

* SEP14.2.1
† SEP14.3.0.1