Focus on Virus
RE: Symantec AV reporting metrics. Jun 05 2006 09:20PM
paul murgatroyd org uk (1 replies)
RE: Symantec AV reporting metrics. Jun 09 2006 02:30AM
Serge Vondandamo (serge vondandamo wanadoo fr)
Paul,

Thanks for sharing with me.
My only concern is that since this will be a recurring activity (weekly,
monthly, etc), doing it manually will be a painful task and may end up
missing deadlines due to incorrect data, etc.

I think I will better start thinking about the 10.1 reporting Servers for
automation.

Thanks,
Serge

-----Original Message-----
From: paul (at) murgatroyd.org (dot) uk [email concealed] [mailto:paul (at) murgatroyd.org (dot) uk [email concealed]]
Sent: Monday 5 June 2006 23:21
To: serge.vondandamo (at) wanadoo (dot) fr [email concealed]; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Symantec AV reporting metrics.

Apologies for the delay in replying... I was on my way home!

We have seen customers use many ways to get information out of our log
files; I've seen some quite useful information extracted using Microsoft's
Log Parser tool (and could possibly get hold of some scripts).

What you will need if you want to go the manual route however is this link:
http://service1.symantec.com/SUPPORT/ent-security.nsf/0/57757c1d149130b788256c760069f7f7?OpenDocument

It tells you exactly what the contents of the log file are, what each field
means and how it is stored - the key point is that the date is stored in
hex, and corresponds to the date since 1970.

However, as reporting has been a big concern for a lot of our customers, we
have recently released SAV 10.1 which now includes a Reporter tool which is
also backwards compatible with the previous versions. Before people slate
me for trying to sell more product, if you already have either Gold or
Platinum support, you should be able to get SAV 10.1 for free as part of
your maintenance contract. In order to get Reporting working, you only need
to install the Reporting server onto one server and install agents onto your
remaining Primary servers. (If you only have one Primary, you can still
install the Reporting server onto it without a problem).

In terms of commercially available products, Sawmill have a couple of
modules now for interpreting our log files and they work very well indeed.

There is of course our SSIM product, but for pure AV log monitoring they
really are overkill (and expensive) unless you are talking about a serious
amount of data!

I do hope that helps to some extent, if you have any other questions (I am
sure there will be!) please feel free to ask (or flame!)

p.

-------- Original Message --------
> Return-Path: <serge.vondandamo (at) wanadoo (dot) fr [email concealed]> Mon Jun 05 19:11:24 2006
> Received: from smtp8.wanadoo.fr [193.252.22.23] by padme.x-entiahost.com with SMTP;
> Mon, 5 Jun 2006 19:11:24 +0100
> Received: from cheers (APlessis-Bouchard-153-1-79-4.w86-203.abo.wanadoo.fr [86.203.134.4])
> by mwinf0808.orange.fr (SMTP Server) with ESMTP id CFCF01C0025B;
> Mon, 5 Jun 2006 20:11:18 +0200 (CEST)
> X-ME-UUID: 20060605181118852.CFCF01C0025B (at) mwinf0808.orange (dot) fr [email concealed]
> From: "Serge Vondandamo" <serge.vondandamo (at) wanadoo (dot) fr [email concealed]>
> To: <paul (at) murgatroyd.org (dot) uk [email concealed]>, <focus-virus (at) securityfocus (dot) com [email concealed]>
> Subject: RE: Symantec AV reporting metrics.
> Date: Mon, 5 Jun 2006 20:11:14 +0200
> Message-ID: <005301c688cb$6efeaa80$0a01a8c0@cheers>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0054_01C688DC.32877A80"
> X-Mailer: Microsoft Office Outlook 11
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
> In-Reply-To: <4759c9e52ea24dbbb0350f532d07074d (at) murgatroyd.org (dot) uk [email concealed]>
> Thread-Index: AcaIr+pomVCYtJhRSreuiXaMKrK73AAG2s0g
> X-SmarterMail-Spam: SPF_None
>
> Hi Paul,
>
> Versions 9 and 10.
>
> Thanks,
>
> Serge
>
> _____
>
> From: paul (at) murgatroyd.org (dot) uk [email concealed] [mailto:paul (at) murgatroyd.org (dot) uk [email concealed]]
> Sent: Monday 5 June 2006 16:52
> To: serge.vondandamo (at) wanadoo (dot) fr [email concealed]; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: re: Symantec AV reporting metrics.
>
> what version of SAV are you running?
>
> Depending on version I can give you ideas on several different reporting
> solutions.
>
> I'm not trying to sell our products or services... just want to let you know
> what's available if you don't want to do this the hard way.
>
> Paul Murgatroyd
> Symantec Professional Services
>
> _____
>
> From: "Serge Vondandamo" <serge.vondandamo (at) wanadoo (dot) fr [email concealed]>
> Sent: Monday, June 05, 2006 2:32 PM
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Symantec AV reporting metrics.
>
> All,
>
> I have been tasked to develop Symantec AV reporting metrics.
> The metrics should help provide visual information (graphs, tables, etc.) to
> senior management on a weekly, monthly, quarterly and annual basis per region
> and WW if needed.
>
> I am focusing on providing the following:
>
> - Number of AV clients per region,
> - Number of AV engines, versions, per region,
> - Information on AV defs per region, frequency of updates, versions of AV
> definitions, age of AV definitions (i.e. two weeks old, two months old, very
> old, etc.).
> - Status of AV clients per region - i.e. auto-protect enabled or disabled,
> threat found, old definitions, etc.
> - Any other information that will be useful for the big boss, who is not
> interested in technical data.
>
>
> I am looking for pointers, ideas and suggestions from those who have already
> done so; I will not try to re-invent the wheel ;)
>
> Thanks for your inputs.
>
> Regards,
> Serge Vondandamo, HND, CISSP, CCNA.

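An added example, not code from this thread, from Symantec or from any of the posters, that ties Paul's remark about the hex date field to the metric list in Serge's original message: it decodes a SAV log timestamp into a Python datetime, then rolls a small client inventory up per region into the counts Serge wanted (clients, Auto-Protect disabled, definition age buckets). The byte layout of the timestamp (six hex pairs YY MM DD HH MM SS, with YY = years since 1970 and a zero-based month) is my assumption from the Symantec log-format article Paul links to; the page itself only says "stored in hex, since 1970". The age thresholds, the "timestamp is field 0" rule, and the inventory records are constructed for the demonstration.

```python
from collections import Counter
from datetime import datetime

# Assumed timestamp layout (the thread only says "stored in hex, since 1970"):
# 12 hex digits read as six one-byte values YY MM DD HH MM SS, where
# YY = years since 1970 and MM = month - 1 (January is 00).
def decode_sav_timestamp(field: str) -> datetime:
    """Decode one SAV log timestamp field into a naive datetime."""
    field = field.strip()
    if len(field) != 12:
        raise ValueError(f"expected 12 hex digits, got {field!r}")
    yy, mm, dd, hh, mi, ss = (int(field[i:i + 2], 16) for i in range(0, 12, 2))
    # datetime() rejects out-of-range month/day values, so a corrupt record
    # raises ValueError here instead of producing a silently wrong date.
    return datetime(1970 + yy, mm + 1, dd, hh, mi, ss)


def timestamp_from_log_line(line: str) -> datetime:
    """Assumption: records are comma separated and the timestamp is field 0."""
    return decode_sav_timestamp(line.split(",", 1)[0])


# Bucket names follow Serge's list ("two weeks old, two months old, very old");
# the day thresholds are assumed for the example.
AGE_BUCKETS = ((14, "current"), (60, "two weeks old"), (180, "two months old"))


def definition_age_bucket(defs_time: datetime, as_of: datetime) -> str:
    """Classify a definition-set timestamp by its age on the reporting date."""
    age_days = (as_of.date() - defs_time.date()).days
    for limit, name in AGE_BUCKETS:
        if age_days < limit:
            return name
    return "very old"


def summarize_by_region(inventory, as_of):
    """Per-region counts: clients, Auto-Protect disabled, definition-age buckets."""
    summary = {}
    for client in inventory:
        region = summary.setdefault(
            client["region"],
            {"clients": 0, "autoprotect_disabled": 0, "definition_age": Counter()},
        )
        region["clients"] += 1
        if not client["autoprotect"]:
            region["autoprotect_disabled"] += 1
        bucket = definition_age_bucket(decode_sav_timestamp(client["defs_time"]), as_of)
        region["definition_age"][bucket] += 1
    return summary


# Constructed inventory (one record per client); defs_time uses the same hex
# encoding as the log so the decoder above is exercised on every record.
SAMPLE_INVENTORY = [
    {"region": "EMEA", "computer": "host-a", "defs_time": "240505090000", "autoprotect": True},
    {"region": "EMEA", "computer": "host-b", "defs_time": "240414090000", "autoprotect": False},
    {"region": "AMER", "computer": "host-c", "defs_time": "240208000000", "autoprotect": True},
    {"region": "APAC", "computer": "host-d", "defs_time": "230901000000", "autoprotect": False},
]
AS_OF = datetime(2006, 6, 9)  # reporting date, chosen to match the thread


if __name__ == "__main__":
    print(decode_sav_timestamp("240505090000"))
    for region, stats in sorted(summarize_by_region(SAMPLE_INVENTORY, AS_OF).items()):
        print(region, stats["clients"], stats["autoprotect_disabled"], dict(stats["definition_age"]))
```

The decoder deliberately lets datetime() reject impossible month or day values rather than clamping them, so a truncated or corrupt log record surfaces as an error in the weekly run instead of quietly landing in the wrong age bucket; that is the "incorrect data" failure Serge worries about in his reply, and it is the main reason to automate the rollup rather than read the hex by hand.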
