Submit a ticketCall us

Training ClassThe Orion® Platform Instructor-led Classes

Provided by SolarWinds® Academy, these trainings will introduce users to the Orion Platform and its features, management, and navigation. These courses are suitable for users looking to discover new tips, tricks, and ways to adapt their Orion products to better suit their monitoring needs:
Deploying the Orion Platform
Configuring Orion views, maps, and accounts
Configuring Orion alerts and reports

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Integrate Symantec Endpoint Protection 11 or later with SolarWinds LEM

Integrate Symantec Endpoint Protection 11 or later with SolarWinds LEM

Table of contents
Created by Karen Valdellon_ret, last modified by James Moore on Sep 26, 2018

Views: 2,619 Votes: 0 Revisions: 11

Updated: September 26, 2018


This article outlines the procedures for configuring Symantec Endpoint Protection 11 or later to log to your LEM appliance and configuring the Symantec Endpoint Protection 11 connector on your LEM Manager.


All LEM versions


To configure Symantec Endpoint Protection to log to the LEM appliance:

  1. Open Symantec Endpoint Protection (SEP).
  2. Click Admin, and then select Servers > Local Site > Configure External Logging.
  3. In the External Logging for Local Site window, select Enable Transmission of Logs to a Syslog Server.
  4. In the Syslog Server field, enter the IP address of your LEM appliance.
  5. In the Log Facility field, enter 22.

    Note: The Log Facility value in SEP is equal to the local facility on your LEM appliance plus 16, so the default local facility of local6 in the SEP connector for the LEM Manager equates to Log Facility 22 in SEP and change default  syslog port changed from 1468 to 514

  6. In the Log Line Separator field, select CR.
  7. Click the Log Filter tab.
  8. Select the logs you want to send to your LEM appliance.
  9. Click OK.

To configure the Symantec Endpoint Protection 11 connector on the LEM Manager:

A connector for the Windows Application log still exists because earlier versions of SEP do not generate syslog data.

  1. On the LEM console toolbar, navigate to Manage > appliances, and then log in to the LEM Manager as an administrator.
  2. Next to your LEM Manager, click the gear icon, and then select Connectors.
  3. In the Connector Configuration window, enter Symantec Endpoint Protection 11 in the search box at the top of the Refine Results pane.
  4. Next to the Symantec Endpoint Protection 11 connector, click the gear icon, and then select New.
  5. Enter a custom Alias or accept the default.
  6. If you entered a Log Facility value other than 22 in SEP, verify the Log File value in your LEM connector matches the Log Facility defined in Step 5 above.
  7. If you are finished configuring the connector, click Save.
  8. Next to the new connector (denoted by an icon in the Status column), click the gear icon, and then click Start.
  9. To exit the Connector Configuration window, click Close.

After the connector starts, test your integration using a trusted antivirus test site, such as

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

Last modified