
Configure LEM to monitor anti-virus software for viruses that are not cleaned

Updated: September 15, 2017

You can monitor the events your antivirus software reports by configuring that software to send its logs to LEM. Then set up the matching connector on the LEM Manager and use the LEM console to view the events in the default Virus Attack filter.

Configure antivirus software to log to a LEM appliance

Set your antivirus software to log to LEM. This centralizes the antivirus log data with your existing LEM events, so detections and their outcomes can be filtered, correlated, and reported alongside everything else LEM collects.

You can integrate LEM with antivirus software from manufacturers such as Symantec and McAfee. See the SolarWinds Knowledge Base or contact SolarWinds Support for more information.

Configure the antivirus connector on the LEM Manager

The following procedure describes how to configure the Symantec Endpoint Protection 11 connector on the LEM Manager.

For Symantec Endpoint Protection (SEP), the Log Facility value is the numeric syslog facility: local0 is facility 16, so the LEM log file /var/log/localN.log corresponds to Log Facility 16 + N. For example, the connector's default Log File, /var/log/local6.log, corresponds to Log Facility 22 in your Symantec Endpoint Protection 11 settings. If the two do not match, SEP messages are written to a different local log file and the connector never sees them.

  1. Open the LEM console and log in to the SolarWinds LEM Manager as an administrator. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click the Manage tab and select Appliances.

  3. Click the gear icon next to your SolarWinds LEM Manager and select Connectors.

  4. In the Connector Configuration window, enter the following in the search box:

    Symantec Endpoint Protection

  5. Click the gear icon next to the Symantec Endpoint Protection 11 connector and select New.

  6. Replace the Alias value with a custom alias or accept the default.

  7. Ensure that the Log File value matches the Log Facility defined in your antivirus settings, using the facility mapping described above.

  8. Click Save.

  9. Click the gear icon next to the new connector instance and select Start.

  10. Click Close to close the Connector Configuration window.

Create a LEM rule to track when viruses are not cleaned

Clone and enable the Virus Attack – Bad State rule to track virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that your antivirus software did not fully clean: a virus that was left unaddressed, quarantined, or renamed instead of being cleaned.

The default action for this rule is to generate a HostIncident event, which you can use together with the Incidents report to demonstrate to auditors that you are tracking the critical events on your network.

  1. Open the LEM console and log in to the SolarWinds LEM Manager as an administrator. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click the Build tab and select Rules.

  3. In the search box, enter:

    Virus Attack - Bad State

  4. Click the gear icon next to the rule and select Clone.

  5. Select the folder to store the cloned rule and click OK.

  6. Select the Enable check box.

  7. Click Save.

  8. In the main Rules screen, click Activate Rules. The cloned rule does not fire until it has been activated.
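The following script is an added example for two points on this page, not SolarWinds or Symantec code: it checks that SEP syslog messages carry the facility that lands them in the log file the connector reads (the local6.log / facility 22 mapping from the connector section), and it flags events that the Bad Virus State group would treat as not fully cleaned. The syslog lines and the "Actual action" values are constructed for illustration and are assumptions, not SEP's exact message format.

```python
"""Added example (not SolarWinds LEM or Symantec code): verify the SEP
syslog facility -> LEM log file mapping and flag virus events that were
not fully cleaned (bad state: left alone, quarantined or renamed)."""
import re

SYSLOG_LOCAL0 = 16  # syslog facility number of local0; localN = 16 + N

# Constructed sample lines (assumption: SEP-like, not the real format).
# PRI <182> = facility 22 (local6), severity 6; <158> = facility 19 (local3).
SAMPLE_LINES = [
    "<182>Sep 15 10:01:02 sepm01 SymantecServer: Security risk found,"
    "Computer name: WS-01,Risk name: EICAR Test String,Actual action: Cleaned",
    "<182>Sep 15 10:01:05 sepm01 SymantecServer: Security risk found,"
    "Computer name: WS-02,Risk name: EICAR Test String,Actual action: Quarantined",
    "<182>Sep 15 10:01:09 sepm01 SymantecServer: Security risk found,"
    "Computer name: WS-03,Risk name: EICAR Test String,Actual action: Left alone",
    "<158>Sep 15 10:02:00 sepm01 SymantecServer: Security risk found,"
    "Computer name: WS-04,Risk name: EICAR Test String,Actual action: Renamed",
]

CLEAN_ACTIONS = {"Cleaned"}  # anything else is a bad state per the page
ACTION_RE = re.compile(r"Actual action:\s*([^,]+)")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def facility_for_logfile(path):
    """Map a LEM log file such as /var/log/local6.log to the syslog
    facility number SEP must be configured with (local6 -> 22)."""
    m = re.search(r"local([0-7])\.log$", path)
    if not m:
        raise ValueError("not a localN log file: %s" % path)
    return SYSLOG_LOCAL0 + int(m.group(1))


def logfile_for_facility(fac):
    """Inverse mapping: facility 22 -> /var/log/local6.log."""
    if not SYSLOG_LOCAL0 <= fac <= SYSLOG_LOCAL0 + 7:
        raise ValueError("facility %d is not local0..local7" % fac)
    return "/var/log/local%d.log" % (fac - SYSLOG_LOCAL0)


def decode_pri(line):
    """Split the RFC 3164 PRI field: facility = pri // 8, severity = pri % 8."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no syslog PRI on line: %r" % line[:40])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def audit(lines, logfile="/var/log/local6.log"):
    """One record per event: did it reach the connector's log file, and
    is the outcome a bad state (not fully cleaned)?"""
    want = facility_for_logfile(logfile)
    records = []
    for line in lines:
        fac, sev, msg = decode_pri(line)
        m = ACTION_RE.search(msg)
        action = m.group(1).strip() if m else "Unknown"
        records.append({
            "facility": fac,
            "severity": sev,
            "routed_to_connector": fac == want,
            "action": action,
            "bad_state": action not in CLEAN_ACTIONS,
        })
    return records


if __name__ == "__main__":
    for rec in audit(SAMPLE_LINES):
        where = "ok" if rec["routed_to_connector"] else (
            "MISROUTED to " + logfile_for_facility(rec["facility"]))
        state = "BAD STATE" if rec["bad_state"] else "cleaned"
        print("%-12s facility=%d %-30s %s" % (rec["action"], rec["facility"], where, state))
```

The fourth sample line is the failure mode the connector section warns about: it arrives with facility 19 (local3), so it would be written to /var/log/local3.log and never reach a connector reading local6.log, even though its outcome (Renamed) is exactly what the Bad State rule exists to catch. Checking the PRI on a few real lines after you start the connector is a quick way to confirm the facility setting before trusting the rule.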
