You can monitor your antivirus software by configuring it to log to your SolarWinds LEM appliance. Once the software is logging, set up the appropriate connector on your SolarWinds LEM Manager to view the events in the default Virus Attack filter in your SolarWinds LEM Console.
Setting your antivirus software to log to your SolarWinds LEM appliance centralizes the antivirus log data alongside your existing SolarWinds LEM events.
You can integrate antivirus software with your SolarWinds LEM appliance from manufacturers such as Symantec and McAfee. See the SolarWinds Knowledge Base or contact SolarWinds Support for more information.
The following procedure describes how to configure the Symantec Endpoint Protection 11 connector on your SolarWinds LEM Manager.
For Symantec Endpoint Protection (SEP), the Log Facility value is the number of the local syslog facility (localN) on your SolarWinds LEM appliance plus 16. For example, the default log file /var/log/local6.log on your SolarWinds LEM appliance (local facility 6) corresponds to Log Facility 22 in your Symantec Endpoint Protection 11 settings.
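The facility arithmetic above is easy to get wrong, and a wrong value silently routes SEP events into a different local log file where the connector never reads them. The following script is an added example, not code from SolarWinds or Symantec; it decodes the syslog PRI header (facility * 8 + severity, per RFC 5424) of sample lines, maps the facility back to the /var/log/localN.log file the appliance would write it to, and flags lines that did not land in the expected facility. The sample syslog lines are constructed for illustration, and the message body is a placeholder rather than real SEP output.

```python
import re
from typing import List, Optional, Tuple

# syslog facility codes 16..23 are local0..local7 (RFC 5424, Table 1).
LOCAL0_CODE = 16

# Constructed sample lines as they might arrive on the appliance's syslog port.
# The "<PRI>" prefix is what decides which /var/log/localN.log they land in.
SAMPLE_LINES = [
    # PRI 182 = facility 22 (local6) * 8 + severity 6 (informational): routed correctly
    "<182>Jan 10 12:00:00 sep-mgr SymantecServer: sample virus-found event",
    # PRI 134 = facility 16 (local0) * 8 + severity 6: Log Facility left at 16,
    # so the event lands in /var/log/local0.log instead of local6.log
    "<134>Jan 10 12:00:01 sep-mgr SymantecServer: sample virus-found event",
]


def local_to_syslog_facility(local_n: int) -> int:
    """Numeric value to enter in SEP's Log Facility field for localN."""
    if not 0 <= local_n <= 7:
        raise ValueError("local facility must be local0..local7")
    return LOCAL0_CODE + local_n


def syslog_facility_to_log_file(facility: int) -> Optional[str]:
    """Map a numeric facility to the appliance's /var/log/localN.log, or None if not a local facility."""
    if LOCAL0_CODE <= facility <= LOCAL0_CODE + 7:
        return f"/var/log/local{facility - LOCAL0_CODE}.log"
    return None


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Tuple[int, int]:
    """Split the leading <PRI> of a syslog line into (facility, severity)."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("line has no syslog <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # max facility 23, max severity 7
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def audit_lines(lines: List[str], expected_local: int = 6) -> List[Tuple[Optional[str], bool]]:
    """For each line, return (log file it lands in, whether that matches the expected localN)."""
    expected_facility = local_to_syslog_facility(expected_local)
    results = []
    for line in lines:
        facility, _severity = parse_pri(line)
        results.append((syslog_facility_to_log_file(facility), facility == expected_facility))
    return results


if __name__ == "__main__":
    print("SEP Log Facility for local6:", local_to_syslog_facility(6))
    for line, (log_file, ok) in zip(SAMPLE_LINES, audit_lines(SAMPLE_LINES)):
        status = "OK " if ok else "MISROUTED"
        print(f"{status} {log_file}: {line[:40]}...")
```

Run it against a few lines captured from the appliance's syslog input (for example with tcpdump or by reading the raw /var/log/localN.log files) to confirm the SEP events are arriving with facility 22 before troubleshooting the connector itself.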
Symantec Endpoint Protection
Clone and enable the Virus Attack Bad State rule to track virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully cleaned by your antivirus software. This includes any virus that is not addressed, quarantined, or renamed.
The default action for this rule is to generate a HostIncident event, which you can use together with the Incidents report to show auditors that you are auditing the critical events on your network.
Virus Attack - Bad State