I'm trying to build a log source extension for Symantec AV ScanEngine. What troubles me is the fact that the log data is delivered via SNMP. In the event viewer the payload looks like this:
The scanning feature seems to be hung or the scan engine is overloaded. 192.168.3.27 1344 1541514 Warning
There was an error running content update, scanning will continue using the original definitions 192.168.3.27 1344 Virus definitions Scanner not initialised LiveUpdate 1513397 Error
I don't have a clue how to define the values in the LSX for that sort of data, as there are no "headers" like 'src-ip:192.168.3.27' or anything similar.
I've tried to define the values in the LSX using parts of the OID values from the raw event data I've captured with tcpdump (see the example below), but that doesn't work.
.18.104.22.168.4.1.322.214.171.124 255.255.255.255 enterpriseSpecific s=30 1542197
.126.96.36.199.4.1.3188.8.131.52.1.1="There was an error running content update, scanning will continue using the original definitions" .184.108.40.206.4.1.3220.127.116.11.1.2="192.168.3.27" .18.104.22.168.4.1.322.214.171.124.1.3=1344 .126.96.36.199.4.1.3188.8.131.52.1.33="Virus definitions" .184.108.40.206.4.1.3220.127.116.11.1.36="Scanner not initialised" .18.104.22.168.4.1.322.214.171.124.1.55="LiveUpdate" .126.96.36.199.4.1.3188.8.131.52.1.44=1542197 .184.108.40.206.4.1.3220.127.116.11.1.51="Error"
Can you guys give me any hints as to how to get a grip on that?
Or - if I'm very lucky - maybe one of you has already built an LSX for the Symantec AV ScanEngine? Or at least for a product sending similar data? Would you be so kind as to share your LSX?
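Added example (not from the poster, and not Symantec's or QRadar's own code) showing the parsing approach the question is groping for: the trap payload is a list of OID=value varbinds, and the only stable "header" is the trailing index of each OID (.1.1, .1.2, .1.3, ...), so you key on that instead of on the enterprise prefix. The sample line is the one pasted above, used verbatim; the index-to-field mapping is an assumption derived purely from the positions in that sample, not from the Symantec MIB.

```python
import re

# Constructed sample: the varbind list exactly as it appears in the question.
# The OID prefixes are treated as opaque strings; only the trailing index matters.
SAMPLE_VARBINDS = (
    '.126.96.36.199.4.1.3188.8.131.52.1.1="There was an error running content update, '
    'scanning will continue using the original definitions" '
    '.184.108.40.206.4.1.3220.127.116.11.1.2="192.168.3.27" '
    '.18.104.22.168.4.1.322.214.171.124.1.3=1344 '
    '.126.96.36.199.4.1.3188.8.131.52.1.33="Virus definitions" '
    '.184.108.40.206.4.1.3220.127.116.11.1.36="Scanner not initialised" '
    '.18.104.22.168.4.1.322.214.171.124.1.55="LiveUpdate" '
    '.126.96.36.199.4.1.3188.8.131.52.1.44=1542197 '
    '.184.108.40.206.4.1.3220.127.116.11.1.51="Error"'
)

# One varbind: an OID (leading dot, digits and dots), '=', then either a
# double-quoted string or a bare token up to the next whitespace.
VARBIND_RE = re.compile(r'(\.[\d.]+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Hypothetical mapping from the trailing OID index to a field name. Derived only
# from where each value sits in the question's sample, not from a MIB.
FIELD_BY_INDEX = {
    "1.1": "message",
    "1.2": "src_ip",
    "1.3": "port",
    "1.33": "component",
    "1.36": "detail",
    "1.55": "subsystem",
    "1.44": "event_id",
    "1.51": "severity",
}


def parse_varbinds(text):
    """Return an ordered list of (oid, value) pairs from a raw varbind line."""
    pairs = []
    for m in VARBIND_RE.finditer(text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs.append((m.group(1), value))
    return pairs


def oid_suffix(oid, depth=2):
    """Last `depth` arcs of an OID, e.g. '.x.y.1.36' -> '1.36'."""
    return ".".join(oid.strip(".").split(".")[-depth:])


def to_event(text):
    """Map each varbind onto a named field; unknown indexes keep an 'oid_' key."""
    event = {}
    for oid, value in parse_varbinds(text):
        key = FIELD_BY_INDEX.get(oid_suffix(oid), "oid_" + oid_suffix(oid))
        event[key] = value
    return event


def field_regex(index):
    """Single-field regex keyed on the trailing OID index, the kind of pattern
    an LSX entry would carry. Group 2 holds the value with or without quotes;
    the lookahead stops at the next varbind (space + dot) or end of line."""
    arcs = r"\." + r"\.".join(re.escape(a) for a in index.split("."))
    return arcs + r'=("?)(.*?)\1(?=\s\.|$)'


def extract_field(text, index):
    """Apply field_regex() to a payload and return the captured value, or None."""
    m = re.search(field_regex(index), text)
    return m.group(2) if m else None


if __name__ == "__main__":
    for k, v in to_event(SAMPLE_VARBINDS).items():
        print(f"{k:10} = {v}")
    print("src_ip via LSX-style regex:", extract_field(SAMPLE_VARBINDS, "1.2"))
```

The practical point for the LSX: anchor each pattern on `\.1\.2=`, `\.1\.3=` and so on rather than on the whole OID, because the enterprise prefix varies per table column while the trailing index is what identifies the field; the `("?)...\1` backreference copes with the fact that some values are quoted and some (port, event id) are bare.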