Hello everyone! I'm having some issues with the Symantec Endpoint
Protection collector. When testing in a development environment with
Sentinel and Symantec Endpoint Protection 12.1 the event source
that we connected through the Syslog Connector appears as

When debugging I noticed that the s_RXBufferString had this right before
the Server Hostname:

<86>Sep 3 20:00:00 SymantecServer ACNT12 [...]

Also the s_MessageOriginatorHost variable had the value SymantecServer.
I tried fixing this using a custom.js file with the following code:

Record.prototype.customPreparse = function(e) {
    // Only touch buffers whose syslog header carries the "SymantecServer " tag
    if ((typeof this.s_RXBufferString === "string") && (this.s_RXBufferString.indexOf("SymantecServer ") != -1)) {
        // Start just past "SymantecServer " (15 characters)
        var i_spos = this.s_RXBufferString.indexOf("SymantecServer ") + 15;
        // The real hostname runs from there up to the next ":"
        var i_epos = this.s_RXBufferString.substr(i_spos).indexOf(":");
        if (i_epos > 0) {
            this.s_MessageOriginatorHost = this.s_RXBufferString.substr(i_spos, i_epos);
        }
    }
    return true;
}

The s_MessageOriginatorHost variable in the debugger and the
ObserverHostName field in the events are now showing up correctly but
the event source is still being recognized as SymantecServer. Not only
that but the event source shows an error stating that no events are
coming from it when in reality events are actually appearing in the
Sentinel admin console.

Any suggestions on how to fix this issue?

Thanks in advance.

EPedros's Profile: https://forums.netiq.com/member.php?userid=5531
View this thread: https://forums.netiq.com/showthread.php?t=54313
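An added example (not from the original post) of the header parsing the customPreparse above is attempting, written as a stand-alone function so it can be checked outside the collector. It assumes the buffer layout shown in the post, "<PRI>Mon D HH:MM:SS SymantecServer HOST ...", with the host terminated by a colon or a space; the s_* field names are Sentinel's, and the sample lines are constructed.

```javascript
// Parse the syslog line Sentinel hands to customPreparse (s_RXBufferString).
// Assumed layout (from the post): "<PRI>Mon  D HH:MM:SS SymantecServer HOST: ..."
// Returns null when the line does not carry the SymantecServer tag, so the
// caller can leave s_MessageOriginatorHost untouched in that case.
var SYMANTEC_HEADER = /^<(\d{1,3})>([A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) SymantecServer (\S+?):?\s+([\s\S]*)$/;

function parseSymantecSyslog(line) {
  var m = SYMANTEC_HEADER.exec(line);
  if (m === null) {
    return null;
  }
  return {
    priority: parseInt(m[1], 10),
    timestamp: m[2],
    originatorHost: m[3],   // the manager host named after the tag, e.g. ACNT12
    message: m[4]
  };
}

// Same intent as the customPreparse in the post, but without hard-coded
// offsets: only rewrites the originator host when the line actually matched.
function fixOriginatorHost(record) {
  if (typeof record.s_RXBufferString !== "string") {
    return false;
  }
  var parsed = parseSymantecSyslog(record.s_RXBufferString);
  if (parsed === null) {
    return false;
  }
  record.s_MessageOriginatorHost = parsed.originatorHost;
  return true;
}

// Constructed sample buffer in the layout the post shows
var sampleRecord = {
  s_RXBufferString: "<86>Sep 3 20:00:00 SymantecServer ACNT12: Site: Local,Server: ACNT12,Event: Sample",
  s_MessageOriginatorHost: "SymantecServer"
};
fixOriginatorHost(sampleRecord);
```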