Configure LEM to monitor anti-virus software for viruses that are not cleaned
You can monitor your antivirus software by configuring it to log to LEM. When that is done, set up the appropriate connector on the LEM Manager, and then use the LEM console to view the resulting events in the default Virus Attack filter.
Configure antivirus software to log to a LEM appliance
Set your antivirus software to log to LEM. This process centralizes the antivirus log data with your existing LEM events.
You can integrate LEM with antivirus software from manufacturers such as Symantec and McAfee. See the SolarWinds Knowledge Base or contact SolarWinds Support for more information.
Configure the antivirus connector on the LEM Manager
The following procedure describes how to configure the Symantec Endpoint Protection 11 connector on the LEM Manager.
- Replace the Alias value with a custom alias, or accept the default.
- Ensure that the Log File value matches the Log Facility defined in your antivirus settings; if they differ, the connector reads a file your antivirus software never writes to and no events appear.
- Log in to the LEM console.
- On the LEM toolbar, navigate to Manage > Appliances.
- Next to your SolarWinds LEM Manager, click the icon, and then select Connectors.
- In the Connector Configuration window search box, enter Symantec Endpoint Protection.
- Next to the Symantec Endpoint Protection 11 connector, click the icon, and then select New.
- Next to the new connector instance, click the icon, and then select Start.
- To close the Connector Configuration window, click Close.
For Symantec Endpoint Protection (SEP), the Log Facility is equal to the local facility number on LEM plus 16 (the standard syslog numbering, in which local0 is facility 16 and local7 is facility 23). For example, the default Log File /var/log/local6.log on SolarWinds LEM corresponds to Log Facility 22 (6 + 16) in your Symantec Endpoint Protection 11 settings.
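The facility arithmetic above is the usual cause of an antivirus connector that starts cleanly but never produces events. The following Python is an added example, not SolarWinds or Symantec code: it applies the "local facility plus 16" rule, decodes the syslog PRI header that carries the facility on the wire, and checks that a connector's Log File matches the facility configured in SEP. The /var/log/localN.log layout is taken from the paragraph above; the sample syslog line is constructed for the example and is not a real SEP capture.

```python
"""Syslog facility helpers for checking a LEM antivirus connector configuration.

Syslog packs facility and severity into one PRI number: PRI = facility * 8 + severity.
A SEP event sent to facility 22 (local6) at severity 6 (info) therefore starts "<182>".
"""
import re

# RFC 5424 "local use" facilities: local0 = 16 ... local7 = 23.
LOCAL_FACILITY_BASE = 16
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
LOG_FILE_RE = re.compile(r"^/var/log/local([0-7])\.log$")


def facility_for_local(n):
    """Syslog facility number for localN: the 'local facility plus 16' rule."""
    if not 0 <= n <= 7:
        raise ValueError("local facilities run from local0 to local7")
    return LOCAL_FACILITY_BASE + n


def lem_log_file(facility):
    """LEM log file for a facility, assuming the /var/log/localN.log layout named in the doc.

    Returns None for facilities outside the local0..local7 range.
    """
    if LOCAL_FACILITY_BASE <= facility <= LOCAL_FACILITY_BASE + 7:
        return "/var/log/local%d.log" % (facility - LOCAL_FACILITY_BASE)
    return None


def connector_log_file_matches(log_file, sep_log_facility):
    """True when the connector's Log File is the file that the SEP Log Facility lands in."""
    m = LOG_FILE_RE.match(log_file)
    if not m:
        return False
    return facility_for_local(int(m.group(1))) == sep_log_facility


def decode_syslog_line(line):
    """Split the <PRI> header of a syslog line into facility, severity and message text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "log_file": lem_log_file(facility),
        "message": line[m.end():].lstrip(),
    }


# Constructed sample line shaped like a SEP syslog event; not a real capture.
SAMPLE_LINE = (
    "<182>Jan 12 10:15:01 sep-mgr SymantecServer: Virus found,"
    "Computer name: WS01,Action: Left alone"
)

if __name__ == "__main__":
    event = decode_syslog_line(SAMPLE_LINE)
    print("facility %d -> %s (%s)" % (event["facility"], event["log_file"], event["severity"]))
    print("connector on /var/log/local6.log matches facility 22:",
          connector_log_file_matches("/var/log/local6.log", 22))
```

Run it against a line captured from the LEM appliance's own log file to confirm which facility SEP is actually sending; if `connector_log_file_matches` returns False for the connector's Log File and the facility in the SEP settings, fix one side before hunting for problems elsewhere.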
Create a LEM rule to track when viruses are not cleaned
Clone and enable the Virus Attack - Bad State rule to track virus attacks reported by your anti-virus software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully cleaned by your anti-virus software, including any virus that is not addressed, quarantined, or renamed.
The default action for this rule is to generate a HostIncident event, which you can use together with the Incidents report to show auditors that you are auditing the critical events on your network.
- Log in to the LEM console as an administrator.
- On the LEM toolbar, navigate to Build > Rules.
- In the search box, enter Virus Attack - Bad State.
- Next to the rule, click the icon, and then select Clone.
- Select the folder in which to store the cloned rule, and then click OK.
- Select the Enable check box, and then click Save.
- In the main Rules screen, click Activate Rules.