Multiple syslog messages in one event

simpleman · September 9, 2022, 3:09pm

I am trying to send logs from Symantec Endpoint Protection to Logstash using syslog. Unfortunately, Beats is not an option for our setup. So I have SEP send syslogs over tcp at port 50000. At the moment, I simply print the logs to the console with no filtering. The problem is that some times a get concatenated events as a single one. Here is an example:

logstash_1       | {
logstash_1       |     "@timestamp" => 2022-09-09T14:46:26.159144Z,
logstash_1       |          "event" => {
logstash_1       |         "original" => "<54>Sep  9 17:46:11 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 (reduced) 14.3 RU4 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r"
logstash_1       |     },
logstash_1       |           "type" => "syslog",
logstash_1       |        "message" => "<54>Sep  9 17:46:11 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 (reduced) 14.3 RU4 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r",
logstash_1       |       "@version" => "1"
logstash_1       | }
logstash_1       | {
logstash_1       |     "@timestamp" => 2022-09-09T14:46:56.498947Z,
logstash_1       |          "event" => {
logstash_1       |         "original" => "<54>Sep  9 17:46:29 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 14.3 RU4 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r<54>Sep  9 17:46:42 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 (reduced) 14.3 RU5 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU2 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU3 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU4 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU5 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Win64 14.3 RU5 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Web and Cloud Access Protection Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Windows Host Integrity Content 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Advanced Machine Learning (Static) content Win64 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Extended File Attributes and Signatures 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Submission Control signatures 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Threat Defense for AD Data 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Centralized Reputation Settings 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Web and Cloud Access Protection 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Win64 14.3 RU2 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU1.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 12.1 RU6 MP8.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU4.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Application Control Data 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager Metadata 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Power Eraser Definitions 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU3.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SEPM Data 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures Win64 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Advanced Machine Learning (Static) content Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU4.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Symantec Allow List 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Virus and Spyware definitions SDS Win64 (reduced) 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Application Control Data 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update AP Portal List 14.3 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager API 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Power Eraser Definitions 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Attack Surface Reduction Win64 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Advanced Machine Learning (Static) content Win64 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 12.1 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.3 RU2.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Endpoint Threat Defense for AD Data 14.3 RU4.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Virus and Spyware definitions SDS Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU4.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Common Network Transport Library and Configuration 14.3 RU3.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Threat Defense for AD Data 14.2 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Browser Extension Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Attack Surface Reduction 14.3 RU4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Revocation Data 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager Content Catalog 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU1.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Common Network Transport Library and Configuration 14.2 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.3 RU4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.2 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SEPM LiveUpdate Database 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.2 RU1.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate encountered one or more errors. Return code = 4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate finished running.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate retry failed.  Will try again.\r"
logstash_1       |     },
logstash_1       |           "type" => "syslog",
logstash_1       |        "message" => "<54>Sep  9 17:46:29 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 14.3 RU4 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r<54>Sep  9 17:46:42 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Successfully downloaded the Virus and Spyware definitions SDS Win64 (reduced) 14.3 RU5 9/9/22 r2 security definitions from LiveUpdate. The security definitions are now available for deployment.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU2 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU3 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU4 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Client Patch Win64 14.3 RU5 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Win64 14.3 RU5 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Web and Cloud Access Protection Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Windows Host Integrity Content 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Intrusion Prevention Signatures 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Advanced Machine Learning (Static) content Win64 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Extended File Attributes and Signatures 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Submission Control signatures 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Threat Defense for AD Data 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Centralized Reputation Settings 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Web and Cloud Access Protection 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Win64 14.3 RU2 (English).\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU1.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 12.1 RU6 MP8.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU4.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Application Control Data 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager Metadata 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Power Eraser Definitions 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU3.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SEPM Data 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures Win64 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Advanced Machine Learning (Static) content Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU4.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Symantec Allow List 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Virus and Spyware definitions SDS Win64 (reduced) 14.2 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Application Control Data 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update AP Portal List 14.3 RU2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager API 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Power Eraser Definitions 14.0.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Attack Surface Reduction Win64 14.3 RU5.\r<52>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Advanced Machine Learning (Static) content Win64 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 12.1 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Policy Command Handler Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU4.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.2.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response Win64 14.3 RU5.\r<54>Sep  9 17:46:45 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for AP Portal List 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.3 RU2.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Endpoint Threat Defense for AD Data 14.3 RU4.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Virus and Spyware definitions SDS Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU4.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Common Network Transport Library and Configuration 14.3 RU3.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Threat Defense for AD Data 14.2 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SONAR Heuristics engine 14.3 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Browser Extension Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Attack Surface Reduction 14.3 RU4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Revocation Data 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration Win64 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Protection Manager Content Catalog 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU1.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: Symantec Endpoint Protection Manager could not update Common Network Transport Library and Configuration 14.2 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Endpoint Detection and Response 14.3 RU4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.2 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for SEPM LiveUpdate Database 14.3 RU5.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Symantec Endpoint Foundation Win64 14.3 RU1.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Common Network Transport Library and Configuration 14.3 RU2.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: No updates found for Intrusion Prevention Signatures 14.2 RU1.\r<52>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate encountered one or more errors. Return code = 4.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate finished running.\r<54>Sep  9 17:46:46 WIN-RPPCBQPPJLQ SymantecServer: Site: My Site,Server Name: WIN-RPPCBQPPJLQ,Event Description: LiveUpdate retry failed.  Will try again.\r",
logstash_1       |       "@version" => "1"
logstash_1       | }

Is that normal?

My pipeline.conf file is:

input {
        tcp {
                port => 50000
                type => syslog
        }
}


output {
        stdout {
                codec => rubydebug
        }
}

Thanks in advance.

system · October 7, 2022, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.