Did some Googling, it appears that the logs are on the client in a number of locations based on this article: FEP Log Files
And this technet thing: Endpoint Protection Scan Logs & Automated Tools For Malware Removal?
I immediately see some problems that would need to be overcome:
- Which of the log files are you interested in seeing in LEM?
- Can you share any sample log files from your clients?
- Is there any way to control the rotation of the log files and the way they're named?
- What information in those log files do you want to see normalized in LEM?
Based on the FEP logs and some other resources, it looks like the file names use the following format:
LogFileName_Date_Time.log
where the following is true:
- LogFileName is the name of the log file
- Date is the day, month, and year the log was created, in the format DDMMYYYY
- Time is the hour, minute, and second the log file was created, in the format HHMMSS
And I know this is the sort of thing that gives the connectors team fits and slows down development since code will need to be created to handle the file name changes, how to handle the EOF, how to find the next file, etc. If there are options to control all this, that would make things a lot simpler.
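As an added example (not part of this post, and not LEM or FEP code), here is a small Python helper that parses the LogFileName_DDMMYYYY_HHMMSS.log convention described above and picks the next file a connector should open when it hits EOF; the file names in the sample listing are constructed, and a four-digit year is an assumption.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed rotation pattern from the post: LogFileName_DDMMYYYY_HHMMSS.log
LOG_NAME_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9]+)_(?P<date>\d{8})_(?P<time>\d{6})\.log$"
)

def parse_log_name(filename: str) -> Optional[Tuple[str, datetime]]:
    """Return (LogFileName, creation timestamp), or None when the name
    does not follow the rotation pattern or encodes an impossible date."""
    m = LOG_NAME_RE.match(filename)
    if not m:
        return None
    d, t = m["date"], m["time"]
    try:
        ts = datetime(int(d[4:8]), int(d[2:4]), int(d[0:2]),
                      int(t[0:2]), int(t[2:4]), int(t[4:6]))
    except ValueError:  # e.g. day 99 or hour 25: not a real rotated log
        return None
    return m["name"], ts

def rotated_logs(filenames: List[str], log_name: str) -> List[str]:
    """All rotations of one LogFileName, oldest first, ignoring strays."""
    keyed = []
    for f in filenames:
        parsed = parse_log_name(f)
        if parsed and parsed[0] == log_name:
            keyed.append((parsed[1], f))
    return [f for _, f in sorted(keyed)]

def next_log_after(filenames: List[str], current: str) -> Optional[str]:
    """The file to open after reaching EOF on `current`, or None if
    `current` is still the newest rotation (or is not a rotated log)."""
    parsed = parse_log_name(current)
    if parsed is None:
        return None
    ordered = rotated_logs(filenames, parsed[0])
    if current not in ordered:
        return None
    idx = ordered.index(current)
    return ordered[idx + 1] if idx + 1 < len(ordered) else None

# Constructed directory listing (not real client data). Note that plain
# string sorting would wrongly place the 02012012 file before 31122011.
SAMPLE_DIR = [
    "ScanLog_31122011_235959.log",
    "ScanLog_02012012_081500.log",
    "ScanLog_01012012_120000.log",
    "ScanLog_99012012_000000.log",   # impossible date, skipped
    "OtherLog_01012012_000000.log",
    "readme.txt",
]
```

Sorting on the parsed timestamp rather than the raw name is what keeps day-first dates from being read out of order.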