http://www-01.ibm.com/support/docview.wss?uid=swg2...
Problem (Abstract)
When using IBM Security QRadar SIEM, Symantec Endpoint syslog is auto detected as SymantecServer regardless of the actual hostname.
Cause
This is a Symantec issue: the product places the application name SymantecServer in the syslog header field normally reserved for the host name or IP address.
Example:
<54>Jun 2 09:37:57 SymantecServer ServerA: Virus found,Computer name:ServerA,Source: Real Time Scan,Risk name: CAR Test String,Occurrences:1,D:/ffirectoryA/DirectoryB,"",Actual action: Cleaned by deletion,Requested action:Cleaned,Secondary action: Quarantined,Event time: 2009-05-22 14:22:10,Inserted:2009-05-22 14:32:57,End: 2009-05-22 14:32:10,Domain: Default,Group: My Group\WAN\Offline Servers,Server:ServerA,User: abreen,Source computer: ,Source IP: 0.0.0.0
Note: In the example above, SymantecServer appears in place of the host name, instead of the actual server name, ServerA.
Please correct issue.
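The header layout described above, parsed field by field to show where the application name lands and where the real server name can be recovered. This is an added example, not IBM or Symantec code; the regular expression, the function names and the shortened sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the page's example on one line, payload shortened.
SAMPLE = ("<54>Jun 2 09:37:57 SymantecServer ServerA: Virus found,"
          "Computer name:ServerA,Source: Real Time Scan,"
          "Risk name: CAR Test String,Server:ServerA,Source IP: 0.0.0.0")

# BSD syslog (RFC 3164) layout: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[^\s:]+):\s?"
    r"(?P<msg>.*)$")

APP_NAME = "SymantecServer"  # literal the page says lands in the host slot


def parse(line):
    """Split one line into header fields; raise if it is not RFC 3164 shaped."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    return fields


def effective_host(fields):
    """Host to attribute the event to.

    Assumption taken from the page's example: when the host slot holds the
    application name, the real server name is in the tag slot.
    """
    if fields["host"] == APP_NAME:
        return fields["tag"]
    return fields["host"]


def payload_field(msg, name):
    """Return the value of one 'name:value' item in the comma-separated payload."""
    m = re.search(r"(?:^|,)" + re.escape(name) + r":\s*([^,]*)", msg)
    return m.group(1) if m else None


if __name__ == "__main__":
    f = parse(SAMPLE)
    print(f["host"], "->", effective_host(f), payload_field(f["msg"], "Computer name"))
```

Any collector that keys log sources on the header host slot will group every such sender under the one name SymantecServer, which is why the tag or the payload fields have to be consulted to tell servers apart.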