FAQ: Exporting Symantec SGS/SEF data to text format


Sawmill does not recognize my Symantec SGS/SEF log data because it is binary. How can I export this data to a text format so Sawmill can process it?

Short Answer

Use flatten8 or remotelogfile8.

Long Answer

The Symantec Security Gateways plug-in is based on a text export of a binary data file on the SGS/SEF device.

To use "remotelogfile8.exe" to extract the text log from the binary data:

1. Browse to "http://www.symantec.com/search/"
2. Search for document "2004021815290054"

To use the "flatten8" utility to extract the text log from the binary data:

1. Review page 102 of the "Symantec™ Security Gateways - Reference Guide", Version 8. The following is an excerpt:

Flatten utility
The flatten8 utility is shipped on the included CD and lets you perform simple log file management from the command-line. The flatten8 utility reads in the log message information from the system's XML files, and then parses in real-time the binary log file, substituting the actual error text message for its binary counterpart.
Most often, this utility is used to convert the binary log file to a more usable format for a third party utility, such as an ASCII text editor. This utility is also used to review the most recent messages, or directed to show just statistics messages.

usage: flatten8 [-h] [-r|-s|-D] [-f] [-u seconds] [-t n] [-x xmlpath] log file ...

Where:

-h Print this message and exit.
-r Only has an effect when -s is used. Do reverse lookups on IP addresses.
-s Output stats only.
-D Do not print out error information.
-f Follow output. (Binary files, default interval 2 seconds).
-u Follow update interval in seconds. (Implies -f).
-t Tail the last 'n' log messages.
-x Next argument specifies path to XML dictionary files. This argument should not need to be used, as the XML files are placed in the default location during installation.
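The conversion step above is usually run once per log file by hand. The script below is an added example (it is not from the Symantec guide or the Sawmill FAQ) that wraps flatten8 to batch-convert every binary log in a directory to a text file Sawmill can read, and refuses to leave behind an empty or partial export. It assumes flatten8 is on PATH; the log directory and the XML dictionary path shown in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Symantec guide or the Sawmill FAQ: batch-convert
# binary SGS/SEF logs to text with flatten8 so Sawmill can process them.
# Assumptions: flatten8 is on PATH; all paths shown are hypothetical.

# Build the flatten8 command line for one binary log file (printed, not run).
#   $1 = binary log file
#   $2 = optional XML dictionary directory (passed with -x; normally not needed)
#   $3 = optional n, export only the last n messages (-t n)
build_flatten8_cmd() {
    log="$1"; xmlpath="${2:-}"; tail_n="${3:-0}"
    cmd="flatten8"
    [ -n "$xmlpath" ] && cmd="$cmd -x $xmlpath"
    [ "$tail_n" -gt 0 ] 2>/dev/null && cmd="$cmd -t $tail_n"
    printf '%s %s\n' "$cmd" "$log"
}

# Convert one binary log to <log>.txt. Returns 1 when flatten8 is missing,
# the input is unreadable, flatten8 exits non-zero, or the export is empty,
# so an empty or truncated file is never handed to Sawmill.
export_log() {
    log="$1"; xmlpath="${2:-}"; out="${log}.txt"
    command -v flatten8 >/dev/null 2>&1 || { echo "flatten8 not found on PATH" >&2; return 1; }
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    if [ -n "$xmlpath" ]; then
        flatten8 -x "$xmlpath" "$log" >"$out"
    else
        flatten8 "$log" >"$out"
    fi || { echo "flatten8 failed on $log" >&2; rm -f "$out"; return 1; }
    [ -s "$out" ] || { echo "empty export for $log" >&2; rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Convert every binary log in a directory; prints "converted/total" when done.
export_dir() {
    dir="$1"; xmlpath="${2:-}"; total=0; ok=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.txt) continue ;; esac   # skip exports from an earlier run
        total=$((total + 1))
        export_log "$f" "$xmlpath" && ok=$((ok + 1))
    done
    printf '%s/%s\n' "$ok" "$total"
}

# Usage (hypothetical paths):
#   export_dir /var/log/sgs
#   export_dir /var/log/sgs /opt/sg/xml     # only if the XML files are not in the default location
```

Point Sawmill at the resulting `.txt` files rather than at the binary originals; the `-x` argument is only needed if the XML dictionary files were moved away from their installed location, as the reference guide notes.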