
After I upgrade my SEPM to 12.1 RU6 MP4, it sends no data to my syslog servers


Article ID: 163159


Products

Endpoint Protection

Issue/Introduction

After upgrading the Symantec Endpoint Protection Manager (SEPM) to Symantec Endpoint Protection (SEP) 12.1 RU6 MP4, data from the SEPM does not appear in reports generated from the syslog data.


Cause

Your Security Information and Event Management (SIEM) system is configured to match the RFC-noncompliant syslog header layout that earlier SEPM versions used for syslog export.

Prior to 12.1 RU6 MP4, SEPM wrote syslog export records with the header fields in this order:

[PRI] [VERSION][TIMESTAMP] [APP-NAME] [HOSTNAME]. . .

This order does not comply with RFC 5424, section 6, which defines the syslog message format and places HOSTNAME before APP-NAME in the header.

Beginning with 12.1 RU6 MP4 (build 12.1.6867.6400), this ordering error was corrected, and the header now follows RFC 5424:

[PRI] [VERSION][TIMESTAMP] [HOSTNAME] [APP-NAME]. . .

A SIEM parsing rule or filter written against the old field order (for example, one that expects the SEPM application name in the fourth header position, immediately after TIMESTAMP) no longer matches messages from an upgraded SEPM. The SEPM is still sending the data, but the SIEM discards or misparses it, so it stops appearing in reports.
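The following is an added example, not Symantec's code or output, that shows why a rule keyed on the old field order stops matching after the upgrade, and how a parser that follows the RFC 5424 header order handles both a pre-upgrade and a post-upgrade line. The two sample lines are constructed for this example; the app-name "SymantecServer", the hostname "sepm01", the message body, and the "-" NILVALUE for PROCID, MSGID and STRUCTURED-DATA are assumptions, not captured SEPM output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed APP-NAME that SEPM places in the syslog header; substitute the
# value your own SEPM actually sends.
SEPM_APP_NAME = "SymantecServer"

# Constructed sample lines (not real SEPM output). Both carry the same event;
# only the positions of HOSTNAME and APP-NAME differ. PROCID, MSGID and
# STRUCTURED-DATA are shown as the RFC 5424 NILVALUE "-".
OLD_ORDER_LINE = (
    "<14>1 2016-03-01T12:34:56.000Z SymantecServer sepm01 - - - "
    "Site: Site sepm01,Server: sepm01,Virus found,Computer: WS01"
)
RFC5424_LINE = (
    "<14>1 2016-03-01T12:34:56.000Z sepm01 SymantecServer - - - "
    "Site: Site sepm01,Server: sepm01,Virus found,Computer: WS01"
)

# A SIEM rule written against the pre-12.1 RU6 MP4 layout: it anchors on the
# app-name sitting in the fourth header position, right after TIMESTAMP.
LEGACY_SEPM_RULE = re.compile(
    r"^<\d{1,3}>1 \S+ " + re.escape(SEPM_APP_NAME) + r" \S+ "
)


def legacy_rule_matches(line: str) -> bool:
    """True if the old-layout SIEM rule would accept this line."""
    return LEGACY_SEPM_RULE.match(line) is not None


@dataclass
class SyslogHeader:
    pri: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    msg: str


def parse_rfc5424(line: str) -> Optional[SyslogHeader]:
    """Split a syslog header in the RFC 5424 field order:
    PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    Returns None if the line does not start with <PRI>VERSION or is too short.
    STRUCTURED-DATA is assumed to be the NILVALUE "-" as in the samples; a
    real feed carrying [id ...] elements needs a proper SD parser."""
    m = re.match(r"^<(\d{1,3})>(\d{1,2}) (.*)$", line, re.S)
    if not m:
        return None
    pri, version, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    parts = rest.split(" ", 6)
    if len(parts) < 7 or parts[5] != "-":
        return None
    ts, host, app, procid, msgid, _sd, msg = parts
    return SyslogHeader(pri, version, ts, host, app, procid, msgid, msg)


def rfc5424_rule_matches(line: str) -> bool:
    """The corrected SIEM rule: select SEPM data by APP-NAME in its
    RFC 5424 position (fifth header field, after HOSTNAME)."""
    hdr = parse_rfc5424(line)
    return hdr is not None and hdr.app_name == SEPM_APP_NAME


def detect_layout(line: str) -> str:
    """Report which layout a SEPM line uses, judged by where the known
    app-name lands when the line is read in RFC 5424 order."""
    hdr = parse_rfc5424(line)
    if hdr is None:
        return "unparseable"
    if hdr.app_name == SEPM_APP_NAME:
        return "rfc5424"
    if hdr.hostname == SEPM_APP_NAME:  # app-name fell into the HOSTNAME slot
        return "pre-12.1-RU6-MP4"
    return "unknown"


if __name__ == "__main__":
    for label, line in (("old order", OLD_ORDER_LINE), ("RFC 5424", RFC5424_LINE)):
        print(f"{label:9} legacy rule={legacy_rule_matches(line)!s:5} "
              f"rfc5424 rule={rfc5424_rule_matches(line)!s:5} "
              f"layout={detect_layout(line)}")
```

Running the block against the two constructed lines shows the legacy rule accepting only the old-order line and the corrected rule accepting only the RFC 5424 line; detect_layout is a quick way to confirm which layout a captured message from your own SEPM actually uses before you change the SIEM rule.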

Environment


Resolution

Reconfigure the SIEM parsing rules or filters for SEPM log data to use the RFC 5424 field order, with HOSTNAME before APP-NAME in the header. Before changing the rules, capture a raw message from the upgraded SEPM (for example, from the SIEM's raw-log view) and confirm that the header fields are in the new order.

Refer to the documentation for your particular SIEM solution for the steps to reconfigure it.