After upgrading the Symantec Endpoint Protection Manager (SEPM) to Symantec Endpoint Protection (SEP) 12.1 RU6 MP4, data from the SEPM does not appear in reports generated from the syslog data.
Your Security Information and Event Management (SIEM) system is configured to filter for an RFC noncompliant format of SEPM data.
Prior to version 12.1 RU6 MP4, SEPM formatted the log data for the syslog export using the following format:
[PRI] [VERSION][TIMESTAMP] [APP-NAME] [HOSTNAME] ...
This format did not comply with RFC5424, section 6, which defines the proper format for messages using syslog.
Beginning with 12.1.6 MP4 (12.1.6867.6400), this format error was corrected, and the data is now formatted properly, as follows:
[PRI] [VERSION][TIMESTAMP] [HOSTNAME] [APP-NAME] ...
If your SIEM is configured to filter the SEPM data based on the noncompliant format (APP-NAME before HOSTNAME), it may no longer show data from the SEPM, because the field order has changed.
Reconfigure your SIEM to use the RFC-compliant format for the SEPM log data.
Please refer to the documentation for your particular SIEM solution for steps on how to reconfigure it.
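As an added illustration, not Symantec's code or any particular SIEM's configuration, the following Python parser accepts both the legacy SEPM header order and the RFC 5424 order, so a migration-time filter keeps events from either version; the app-name "SEPMApp", the host name and the message text are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 section 6 header layout:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP ...
# Fields 3 and 4 are captured positionally so the parser can tell whether a
# line uses the compliant order (HOSTNAME APP-NAME) or the legacy SEPM order
# (APP-NAME HOSTNAME) produced before 12.1 RU6 MP4.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<field3>\S+) (?P<field4>\S+) (?P<procid>\S+) (?P<msgid>\S+)"
    r"(?: (?P<remainder>.*))?$"
)

@dataclass
class SepmHeader:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    rfc_compliant: bool   # True when HOSTNAME precedes APP-NAME
    remainder: str        # STRUCTURED-DATA and MSG, left unparsed here

def parse_sepm_syslog(line: str, app_names: set) -> Optional[SepmHeader]:
    """Parse one syslog line, accepting either SEPM header ordering."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                     # PRI = facility*8 + severity, max 23*8+7
        return None
    f3, f4 = m["field3"], m["field4"]
    if f4 in app_names:               # compliant: HOSTNAME then APP-NAME
        hostname, appname, compliant = f3, f4, True
    elif f3 in app_names:             # legacy: APP-NAME then HOSTNAME
        hostname, appname, compliant = f4, f3, False
    else:
        return None                   # not from a configured SEPM app-name
    return SepmHeader(pri // 8, pri % 8, m["timestamp"], hostname, appname,
                      m["procid"], m["msgid"], compliant, m["remainder"] or "")

def filter_sepm(lines, app_names):
    """Keep every SEPM line regardless of header order (migration-safe filter)."""
    return [h for h in (parse_sepm_syslog(l, app_names) for l in lines) if h]

# Constructed sample input; "SEPMApp" and the host name are placeholders.
APP_NAMES = {"SEPMApp"}
LEGACY_LINE = "<14>1 2016-03-01T10:15:00Z SEPMApp sepm01.example.com - - - Scheduled scan completed"
NEW_LINE = "<14>1 2016-03-01T10:15:00Z sepm01.example.com SEPMApp - - - Scheduled scan completed"
SAMPLE_LINES = [LEGACY_LINE, NEW_LINE,
                "<14>1 2016-03-01T10:16:00Z otherhost sshd 123 - - session opened"]

if __name__ == "__main__":
    for h in filter_sepm(SAMPLE_LINES, APP_NAMES):
        print(h.hostname, h.appname, "compliant" if h.rfc_compliant else "legacy")
```

A SIEM rule that keys only on the fourth field being the SEPM app-name is the kind of filter this replaces; matching on both positions keeps historical and post-upgrade events in the same report.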