Syslog server shows server name before SymantecServer label in logs received from Symantec Endpoint Protection Manager


Article ID: 163675



Endpoint Protection


After configuring the Symantec Endpoint Protection Manager (SEPM) to forward logs to an external logging server, the logs arrive at the syslog server with the SEPM server name before the SymantecServer label. In some cases the ComputerName label may be missing as well, which puts the affected computer's name directly after the SymantecServer label and can lead to confusion.

No errors are seen.


This is by design and follows the RFC for syslog as outlined in the following article:

RFC 5424 - The Syslog Protocol

Per RFC 5424, the HOSTNAME comes before the APP-NAME, with "SymantecServer" being the APP-NAME. The colon after SymantecServer signifies the end of the header information and the beginning of the message data.
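For a log pipeline that ingests these lines, the sketch below separates the SEPM server name (HOSTNAME) from the affected computer's name, including the case where the ComputerName label is missing. It is an added example, not Symantec's code: the function name `parse_sepm_line`, the sample lines, and the comma-separated `Label: value` layout of the message data are assumptions constructed for illustration.

```python
import re

# HOSTNAME is the token immediately before the "SymantecServer" APP-NAME;
# the colon after the label ends the header and starts the message data.
HEADER = re.compile(r"(?P<host>\S+) SymantecServer: (?P<msg>.*)")

# Constructed sample lines (field names other than ComputerName are invented).
SAMPLE_LINES = [
    "<54>Jan 12 10:15:02 sepm01 SymantecServer: ComputerName: ws-042,Category: 2,Event: scan complete",
    "<54>Jan 12 10:15:09 sepm01 SymantecServer: ws-042,Category: 2,Event: scan complete",
]

def parse_sepm_line(line):
    """Return a dict describing one forwarded SEPM line, or None if no header."""
    m = HEADER.search(line.strip())
    if m is None:
        return None
    record = {
        "sepm_server": m.group("host"),   # the manager that forwarded the log
        "computer": None,                 # the endpoint the event is about
        "computer_label_missing": False,
        "fields": {},
    }
    # Assumption: message data is comma-separated "Label: value" pairs.
    parts = [p.strip() for p in m.group("msg").split(",")]
    for index, part in enumerate(parts):
        label, sep, value = part.partition(": ")
        if sep:
            record["fields"][label] = value
            if label == "ComputerName":
                record["computer"] = value
        elif index == 0 and part:
            # Unlabelled first field: treated as the affected computer's name,
            # per the behaviour this article describes.
            record["computer"] = part
            record["computer_label_missing"] = True
    return record

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_sepm_line(sample)
        print(parsed["sepm_server"], parsed["computer"],
              parsed["computer_label_missing"])
```

Keeping `sepm_server` and `computer` as separate fields prevents events from every endpoint being attributed to the manager's hostname in downstream searches and alerts.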