
Syslog server shows server name before SymantecServer label in logs received from Symantec Endpoint Protection Manager

Article ID: 163675

Products

Endpoint Protection

Issue/Introduction

After configuring the Symantec Endpoint Protection Manager (SEPM) to forward logs to an external logging server, the logs arrive at the syslog server with the SEPM server name placed before the SymantecServer label. In some cases the ComputerName label is missing as well, so the affected computer's name appears directly after the SymantecServer label; the two names can then be confused with each other.

No errors are seen.

Resolution

This is by design and follows the RFC for syslog as outlined in the following article:

RFC 5424 - The Syslog Protocol

Per RFC 5424, the HOSTNAME field precedes the APP-NAME field, and "SymantecServer" is the APP-NAME. The name in front of SymantecServer is therefore the SEPM server that generated the syslog message, not the affected endpoint. The colon after SymantecServer marks the end of the header and the beginning of the message data.
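The following parser is an added example, not code from the article or from Symantec. It splits a forwarded line into the SEPM hostname, the SymantecServer APP-NAME and the message data, and handles the case described above where no ComputerName label is present and the endpoint name sits directly after the header. The sample lines and the field names inside the message (for example "Computer name", "Local Host IP") are constructed assumptions, not a documented SEPM format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines (assumption, not taken from the article). The header
# layout follows the article: HOSTNAME (the SEPM) comes before the APP-NAME
# "SymantecServer", and the colon ends the header. Line 2 has no
# "Computer name:" label, so the endpoint name follows the header directly.
SAMPLE_LINES = [
    "<51>Jun  3 14:21:07 SEPM01 SymantecServer: Security risk found,"
    "Computer name: WS-FINANCE-07,IP Address: 10.1.2.3,Action: Quarantined",
    "<54>Jun  3 14:21:09 SEPM01 SymantecServer: WS-FINANCE-07,"
    "Local Host IP: 10.1.2.3,Event: Application has been blocked",
]

HEADER_RE = re.compile(
    r"^(?:<\d+>)?"                                               # optional PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"       # timestamp
    r"(?P<hostname>\S+)\s+"                                      # HOSTNAME = SEPM
    r"(?P<app>SymantecServer):\s*"                               # APP-NAME + colon
    r"(?P<msg>.*)$"                                              # message data
)


@dataclass
class SepmEvent:
    sepm_host: str                      # from HOSTNAME, never the endpoint
    computer_name: Optional[str]        # the affected endpoint, if identifiable
    fields: Dict[str, str] = field(default_factory=dict)
    unlabeled: List[str] = field(default_factory=list)


def parse_sepm_line(line: str) -> SepmEvent:
    """Split header from message data and separate SEPM host from endpoint name."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a SymantecServer syslog line: %r" % line)
    labeled: Dict[str, str] = {}
    unlabeled: List[str] = []
    for part in (p.strip() for p in m.group("msg").split(",")):
        key, sep, value = part.partition(":")
        if sep:
            labeled[key.strip()] = value.strip()
        else:
            unlabeled.append(part)
    # Prefer the explicit label; otherwise fall back to the first unlabeled
    # field, which is where the article says the computer name lands when the
    # ComputerName label is missing.
    computer = labeled.get("Computer name")
    if computer is None and unlabeled:
        computer = unlabeled[0]
    return SepmEvent(m.group("hostname"), computer, labeled, unlabeled)
```

The fallback is a heuristic: an unlabeled leading field is only the endpoint name when the label really is absent, so a SIEM rule should still key on the labeled field whenever it is present.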