Endpoint Protection Risk logs sent to an external Syslog server are delayed up to 15 minutes


Article ID: 169532




Endpoint Protection


Risk logs from a client take up to 15 minutes to be sent to the syslog server by the Symantec Endpoint Protection Manager (SEPM).


If the "Let clients upload critical events immediately" option is selected in the group communication settings, risk logs are sent from the client to the SEPM within approximately 1 minute of the event occurring.

All other non-critical events are uploaded at the client's normal heartbeat interval.  

After the upload, logs are processed and added to the SEPM database, typically within 2 minutes.

The SEPM then holds client logs for up to 15 minutes before forwarding them to the syslog server.



  • SEP 12.1 RU2 and later
  • SEP 14 and later


This functionality is by design. It ensures that no logs are missed or incomplete when being sent to the syslog server.
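For SIEM tuning, the stage delays described above add up to a by-design lag budget. The following added example (not Symantec code) computes that budget and flags records that reached the syslog server later than it allows; the heartbeat interval, the one-minute slack and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Figures stated in the article
CRITICAL_UPLOAD = timedelta(minutes=1)   # approx., with immediate upload enabled
SEPM_PROCESSING = timedelta(minutes=2)   # typical time to reach the SEPM database
SYSLOG_HOLD_MAX = timedelta(minutes=15)  # by-design hold before forwarding

# Assumptions (not from the article): heartbeat interval and tolerance
ASSUMED_HEARTBEAT = timedelta(minutes=5)
ASSUMED_SLACK = timedelta(minutes=1)


def lag_budget(critical, immediate_upload, heartbeat=ASSUMED_HEARTBEAT,
               slack=ASSUMED_SLACK):
    """Worst-case by-design delay between an event and its syslog receipt."""
    # Critical events skip the heartbeat wait only if the option is enabled.
    upload = CRITICAL_UPLOAD if (critical and immediate_upload) else heartbeat
    return upload + SEPM_PROCESSING + SYSLOG_HOLD_MAX + slack


def overdue(records, immediate_upload=True, heartbeat=ASSUMED_HEARTBEAT):
    """Return (event_id, lag, budget) for records later than the budget.

    Each record is (event_id, is_critical, occurred_at, received_at);
    both timestamps must come from synchronised clocks in one time zone.
    """
    late = []
    for event_id, critical, occurred, received in records:
        lag = received - occurred
        budget = lag_budget(critical, immediate_upload, heartbeat)
        if lag > budget:
            late.append((event_id, lag, budget))
    return late


# Constructed sample: event time on the client vs. receipt time at the SIEM
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE = [
    ("risk-1", True, T0, T0 + timedelta(minutes=16, seconds=30)),
    ("risk-2", True, T0, T0 + timedelta(minutes=25)),
    ("sys-1", False, T0, T0 + timedelta(minutes=21)),
    ("sys-2", False, T0, T0 + timedelta(minutes=40)),
]

if __name__ == "__main__":
    for event_id, lag, budget in overdue(SAMPLE):
        print(f"{event_id}: lag {lag} exceeds by-design budget {budget}")
```

The value returned by `lag_budget` is also the minimum lookback a correlation rule needs so that risk events arriving within the by-design delay are not missed.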