Endpoint Protection Risk logs sent to an external Syslog server are delayed up to 15 minutes

Article ID: 169532

Products

Endpoint Protection

Issue/Introduction

Risk log events from a client take up to 15 minutes to be forwarded to the external syslog server by the Symantec Endpoint Protection Manager (SEPM), even though the client reports them to the SEPM much sooner.

Cause

The delay is the sum of three stages between the client and the syslog server.

Risk log events are sent from the client to the SEPM within approximately 1 minute of the event occurring if the "Let clients upload critical events immediately" option is selected in the group's communication settings. All other non-critical events are uploaded at the client's normal heartbeat interval.

After upload, the SEPM processes the logs and inserts them into its database, typically within 2 minutes.

The SEPM then holds the client logs for up to 15 minutes before forwarding them to the syslog server. With immediate upload of critical events enabled, the worst-case end-to-end delay from event to syslog is therefore roughly 18 minutes; without it, add the heartbeat interval instead of the 1 minute.
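To tell this by-design latency apart from a genuine forwarding problem, the following added script (not Symantec/Broadcom code, and not part of the original article) computes the expected delay budget from the figures above and checks observed risk log lines against it. The log line layout, the host name sepm01, the "Event time:" field and the ISO 8601 receive timestamp are constructed assumptions for the example; the real SEPM external-logging format may differ, so adapt the two regular expressions to your own syslog output. Both timestamps are assumed to be UTC.

```python
"""Triage SEPM-to-syslog risk log latency against the documented delay budget.

Added example, not Symantec/Broadcom code. The sample lines and their layout
are constructed for this example and do not reproduce the real SEPM format.
"""
import re
from datetime import datetime, timedelta

# Delay budget from the article: critical events reach the SEPM in about
# 1 minute (other events wait for the heartbeat), database processing takes
# about 2 minutes, and the SEPM holds logs up to 15 minutes before forwarding.
CRITICAL_UPLOAD = timedelta(minutes=1)
DB_PROCESSING = timedelta(minutes=2)
SYSLOG_FORWARD_HOLD = timedelta(minutes=15)

# Constructed sample lines (hypothetical layout): the syslog receive time in
# UTC, the SEPM host, then a message body whose "Event time:" field carries
# the time the client recorded the detection.
SAMPLE_LINES = [
    "2024-03-01T10:18:30Z sepm01 SymantecServer: Security risk found,"
    "Computer name: HOST1,Risk name: EICAR Test String,Event time: 2024-03-01 10:03:40",
    "2024-03-01T10:05:10Z sepm01 SymantecServer: Security risk found,"
    "Computer name: HOST2,Risk name: EICAR Test String,Event time: 2024-03-01 10:05:00",
    "2024-03-01T10:40:00Z sepm01 SymantecServer: Security risk found,"
    "Computer name: HOST3,Risk name: EICAR Test String,Event time: 2024-03-01 10:05:00",
]

RECEIVED_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\s")
EVENT_TIME_RE = re.compile(r"Event time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
HOST_RE = re.compile(r"Computer name: ([^,]+)")


def expected_max_delay(heartbeat, critical_upload_enabled):
    """Worst-case event-to-syslog delay under the article's three-stage model."""
    upload = CRITICAL_UPLOAD if critical_upload_enabled else heartbeat
    return upload + DB_PROCESSING + SYSLOG_FORWARD_HOLD


def parse_line(line):
    """Return (received, event_time, host) from one line, or None if it does not parse."""
    m_recv = RECEIVED_RE.match(line)
    m_evt = EVENT_TIME_RE.search(line)
    m_host = HOST_RE.search(line)
    if not (m_recv and m_evt and m_host):
        return None
    received = datetime.strptime(m_recv.group(1), "%Y-%m-%dT%H:%M:%S")
    event_time = datetime.strptime(m_evt.group(1), "%Y-%m-%d %H:%M:%S")
    return received, event_time, m_host.group(1)


def triage(lines, heartbeat, critical_upload_enabled):
    """Classify each line by its observed delay.

    A delay within the budget is the documented by-design latency. A delay
    above it, or a negative delay (clock skew between client and syslog
    server), is the case worth investigating.
    """
    budget = expected_max_delay(heartbeat, critical_upload_enabled)
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            results.append({"host": None, "error": "unparseable line"})
            continue
        received, event_time, host = parsed
        delay = received - event_time
        results.append({
            "host": host,
            "delay_seconds": int(delay.total_seconds()),
            "within_budget": timedelta(0) <= delay <= budget,
            "budget_seconds": int(budget.total_seconds()),
        })
    return results


if __name__ == "__main__":
    # Group set to a 5-minute heartbeat with immediate upload of critical events.
    for row in triage(SAMPLE_LINES, timedelta(minutes=5), True):
        print(row)
```

With a 5-minute heartbeat and immediate upload enabled the budget is 18 minutes, so the first two sample lines (14 min 50 s and 10 s) are within it and only the third (35 minutes) is flagged. Run the same lines with a 30-minute heartbeat and immediate upload disabled and the budget grows to 47 minutes, which is why the heartbeat setting must be known before declaring a delay abnormal.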


Environment

  • SEP 12.1 RU2 and later
  • SEP 14 and later

Resolution

This functionality is by design. Holding the logs for up to 15 minutes ensures that no events are missed or forwarded incomplete when they are sent to the syslog server.

When setting SIEM alerting or SLA thresholds on SEPM events, allow for this 15-minute hold on top of the client heartbeat interval (or the approximately 1 minute for critical events) and the roughly 2 minutes of database processing, and correlate on the event time carried in the log rather than on the time the syslog server received it.