You seek to integrate your Symantec Endpoint Detection and Response (SEDR) with a syslog server.
For more information, please refer to: About syslog server connections
ECC, endpoint activity recorder, and search data are not forwarded to syslog.
See About syslog server connections for an explanation of what data is forwarded via SEDR syslog.
There are multiple possible causes:
- Syslog over UDP. The User Datagram Protocol offers no delivery guarantee, so a lost packet is never retransmitted.
- Data size limit: EDR does not impose a specific limit on the size of an incident to be sent beyond that specified by RFC5426. RFC5426 specifies a maximum payload size of 65535 octets minus the UDP or TCP header and minus the IP header. Internally there is a limitation by design of the IPC mechanism inside the SEDR appliance: currently a maximum of 200MB is set for exchanging data between processes using the so-called cx_ipc mechanism.
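The two causes above can be reproduced on a single host. The following is an added example, not Symantec's code and not taken from the article: it builds an RFC 5424-style record, classifies it against the UDP datagram ceiling and the 200MB internal cap quoted above, and then sends an oversized record to loopback receivers over UDP (where the kernel refuses the datagram) and over TCP with RFC 6587 octet-counting framing (where it arrives intact). Hostnames, the timestamp, the application name and the payload are constructed placeholders.

```python
"""Added example: a large syslog record cannot cross UDP in one datagram
but is delivered over TCP.  Everything runs on loopback; the hostnames,
timestamp, app name and payload below are constructed, not from the article."""
import socket
import threading

# RFC 5426 (syslog over UDP): one message per datagram, and the IPv4
# total-length field caps a datagram at 65535 octets.  Subtract the minimum
# IPv4 header (20) and the UDP header (8) to get the largest usable payload.
MAX_IPV4_DATAGRAM = 65535
IPV4_HEADER = 20
UDP_HEADER = 8
MAX_UDP_PAYLOAD = MAX_IPV4_DATAGRAM - IPV4_HEADER - UDP_HEADER  # 65507

# Internal inter-process exchange cap quoted in the article (200MB).
SEDR_IPC_LIMIT = 200 * 1024 * 1024


def build_syslog_record(app: str, msg: str, facility: int = 1, severity: int = 6) -> bytes:
    """Minimal RFC 5424 record: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    header = f"<{pri}>1 2024-01-01T00:00:00Z edr-appliance {app} - - -"
    return f"{header} {msg}".encode()


def classify(record: bytes) -> str:
    """Report which transport can carry the record in one piece."""
    n = len(record)
    if n > SEDR_IPC_LIMIT:
        return "exceeds SEDR internal limit"
    if n > MAX_UDP_PAYLOAD:
        return "TCP only (larger than one UDP datagram)"
    return "UDP or TCP"


def send_udp_loopback(record: bytes) -> tuple:
    """Try to send the whole record as a single UDP datagram to a loopback socket.
    Returns (sent_ok, detail)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(record, rx.getsockname())
        return True, "datagram sent"
    except OSError as exc:  # EMSGSIZE: the kernel refuses oversize datagrams
        return False, f"kernel refused: {exc.strerror}"
    finally:
        tx.close()
        rx.close()


def send_tcp_loopback(record: bytes) -> bytes:
    """Deliver the record over TCP with RFC 6587 octet-counting framing
    ("LENGTH " prefix) and return what the receiver reassembled."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = bytearray()

    def receiver():
        conn, _ = srv.accept()
        with conn:
            buf = bytearray()
            while b" " not in buf:  # read the "LENGTH " prefix byte by byte
                b = conn.recv(1)
                if not b:
                    return
                buf += b
            length_str, _, rest = bytes(buf).partition(b" ")
            received.extend(rest)
            need = int(length_str)
            while len(received) < need:  # stream reassembly: no datagram ceiling
                chunk = conn.recv(65536)
                if not chunk:
                    break
                received.extend(chunk)

    t = threading.Thread(target=receiver)
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(f"{len(record)} ".encode() + record)
    t.join()
    srv.close()
    return bytes(received)


if __name__ == "__main__":
    big = build_syslog_record("sedr", "x" * 70_000)  # constructed oversize payload
    print(classify(big))
    print(send_udp_loopback(big))
    print("TCP delivered intact:", send_tcp_loopback(big) == big)
```

The UDP send of the 70 KB record fails before it leaves the host, which is the hard limit the article describes; a record that does fit a datagram can still be silently lost in transit, which the classification cannot detect, so a TCP connection is the only way to get both the size headroom and a delivery signal.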