
Integrating Endpoint Detection and Response with syslog servers


Article ID: 174334


Products

Endpoint Detection and Response

Issue/Introduction

You seek to integrate your Symantec Endpoint Detection and Response (SEDR) with a syslog server.

Resolution

Configure EDR to connect to a syslog server

  1. Configure EDR to use either the default syslog server connection or a custom syslog connection for a single appliance:
    1. To configure the syslog server connection for the default appliance, do the following:
      1. Do one of the following:
        • In the EDR cloud console, click Environment -> Settings, select an appliance and then click Appliances.
        • In the EDR appliance console, click Settings -> Appliances.
      2. Click Edit Default Appliance.
    2. To configure a custom syslog server connection for a single appliance, do the following:
      1. Do one of the following:
        • In the EDR cloud console, click Environment -> Settings, select an appliance and then click Appliances.
        • In the EDR appliance console, click Settings -> Appliances.
      2. Double-click the device in the Appliances list.
      3. In the Syslog section, uncheck Use default if it is checked.
  2. Click +Add Syslog Server.
  3. In the Add Syslog Server dialog box, in the Host field, type the IP address of the syslog server.
  4. In the Protocol field, select the appropriate protocol.
  5. In the Port field, type the port on which the syslog server accepts syslog messages.
    Syslog usually uses port 514.
  6. Click Save.

For more information, please refer to: About syslog server connections

Additional Information

What events are forwarded?

ECC, endpoint activity recorder, and search data are not forwarded to syslog.

See About syslog server connections for an explanation of what data is forwarded via SEDR syslog.


I used UDP syslog and some of my events are missing. Why?

There are multiple possible causes:

- Syslog via UDP: the User Datagram Protocol offers no delivery guarantee, so a datagram lost in transit is never resent.

- Data size limit: EDR does not impose a specific limit on the size of an incident to be sent beyond what RFC 5426 specifies. RFC 5426 specifies a maximum payload size of 65535 octets minus the UDP (or TCP) header and minus the IP header. Internally, there is a by-design limitation of the IPC mechanism inside the SEDR appliance: currently 200 MB is the maximum size for data exchanged between processes via the so-called cx_ipc mechanism.
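The following script is an added example, not part of this article or of the SEDR product, that exercises the two points above: the Host/Protocol/Port settings from the configuration steps, and the difference between UDP and TCP delivery described in this FAQ. It builds RFC 5424-formatted lines carrying a constructed, EDR-style event, checks each line against the RFC 5426 datagram ceiling (65535 octets minus the 8-octet UDP header and 20-octet IPv4 header), and then forwards the lines to a throwaway loopback receiver over UDP and over TCP (octet-counting framing per RFC 6587), returning sent and received counts so the two transports can be compared. The hostname, application name and event text are placeholders; run it against a real collector by changing the host and port in `main()`.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# RFC 5426 ceiling for one syslog datagram over IPv4 (assumed header sizes: UDP 8, IPv4 20).
MAX_UDP_PAYLOAD = 65535 - 8 - 20  # 65507 octets


def build_rfc5424(hostname: str, appname: str, msg: str, msgid: str = "-") -> bytes:
    """Return a minimal RFC 5424 line: PRI, VERSION=1, timestamp, host, app, no PROCID/SD."""
    pri = 16 * 8 + 6  # facility local0 (16), severity informational (6) -> <134>
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return f"<{pri}>1 {ts} {hostname} {appname} - {msgid} - {msg}".encode()


def fits_udp(payload: bytes) -> bool:
    """True if the payload fits in a single RFC 5426 datagram; larger events need TCP."""
    return len(payload) <= MAX_UDP_PAYLOAD


def _recv_udp(sock: socket.socket, received: list, stop: threading.Event) -> None:
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, _ = sock.recvfrom(65535)
            received.append(data)
        except socket.timeout:
            continue


def _recv_tcp(listener: socket.socket, received: list) -> None:
    listener.settimeout(2)
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        return
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:  # sender closed: whole stream is in buf
                break
            buf += chunk
    # Split RFC 6587 octet-counted frames: "<len> <msg>"
    while buf:
        length, _, rest = buf.partition(b" ")
        n = int(length)
        received.append(rest[:n])
        buf = rest[n:]


def forward_and_count(protocol: str, messages: list, host: str = "127.0.0.1") -> tuple:
    """Forward messages to a loopback receiver over UDP or TCP; return (sent, received)."""
    received: list = []
    proto = protocol.upper()
    if proto == "UDP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind((host, 0))  # ephemeral port stands in for the collector's port (e.g. 514)
        port = srv.getsockname()[1]
        stop = threading.Event()
        t = threading.Thread(target=_recv_udp, args=(srv, received, stop))
        t.start()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            for m in messages:
                cli.sendto(m, (host, port))  # fire-and-forget: no acknowledgement, no resend
        deadline = time.time() + 1.0
        while len(received) < len(messages) and time.time() < deadline:
            time.sleep(0.05)
        stop.set()
        t.join()
        srv.close()
    elif proto == "TCP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((host, 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        t = threading.Thread(target=_recv_tcp, args=(srv, received))
        t.start()
        with socket.create_connection((host, port)) as cli:
            for m in messages:
                cli.sendall(b"%d %s" % (len(m), m))  # stream delivery with retransmission
        t.join()
        srv.close()
    else:
        raise ValueError("protocol must be UDP or TCP")
    return len(messages), len(received)


def main() -> None:
    # Constructed sample events; hostname and app name are placeholders.
    msgs = [build_rfc5424("sedr-appliance.example", "EDR", f"constructed event {i}") for i in range(10)]
    for m in msgs:
        if not fits_udp(m):
            print("event exceeds RFC 5426 datagram size; use TCP")
    for proto in ("UDP", "TCP"):
        sent, got = forward_and_count(proto, msgs)
        print(f"{proto}: sent={sent} received={got}")


if __name__ == "__main__":
    main()
```

On loopback both transports will normally show sent == received; the gap the FAQ describes appears only on a real, lossy path, which is why a missing-event investigation should compare the appliance's send count with the collector's receive count per transport, and why large incidents should be forwarded over TCP.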