The Cisco IronPort product does not display in the Syslog Director even with all requirements met to do so.
Cisco IronPort does not use Syslog. IronPort can send messages to a port on a remote logging server, but the messages are not in Syslog format.
The Cisco IronPort collector cannot be used in the Syslog Director.
To use the Cisco IronPort collector on the Symantec Security Information Manager (SSIM) appliance:
This should open a second socket on the port 10514 and will be able to listen at the same time as the Syslog director. For this to work, you will need to disable the syslogdirector collector first,restart the event agent,enable the Ironport collector then enable the syslogdirector.
Note: In this setup the customer will have to create a Sensor for each Cisco IronPort appliance they have. They should all listen on port 10514 but on different hostname sockets.
CISCO IronPort configuration interface only allows to send the syslog messages on port 514. There is no option to select another port than this default.