Symantec Endpoint Protection Manager logs all messages to syslog server with Informational severity

Article ID: 178151

Products

Endpoint Protection

Issue/Introduction

When SEPM External Logging is configured to transmit messages to a syslog server, all messages from the SEPM appear on the syslog server with Informational severity. Why is there no mapping between SEPM and syslog severity levels?

Symptoms
According to Log Filter settings of External Logging configuration, the SEPM may log events with 4 levels of severity – Info, Warning, Error and Fatal.


SEPM logs that are exported to a dump file will display these different severity levels, but all SEPM log entries on syslog server appear as Informational

According to RFC3164, syslog servers support 8 levels of severity.

Cause

This issue has been fixed in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH103088: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x


Resolution

This document will be updated as soon as more information becomes available.


References
RFC3164 - The BSD Syslog Protocol

http://www.ietf.org/rfc/rfc3164.txt

Note: syslog "Priority" is a combination of Facility and Severity, sometimes expressed as two values separated by a dot (e.g. lpr.info).
The syslog Facility can be changed by adjusting "Log Facility" in the SEPM External Logging configuration.
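The following is an added example (not code from this article or from Symantec) showing how the RFC 3164 Priority value encodes Facility and Severity, and how a collector-side check can confirm the symptom described above: every message arriving with Severity "info" regardless of the level SEPM assigned. The sample messages are constructed, with hypothetical bodies that do not reproduce the real SEPM message format.

```python
import re
from collections import Counter

# RFC 3164 facility keywords, indexed by facility code 0..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# RFC 3164 severity keywords, indexed by severity code 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """Priority = facility * 8 + severity, e.g. lpr.info -> 6*8 + 6 = 54."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a numeric PRI back into (facility, severity) keywords."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of RFC 3164 range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line):
    """Return (facility, severity, remainder) for one RFC 3164 message."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("message has no <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, line[m.end():]


def severity_counts(lines):
    """Count how many messages arrived at each syslog severity."""
    return Counter(parse_line(line)[1] for line in lines)


def all_informational(lines):
    """True when every message carries severity 'info': the symptom in this article."""
    return set(severity_counts(lines)) == {"info"}


# Constructed sample messages (hypothetical bodies, not real SEPM output):
# every line carries PRI 54 (lpr.info) although the bodies claim different levels.
SAMPLE_LINES = [
    "<54>Mar 10 12:00:01 sepm-host SEPM: Severity=Info, Server started",
    "<54>Mar 10 12:00:02 sepm-host SEPM: Severity=Warning, Disk space low",
    "<54>Mar 10 12:00:03 sepm-host SEPM: Severity=Fatal, Database connection lost",
]

if __name__ == "__main__":
    print(severity_counts(SAMPLE_LINES))  # Counter({'info': 3})
```

Running the check over a sample of real SEPM syslog traffic tells you whether the build in use still flattens every event to Informational before you rely on syslog severity for alerting.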