When SEPM External Logging is configured to transmit messages to a syslog server, all messages from the SEPM appear on the syslog server with Informational severity. Why is there no mapping between SEPM and syslog severity levels?
According to the Log Filter settings of the External Logging configuration, the SEPM may log events with four levels of severity: Info, Warning, Error and Fatal.
SEPM logs exported to a dump file show these different severity levels, but all SEPM log entries on the syslog server appear as Informational.
According to RFC3164, syslog supports eight levels of severity (0 Emergency through 7 Debug), so each of the four SEPM levels could be mapped to a distinct syslog severity; before the fix the SEPM did not do this.
This issue has been fixed in Symantec Endpoint Protection 11 Release Update 6 Maintenance Patch 1 (RU6 MP1). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH103088: Obtaining an upgrade or update for Symantec Endpoint Protection 11.x or Symantec Network Access Control 11.x
This document will be updated as soon as more information becomes available.
RFC3164 - The BSD Syslog Protocol
Note--syslog "Priority" is a combination of Facility and Severity, sometimes expressed as two values separated by a dot (e.g. lpr.info). On the wire it is the numeric PRI value at the start of each message, computed as Facility * 8 + Severity (lpr.info is 6 * 8 + 6 = 54).
Syslog Facility can be changed by adjusting "Log Facility" in the SEPM External Logging configuration; Severity is not configurable there.
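The following is an added example, not code from the original article or from Symantec. It decodes and builds RFC3164 PRI values (Facility * 8 + Severity) and checks for the symptom described above: a dump file reporting several SEPM levels while every forwarded message arrives with a single syslog severity. The SEPM_TO_SYSLOG mapping is an assumption for illustration only; the article does not state which syslog severities the fixed build emits. The sample syslog lines and the "SymantecServer" tag are constructed.

```python
"""Decode RFC 3164 syslog PRI values and detect flattened SEPM severities.

Added example for the KB article; not Symantec code. The SEPM-to-syslog
mapping is an assumption, since the article does not specify it.
"""
import re

# RFC 3164 severities 0..7 and facilities 0..23, indexed by their numeric code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# ASSUMED mapping of the four SEPM levels onto syslog severities (illustrative).
SEPM_TO_SYSLOG = {"Info": "info", "Warning": "warning", "Error": "err", "Fatal": "crit"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = Facility * 8 + Severity, as RFC 3164 section 4.1.1 defines it."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a numeric PRI back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line):
    """Return the facility, severity and the text after the <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header at start of line: %r" % line[:40])
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "rest": m.group(2)}


def sepm_pri(facility, sepm_level):
    """PRI a forwarder would send for a SEPM level under the assumed mapping."""
    return encode_pri(facility, SEPM_TO_SYSLOG[sepm_level])


def severities_seen(lines):
    """Set of syslog severity names present in a batch of received lines."""
    return {parse_syslog_line(line)["severity"] for line in lines}


def severity_is_flattened(syslog_lines, dump_levels):
    """Reproduce the KB's observation: the dump file shows more than one SEPM
    level, yet every forwarded message arrives as Informational."""
    return len(set(dump_levels)) > 1 and severities_seen(syslog_lines) == {"info"}


# Constructed sample: four events whose SEPM dump file shows four levels, but
# which all arrive with PRI 134 (local0.info), as described for builds before RU6 MP1.
CONSTRUCTED_DUMP_LEVELS = ["Info", "Warning", "Error", "Fatal"]
CONSTRUCTED_PRE_FIX = [
    "<134>Jan 10 12:00:01 sepm01 SymantecServer: constructed event 1",
    "<134>Jan 10 12:00:02 sepm01 SymantecServer: constructed event 2",
    "<134>Jan 10 12:00:03 sepm01 SymantecServer: constructed event 3",
    "<134>Jan 10 12:00:04 sepm01 SymantecServer: constructed event 4",
]

# The same four events with each SEPM level mapped (assumed mapping): PRI 134, 132, 131, 130.
CONSTRUCTED_MAPPED = [
    "<%d>Jan 10 12:00:0%d sepm01 SymantecServer: constructed event %d"
    % (sepm_pri("local0", level), i + 1, i + 1)
    for i, level in enumerate(CONSTRUCTED_DUMP_LEVELS)
]


if __name__ == "__main__":
    print("lpr.info PRI:", encode_pri("lpr", "info"))
    print("pre-fix severities:", severities_seen(CONSTRUCTED_PRE_FIX))
    print("flattened:", severity_is_flattened(CONSTRUCTED_PRE_FIX, CONSTRUCTED_DUMP_LEVELS))
    print("mapped severities:", severities_seen(CONSTRUCTED_MAPPED))
```

Running the check against a real capture is the quickest way to confirm whether a given SEPM build still exhibits the problem: feed it the raw lines from the syslog receiver together with the severity column from an exported dump file covering the same window, and a result of True means the severity information was lost in transit.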