Limiting the events sent to Syslog server by Endpoint Detection and Response
Article ID: 263313

Products

Endpoint Detection and Response

Issue/Introduction

Administrators may want to limit or filter the events that Endpoint Detection and Response (EDR) forwards to a Syslog server.

Environment

EDR 4.x.x

Cause

EDR generates a large volume of events. Administrators may therefore want to limit the events EDR forwards to the Syslog server, which saves storage space on that server.

Resolution

EDR sends the following event types to the Syslog server, as configured in the UI:

  • atp_incident
  • entity_audit_event
  • lcp_sep_alert_event
  • lcp_sep_risk_event
  • email_conviction_event
  • sep_proxy_insight_event
  • sep_proxy_ips_event
  • sep_proxy_sonar_event
  • sep_proxy_av_event
  • session_audit_event

There is no option in EDR to limit or filter the types of events sent to the Syslog server; the set of forwarded event types cannot be changed on the EDR side. If an administrator needs to drop or ignore some event types, that filtering must be configured on the Syslog server itself.

Syslog servers typically provide an option such as 'Log Collection Filters' to limit or filter events on the server side; use that option to achieve the desired result. Note that server-side filtering saves storage only: EDR still forwards every event over the network, so bandwidth and EDR-side processing are unchanged.
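As an added illustration (not part of the original article, and not Broadcom's or any syslog server's own code), the filter below shows the receive-side logic the article recommends: drop selected EDR event types before they reach disk, while keeping everything else, including lines that cannot be classified (fail open, so nothing is silently lost). The syslog lines are constructed samples. The layout of the EDR payload is an assumption: the example accepts either a JSON message carrying an assumed `event_type` key or a free-text message in which one of the listed event-type names appears as a whole token.

```python
import json
import re

# The event types the article lists as forwarded by EDR. Because EDR cannot
# be told to omit any of them, the filtering happens here, on the receiver.
EDR_EVENT_TYPES = frozenset({
    "atp_incident",
    "entity_audit_event",
    "lcp_sep_alert_event",
    "lcp_sep_risk_event",
    "email_conviction_event",
    "sep_proxy_insight_event",
    "sep_proxy_ips_event",
    "sep_proxy_sonar_event",
    "sep_proxy_av_event",
    "session_audit_event",
})

# Classic BSD syslog framing: "<PRI>Mon DD HH:MM:SS host tag: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)

# Constructed sample lines (not real EDR output); the JSON field name
# "event_type" is an assumption about the payload, not a documented key.
SAMPLE_LINES = [
    '<14>Mar  3 10:15:01 edr-mgmt edr: {"event_type": "sep_proxy_av_event", "device_name": "ws-01"}',
    '<14>Mar  3 10:15:02 edr-mgmt edr: {"event_type": "atp_incident", "severity": 5}',
    "<14>Mar  3 10:15:03 edr-mgmt edr: session_audit_event user=admin action=login",
    '<14>Mar  3 10:15:04 edr-mgmt edr: {"device_name": "ws-02", "note": "no type field"}',
    "garbage that is not syslog at all",
]


def event_type_of(line):
    """Return the EDR event type named in a syslog line, or None if unknown."""
    m = SYSLOG_RE.match(line)
    msg = m.group("msg") if m else line

    # Preferred path: a JSON payload with the (assumed) event_type key.
    try:
        obj = json.loads(msg)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        t = obj.get("event_type")
        if isinstance(t, str) and t in EDR_EVENT_TYPES:
            return t

    # Fallback: a listed event name appearing as a whole token in free text.
    # Whole-token matching avoids false hits on substrings inside other words.
    for token in re.findall(r"[A-Za-z_]+", msg):
        if token in EDR_EVENT_TYPES:
            return token
    return None


def filter_events(lines, drop):
    """Return (kept_lines, dropped_counts) after removing the event types in `drop`.

    Unknown or unparseable lines are kept: a collector should fail open so a
    format change on the sender side cannot silently discard data.
    """
    drop = frozenset(drop)
    unknown = drop - EDR_EVENT_TYPES
    if unknown:
        # Catch typos in the drop list early instead of silently filtering nothing.
        raise ValueError(f"not an EDR event type: {sorted(unknown)}")

    kept, dropped = [], {}
    for line in lines:
        t = event_type_of(line)
        if t in drop:
            dropped[t] = dropped.get(t, 0) + 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_LINES, {"sep_proxy_av_event", "session_audit_event"})
    for line in kept:
        print(line)
    print("dropped:", dropped)
```

The same decision can be expressed directly in a syslog daemon's filter rules instead of a separate process; in rsyslog, for instance, a property-based filter of the form `:msg, contains, "sep_proxy_av_event" stop` discards matching messages before any output action runs. Whichever form is used, keep the drop list short and explicit, and count what is dropped so that a later format change by EDR shows up as a change in those counts rather than as missing data.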