Hi,
We are using ESMC (latest version) with Endpoint Security on Windows devices. We have applied the policy "Device control - maximum security" to our Windows devices. ESMC is configured to send all logs to our syslog server, which is generally working fine. Server events (like web console logons) are logged via syslog, as are detected threats on endpoints.
However, we would also like to see events from Endpoint Security's device control in our syslog, specifically whenever a device is blocked. But so far I have had no luck.
Here's what I've configured so far:
- in the "block all devices" rule within the device control policy, "log severity" is set to "warning".
- in ESMC, I created a report template for displaying device control events - this is working, I can see those events in the report, so the events are indeed forwarded from the devices to ESMC.
- in ESMC's server settings under "advanced settings" -> "Logging", verbosity is set to "warning" (also tried "information").
Is there something I'm missing or is it just not possible to have device control events sent to syslog?
Thanks in advance!
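One way to check what the ESMC syslog export actually contains, as an added example that is not part of the post above and not ESET's code: a small Python script that pulls the JSON payload out of each syslog line and tallies the `event_type` values. It assumes ESMC is set to export in JSON format and that each message carries one JSON object with an `event_type` field (Threat_Event, Audit_Event, and so on); the field names and the three sample lines are constructed for illustration, and the "device" substring match is a guess, since no device-control event type is named in the post.

```python
"""Tally the event_type values arriving in an ESMC syslog export.

Added example; not from the original forum post and not ESET's code.
Assumes ESMC exports in JSON format and that every syslog message
carries one JSON object whose "event_type" field names the category.
Field names are an assumption modelled on the ESMC JSON export, not
copied from any real log.
"""
import json
from collections import Counter
from typing import Optional

# Constructed sample input: three syslog lines shaped like ESMC's JSON
# export, the last one deliberately not JSON so the parser skips it.
SAMPLE_SYSLOG = (
    '<14>1 2021-03-04T10:15:22Z esmc-srv ERAServer - - - '
    '{"event_type":"Threat_Event","ipv4":"10.0.0.21","hostname":"ws01",'
    '"severity":"Warning","threat_name":"Eicar","action_taken":"cleaned by deleting"}\n'
    '<14>1 2021-03-04T10:16:01Z esmc-srv ERAServer - - - '
    '{"event_type":"Audit_Event","ipv4":"10.0.0.5","hostname":"esmc-srv",'
    '"severity":"Information","action":"Login attempt","user":"Administrator","result":"Success"}\n'
    '<14>1 2021-03-04T10:16:40Z esmc-srv ERAServer - - - plain text, no payload\n'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the JSON object embedded in one syslog line, or None if there is none."""
    start = line.find("{")
    end = line.rfind("}")
    if start == -1 or end == -1 or end < start:
        return None
    try:
        payload = json.loads(line[start:end + 1])
    except json.JSONDecodeError:
        return None
    return payload if isinstance(payload, dict) else None


def tally_event_types(text: str) -> Counter:
    """Count event_type values over all lines; lines without a JSON payload are ignored."""
    counts: Counter = Counter()
    for line in text.splitlines():
        payload = parse_line(line)
        if payload is None:
            continue
        counts[payload.get("event_type", "<missing>")] += 1
    return counts


def has_device_control_events(counts: Counter) -> bool:
    """True if any observed event_type mentions 'device' (case-insensitive).

    Loose match by design: the post names no device-control event type,
    so this only surfaces whatever ESMC would send, if anything.
    """
    return any("device" in name.lower() for name in counts)


if __name__ == "__main__":
    observed = tally_event_types(SAMPLE_SYSLOG)
    for name, n in observed.most_common():
        print(f"{name:25s} {n}")
    if not has_device_control_events(observed):
        print("no device control events seen in this input")
```

To run it against real data, replace `SAMPLE_SYSLOG` with the lines captured on the syslog server over a window in which a device was deliberately blocked on a test machine; if the tally shows only the event types already known to arrive (threats, audit events) and nothing device-related, the events are not leaving ESMC, whatever the report template shows.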