ESMC: Forwarding device control events to syslog


fkl

Hi,

we are using ESMC (latest version) with Endpoint Security on Windows devices. We have applied the policy "Device control - maximum security" to our Windows devices.
ESMC is configured to send all logs to our syslog server, which is generally working fine. Server events (like webconsole logons) are logged using syslog, as well as detected threats on endpoints.

However, we would also like to see events from Endpoint Security's device control in our syslog, specifically whenever a device is blocked. But so far, I have had no luck.

Here's what I've configured so far:

- in the "block all devices" rule within the device control policy, "log severity" is set to "warning".
- in ESMC, I created a report template for displaying device control events - this is working, I can see those events in the report, so the events are indeed forwarded from the devices to ESMC.
- in ESMC's server settings under "advanced settings" -> "Logging", verbosity is set to "warning" (also tried "information").

Is there something I'm missing or is it just not possible to have device control events sent to syslog?

Thanks in advance!

  • 3 weeks later...

Bump... and sorry for posting in the wrong section at first.

No one got an idea on this issue? @Marcos maybe? Shall I supply more information?

Just to recap my observations:
Threat events (like filtered websites) are forwarded from endpoints to ESMC / ERA and from ERA to the syslog server.
Device control events are also forwarded from the endpoints to ERA (they can be displayed in a report). However, they are not forwarded from ERA to the syslog server. I would really love that, though :)

Any thoughts on this are much appreciated.
Thanks!
