ESMC: Forwarding device control events to syslog


Hi,

We are using ESMC (latest version) with Endpoint Security on Windows devices. We have applied the policy "Device control - maximum security" to our Windows devices.
ESMC is configured to send all logs to our syslog server, which is generally working fine. Server events (like web console logons) are logged via syslog, as are detected threats on endpoints.

However, we would also like to see events from Endpoint Security's device control in our syslog, specifically whenever a device is blocked. But so far I've had no luck.

Here's what I've configured so far:

- In the "block all devices" rule within the device control policy, "log severity" is set to "warning".
- In ESMC, I created a report template for displaying device control events. This is working: I can see those events in the report, so the events are indeed forwarded from the devices to ESMC.
- In ESMC's server settings under "advanced settings" -> "Logging", verbosity is set to "warning" (also tried "information").

Is there something I'm missing or is it just not possible to have device control events sent to syslog?

Thanks in advance!


  • 3 weeks later...

Bump... and sorry for posting in the wrong section at first.

Does no one have an idea on this issue? @Marcos maybe? Shall I supply more information?

Just to recap my observations:
Threat events (like filtered websites) are forwarded from endpoints to ESMC / ERA and from ERA to the syslog server.
Device control events are also forwarded from the endpoints to ERA (they can be displayed in a report). However, they are not forwarded from ERA to the syslog server. I would really love that, though :)

Any thoughts on this are much appreciated.
Thanks!
