fkl 0 Posted June 30, 2022 Posted June 30, 2022 Hi, we are using ESMC (latest version) with Endpoint Security on Windows devices. We have applied the policy "Device control - maximum security" to our Windows devices.ESMC is configured to send all logs to our syslog server, which is generally working fine. Server events (like webconsole logons) are logged using syslog, as well as detected threats on endpoints. However, we would also like to see events from Endpoint Security's device control in our syslog, specifically whenever a device is blocked. But so far, I had no luck. Here's what I've configured so far: - in the "block all devices" rule within the device control policy, "log severity" is set to "warning". - in ESMC, I created a report template for displaying device control events - this is working, I can see those events in the report, so the events are indeed forwarded from the devices to ESMC. - in ESMC's server settings under "advanced settings" -> "Logging", verbosity is set to "warning" (also tried "information"). Is there something I'm missing or is it just not possible to have device control events sent to syslog? Thanks in advance!
fkl 0 Posted July 16, 2022 Author Posted July 16, 2022 Bump... and sorry for posting in the wrong section at first. No one got an idea on this issue? @Marcos maybe? Shall I supply more information? Just to recap my observations:Threat events (like filtered websites) are forwarded from endpoints to ESMC / ERA and from ERA to the syslog server.Device control events are also forwarded from the endpoints to ERA (they can be displayed in a report). However, they are not forwarded from ERA to the syslog server. I would really love that, though Any thoughts on this are much appreciated. Thanks!
Recommended Posts