Hello -
I'm running SEPM v12.1.6 build 7004.
I'm wanting to configure external logging to ship my SEP logs into my Graylog system but it doesn't seem to be working.
I followed the steps outlined in this doc, https://support.symantec.com/en_US/article.HOWTO81169.html, to configure the Syslog server settings in SEPM. On the Log Filter tab, I selected all available options. After waiting for several hours, no SEP logs have appeared in Graylog.
The Syslog Server settings are currently:
Syslog Server: FQDN of my Graylog server (I tried IP address here with no change in results)
Destination Port: TCP/12201
Log Facility: 23
Log Line Separator: CR
The the protocol/port specified above is open between the SEPM and Graylog servers - it's being used to push Windows Event logs between the same 2 machines. I tried different port/protcol combinations just in case.
For the log facility, I started with the default of 6 but moved to 23 after finding that suggestion in another discussion post.
So far, no combination of settings has allowed the SEP logs to be exported to Graylog.
As a test, I turned off the option to export to a syslog server and selected the option to export to a dump file. That, as well, has failed to produce any output. So, it doesn't seem there's a problem, specifically, with exporting to a syslog server but moreso that the export function just isn't working at all.
All of my client log setting policies are set to have the client logs uploaded to the management server. Using the Monitor and Report functions in SEPM, I can see the various pieces of data are actually there. The export function just doesn't seem to want to spit it out.
Any ideas of what I can try to get this working?
Thanks,
Robin