Hi Brian,
Thanks for your time and answer, but unfortunately the documentation doesn't contain information about the SYSLOG message format. It seems to be for Symantec Event collector but not Symantec Endpoint Manager.
Here are some of the messages I have using syslog:
Jan 30 22:07:50 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,LUALL.EXE has been launched.
Jan 28 13:20:54 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: MyDomain,Admin: admin,Policy has been edited,TestServers policy LiveUpdate
Jan 28 13:24:39 192.168.1.1 SymantecServer PIPO-SRV: server11,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (192.168.1.1)
Jan 29 01:33:20 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: MyDomain,The management server received the client log successfully,server11,,johndoe,LocalComputer
Jan 29 01:38:50 192.168.1.1 SymantecServer PIPO-SRV: Scan ID: 1296264604,Begin: 2011-01-29 01:29:50,End: 2011-01-29,Completed,Duration (seconds): 98,User1: SYSTEM,User2: SYSTEM,"Scan started on selected drives and folders and all extensions.","Scan Complete: Risks: 0 Scanned: 891 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 891,Omitted: 0,Computer: MyServer15,IP Address: 192.168.1.1,Domain: MyDomain,Group: My Company\MyDomain_DC\Virtual Servers,Server: PIPO-SRV
Jan 28 13:20:46 192.168.1.1 SymantecServer PIPO-SRV: Site: PIPO-SRV,Server: PIPO-SRV,Domain: Unknown domain (),Admin: johndoe,Administrator log on failed
Obviously there are a lot of different messages for each event ("administrator log on failed", "virus detected", etc.) and I'm looking for a reference document.
Thanks for your help
If you need more information don't hesitate,
Regards,
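
The following is an added example, not part of the original post and not Symantec code: a parser for the message layout visible in the samples above, plus a check for the "Administrator log on failed" event. The field layout is inferred only from those samples (no vendor reference is assumed), and the function names are hypothetical.

```python
import csv
import re

# Header as seen in the samples: timestamp, relay IP, "SymantecServer", host.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) "
    r"SymantecServer (?P<host>[^:]+): (?P<body>.*)$"
)
# A field is treated as "Label: value" when a short label precedes the first ": ".
LABELLED = re.compile(r"^(?P<key>[A-Za-z][\w ()]{0,30}?): (?P<val>.*)$")

def parse_sepm_line(line):
    """Split one line into header parts, labelled fields and free-text fields."""
    m = HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None  # not in the layout shown in the post
    event = {"timestamp": m["ts"], "relay": m["relay"], "host": m["host"],
             "labels": {}, "text": []}
    # csv handles the double-quoted fields; a plain split(",") would not.
    for field in next(csv.reader([m["body"]]), []):
        kv = LABELLED.match(field)
        if kv:
            event["labels"].setdefault(kv["key"], kv["val"])
        elif field.strip():
            event["text"].append(field.strip())
    return event

def failed_admin_logons(lines):
    """Return (timestamp, admin) for each failed console logon event."""
    hits = []
    for line in lines:
        ev = parse_sepm_line(line)
        if ev and "Administrator log on failed" in ev["text"]:
            hits.append((ev["timestamp"], ev["labels"].get("Admin")))
    return hits

# Sample lines taken from the post; the scan line is shortened for the example.
PREFIX = " 192.168.1.1 SymantecServer PIPO-SRV: "
SAMPLES = [
    "Jan 28 13:20:46" + PREFIX + "Site: PIPO-SRV,Server: PIPO-SRV,"
    "Domain: Unknown domain (),Admin: johndoe,Administrator log on failed",
    "Jan 28 13:24:39" + PREFIX + "server11,Category: 0,Smc,"
    "Connected to Symantec Endpoint Protection Manager (192.168.1.1)",
    "Jan 29 01:38:50" + PREFIX + "Scan ID: 1296264604,Begin: 2011-01-29 01:29:50,"
    '"Scan Complete: Risks: 0 Scanned: 891 Files/Folders/Drives Omitted: 0",Threats: 0',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_sepm_line(sample))
    print(failed_admin_logons(SAMPLES))
```

Fields without a label, such as the client name or the event text, are kept in order under `text` because the samples give no names for them.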