This post describes how to configure the LogRhythm Agent to collect Symantec SEPM logs, either via syslog forwarding or through the SEPM MS SQL database.
Method 1 – Syslog Forwarding
[1] This is the traditional way to forward logs from SEPM to syslog servers such as ArcSight, Splunk, QRadar, LogRhythm, etc.
Note: SEPM does not support multiple syslog servers; only one destination host can be configured.
Procedure
- Log in to your Symantec Endpoint Protection Manager system.
- In the left pane, click the Admin icon.
- At the bottom of the View Servers pane, click Servers.
- In the View Servers pane, click Local Site.
- In the Tasks pane, click Configure External Logging.
- On the General tab, select the Enable Transmission of Logs to a Syslog Server check box.
- In the Syslog Server field, type the IP address of the syslog server (the LogRhythm collector) that will receive and parse the logs.
- In the UDP Destination Port field, type 514.
- In the Log Facility field, type 6.
- In the Log Filter tab, under Management Server Logs, select the Audit Logs check box.
- In the Client Log pane, select the Security Logs check box.
- In the Client Log pane, select the Risks check box.
- Click OK.
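A quick way to confirm on the collector side that the settings above took effect is to listen on the configured UDP port and decode each message's PRI header, which encodes facility * 8 + severity. The following is an added example, not code from the original post or from LogRhythm; the function names and the sample lines are constructed, and a facility other than 6 is reported as a mismatch.

```python
import re
import socket

# Values from the SEPM procedure above: UDP port 514, Log Facility 6 (LPR).
EXPECTED_PORT = 514
EXPECTED_FACILITY = 6

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message: str) -> dict:
    """Split the RFC 3164 PRI header <N> into facility and severity.
    PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no PRI header; message is not syslog-framed")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range (max 191)")
    return {"pri": pri, "facility": pri >> 3, "severity": pri & 7,
            "severity_name": SEVERITY_NAMES[pri & 7], "body": m.group(2)}


def check_sepm_message(message: str, expected_facility: int = EXPECTED_FACILITY) -> tuple:
    """Return (ok, reason). ok is True only when the facility matches the one
    configured in SEPM's Log Facility field, so a mismatch points at the SEPM side."""
    try:
        fields = decode_pri(message)
    except ValueError as exc:
        return False, str(exc)
    if fields["facility"] != expected_facility:
        return False, f"facility {fields['facility']} != expected {expected_facility}"
    return True, f"facility {fields['facility']}, severity {fields['severity_name']}"


def listen(bind_addr: str = "0.0.0.0", port: int = EXPECTED_PORT, max_messages: int = 10) -> list:
    """Receive up to max_messages datagrams on the configured UDP port and return
    (source_ip, ok, reason) tuples. Binding to 514 needs root or CAP_NET_BIND_SERVICE."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(30)
        while len(results) < max_messages:
            try:
                data, (src_ip, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            ok, reason = check_sepm_message(data.decode("utf-8", errors="replace"))
            results.append((src_ip, ok, reason))
    return results


# Constructed sample lines, not real SEPM output. PRI 54 = facility 6, severity 6 (info);
# PRI 14 = facility 1 (user), which is what you see if the Log Facility field was left at a default.
SAMPLE_OK = "<54>Jan  1 00:00:00 sepm01 SymantecServer: constructed security-log event"
SAMPLE_WRONG_FACILITY = "<14>Jan  1 00:00:00 sepm01 SymantecServer: constructed event, wrong facility"
```

Run `listen()` on the collector host while SEPM is sending; any `ok == False` result names the header field to fix.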
Method 2 – ODBC Connection
Configuration Steps
References
[1] https://knowledge.broadcom.com/external/article/156485/configure-multiple-syslog-servers-for-en.html