ePO syslog forwarding only supports the TCP protocol, and requires Transport Layer Security (TLS). Specifically, it supports receivers that implement RFC 5424 (the syslog message format) and RFC 5425 (the TLS transport mapping for syslog, which frames each message with an octet count rather than a trailing newline). syslog-ng is a widely used receiver that implements both RFCs; it is not the name of the standard.
You do not need to import the syslog receiver's certificate into ePO. ePO accepts any valid certificate, including self-signed certificates, which are commonly used for this purpose. Note that because no trust anchor is configured on the ePO side, TLS protects the events in transit but does not, by itself, verify that ePO is talking to the intended receiver.
ePO does not support mutual TLS (client certificate authentication) when connecting to a syslog receiver, so the receiver must not be configured to require a client certificate.
If your syslog receiver does not support the above requirements, event forwarding fails. The exact symptoms depend on the particular syslog receiver, but might include one or more of the following:
- When you click Test Connection on the syslog registered server page, an error message or an ellipsis ('...') is displayed.
- No events are received at the syslog receiver.
- Events are received, but the entire event is garbled and unreadable.
NOTE: Parts of some product events, such as Data Loss Prevention (DLP) events, are not readable. The text is unreadable because some products encrypt sensitive fields in the event. ePO decrypts these fields via the managed product extension for display in the console. Because events are forwarded to the syslog receiver in their raw state, before the extension decrypts them, the encrypted sections of the event are not readable at the receiver. This is expected and is different from the entirely garbled events described above.
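The following is an added example written for this page, not ePO or syslog-ng code. It shows, from the receiver's side, the wire format the requirements above describe (RFC 5424 messages in RFC 5425 octet-counted frames, which is what arrives inside the TLS session) and adds a triage check for the "entire event is garbled" symptom: a TLS record header (bytes 0x16 0x03) at the start of the received data means ePO's TLS handshake reached a listener that expected plaintext. The sample event, the hostname epo.example.com, the SD-ID example@32473 and the function names are all constructed for illustration.

```python
# Added example for this page (not ePO or syslog-ng code): what a compliant
# receiver sees from ePO on the wire, and a triage check for garbled input.
# The message and byte samples below are constructed for illustration.
import re

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID, followed by STRUCTURED-DATA and an optional MSG.
_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    rb"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


def frame(msg: bytes) -> bytes:
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG (no newline)."""
    return b"%d %s" % (len(msg), msg)


def parse_frames(stream: bytes):
    """Receiver side: split buffered TLS payload into complete messages.

    Returns (messages, leftover); leftover is a partial frame still in flight.
    Raises ValueError if the data is not octet-counted (for example raw TLS
    records hitting a plaintext listener, or newline-delimited legacy syslog).
    """
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            if stream[pos:].isdigit():
                break  # length prefix not complete yet; wait for more bytes
            raise ValueError("not octet-counted framing at offset %d" % pos)
        if not stream[pos:sp].isdigit():
            raise ValueError("not octet-counted framing at offset %d" % pos)
        length = int(stream[pos:sp])
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            break  # partial frame: keep it as leftover for the next read
        msgs.append(stream[start:end])
        pos = end
    return msgs, stream[pos:]


def parse_rfc5424(msg: bytes) -> dict:
    """Parse the RFC 5424 header and separate STRUCTURED-DATA from MSG."""
    m = _HEADER.match(msg)
    if not m:
        raise ValueError("not an RFC 5424 message")
    rest = m["rest"]
    if rest.startswith(b"-"):
        sd, body = b"-", rest[1:]
    else:
        # One or more [...] SD-ELEMENTs; a backslash escapes the next byte.
        i = 0
        while i < len(rest) and rest[i:i + 1] == b"[":
            j = i + 1
            while j < len(rest) and rest[j:j + 1] != b"]":
                j += 2 if rest[j:j + 1] == b"\\" else 1
            i = j + 1
        sd, body = rest[:i], rest[i:]
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "version": int(m["version"]),
        "timestamp": m["ts"].decode(),
        "hostname": m["host"].decode(),
        "appname": m["app"].decode(),
        "procid": m["procid"].decode(),
        "msgid": m["msgid"].decode(),
        "sd": sd.decode(),
        # MSG may start with a UTF-8 BOM; strip it and tolerate non-UTF-8 bytes.
        "msg": body.lstrip(b" ").decode("utf-8", "replace").lstrip("\ufeff"),
    }


def classify_bytes(data: bytes) -> str:
    """Triage the 'garbled event' symptom: identify what the listener got."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls-handshake"  # TLS record header: ClientHello hit a plaintext listener
    if re.match(rb"\d+ <\d{1,3}>", data):
        return "octet-counted-rfc5424"  # RFC 5425 framing, as a TLS receiver expects from ePO
    if data.startswith(b"<"):
        return "unframed-syslog"  # newline-delimited (RFC 6587 non-transparent) syslog
    return "unknown"


# Constructed sample: not a real ePO event, but shaped like one on the wire.
SAMPLE_EVENT = (
    b"<134>1 2024-05-01T12:00:00.000Z epo.example.com EPOEvents - EventFwd "
    b'[example@32473 threatName="EICAR test file"] constructed sample event body'
)


def demo():
    """Two complete frames plus a partial one, as they might arrive in one read."""
    stream = frame(SAMPLE_EVENT) + frame(b"<13>1 - - - - - -") + b"25 <134>1 partial"
    msgs, leftover = parse_frames(stream)
    return [parse_rfc5424(m) for m in msgs], leftover


if __name__ == "__main__":
    events, leftover = demo()
    for ev in events:
        print(ev["appname"], ev["msgid"], ev["sd"], repr(ev["msg"]))
    print("leftover:", leftover)
    print(classify_bytes(b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"))
```

To check a real receiver rather than the constructed stream, connect to its TLS port (6514 is the port RFC 5425 registers) with `openssl s_client -connect <receiver>:6514` and pipe a frame built by `frame()` into the session; if the receiver instead logs a message whose bytes `classify_bytes()` reports as "tls-handshake", it is listening for plaintext TCP and needs TLS enabled.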