
Syslog from DLPe 11.2 Client for Windows

DLPe 11.2 adds support for sending certain events using the Syslog protocol to a Syslog server.  I would like to know how to set up and make use of the new syslog feature in DLPe 11.2.  

There is one paragraph of data in the DLPe for Windows 11.2.x Release Notes.  In ePO, in DLP Windows Client Configuration policy, one can set the address and port of a syslog server.  But beyond that there is little data.  I have set a client policy in ePO to send to syslog, but so far I am not seeing any events.  So I have some questions:  

What IP address is the syslog data sent FROM?  Is it sent from each individual Windows client to the syslog server, or are all events sent from the ePO server to the syslog server?  

Is syslogging enabled only if the setting Send DLP events to Syslog server is set to enabled?  Or is some other factor also involved?  For instance, if DLPe is set to operate in Device Control Only mode, does syslogging function?  

What is a good way to test syslogging from the DLPe Windows Client?  What is a convenient action one can perform in Windows that will cause DLPe to generate a syslogged event?  And what should one expect to see at the syslog receiver (syslog server)?  I have tried sending e-mail from Outlook and the Win 10 email client, and printing, but so far no events have appeared.

- Charlie

3 Replies
McAfee Employee DLP_RS
Message 2 of 4

Re: Syslog from DLPe 11.2 Client for Windows

I would suggest reviewing the KB:

How to set up an example syslog server for use with ePolicy Orchestrator
Technical Articles ID: KB87927

Re: Syslog from DLPe 11.2 Client for Windows

Thank you for the suggestion.  That is good info to have regarding syslog from the ePO server.

But this new feature in DLP 11.2 is a setting for the DLPe Windows Client, with its own IP address setting, and no provision for SSL.  It is just plain UDP to port 514 (by default).  This implies that the DLPe agents at each Windows desktop are separately sending syslog events to a syslog server specified in the policy.

The setting looks like this in Data Loss Prevention 11.2 > Windows Client Configuration > Default Windows Client Configuration:


Today, I have this enabled at all Windows desktops, but no events are arriving at a test syslog server set up at the IP address  I can send syslog events to that address from other sources okay.  

So I am still trying to find out how one sets this new feature up, how it can be tested and verified, and what use one can make of it.

- Charlie
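
One way to check at the receiver which hosts are actually sending, given that the feature is described above as plain UDP to port 514: a minimal listener that prints the source IP and decoded priority of every datagram. This is an added example, not part of the original thread and not McAfee tooling; the function names and the sample message are constructed for illustration, and it assumes nothing about the DLPe message format beyond the standard syslog `<PRI>` prefix.

```python
import re
import socket
from collections import Counter

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram):
    """Return (facility, severity, text). PRI = facility * 8 + severity."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        return None, None, datagram.decode("utf-8", "replace").strip()
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").strip()
    return pri >> 3, pri & 7, text

def record(sender_ip, datagram, seen):
    """Count the datagram against its sender and format one report line."""
    seen[sender_ip] += 1
    facility, severity, text = parse_pri(datagram)
    return f"{sender_ip} facility={facility} severity={severity} {text}"

def listen(host="0.0.0.0", port=514):
    """Print every datagram with its source address until Ctrl+C.

    Binding to port 514 usually needs administrator/root rights, and the
    host firewall must allow inbound UDP on that port.
    """
    seen = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        try:
            while True:
                data, (ip, _src_port) = sock.recvfrom(65535)
                print(record(ip, data, seen))
        except KeyboardInterrupt:
            pass
    # Per-sender totals show whether events come from each endpoint
    # or from a single central address.
    for ip, count in seen.most_common():
        print(f"{count:6d} datagrams from {ip}")
    return seen

if __name__ == "__main__":
    listen()
```

If nothing is printed while other sources can reach the same address, a packet capture on the endpoint shows whether the client is emitting any UDP traffic toward the configured server at all.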

McAfee Employee DLP_RS
Message 4 of 4

Re: Syslog from DLPe 11.2 Client for Windows

Hi Charlie,

Please raise a Service Request with McAfee technical support for complete troubleshooting.