When configuring an Event Forwarding destination to use one of the syslog
formats, you may choose between the UDP and TCP transport protocols. UDP is the
protocol standard syslog is based on. Packets sent via syslog over TCP are
formatted exactly like their UDP counterparts, including facility, severity, and
message; the only exception is a newline character (ASCII character code
10) appended to the end of the message.
Unlike UDP, which is a “connectionless” protocol, a TCP connection must be
established between the ESM and the server listening for the forwarded events. If
a connection cannot be established or the connection is dropped, the ESM keeps
track of the last event successfully forwarded, and will try to establish the
connection again in a few minutes. Once the connection is reestablished, the ESM
picks up forwarding events where it left off.
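A receiver for this transport has to rebuild messages from the TCP byte stream, because one read may hold several events or only part of one. The following is an added example, not McAfee code, that splits on the trailing newline and decodes facility and severity from the leading <PRI> value (facility * 8 + severity). The names SyslogTcpFramer, MAX_LINE and reset() are assumptions, the sample messages are constructed, and discarding a partial message when the connection drops is a design choice of this sketch.

```python
import re

PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_LINE = 8192  # assumed cap: a peer that never sends LF cannot grow the buffer


def parse_pri(line):
    """Split one syslog line into (facility, severity, message)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # no PRI, or outside 0..191
        return None, None, line.decode("utf-8", "replace")
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[m.end():].decode("utf-8", "replace")


class SyslogTcpFramer:
    """Reassembles LF-terminated syslog messages from a TCP byte stream."""

    def __init__(self):
        self.buf, self.skipping, self.dropped = b"", False, 0

    def feed(self, chunk):
        """Add bytes from recv(); return the messages completed by them."""
        self.buf += chunk
        *lines, self.buf = self.buf.split(b"\n")  # last piece has no LF yet
        out = []
        for line in lines:
            if self.skipping or len(line) > MAX_LINE:
                self.skipping = False  # tail of an oversized message
                self.dropped += 1
            elif line:
                out.append(parse_pri(line))
        if len(self.buf) > MAX_LINE:
            self.buf, self.skipping = b"", True
        return out

    def reset(self):
        """Call when the connection drops; returns the partial bytes discarded."""
        n, self.buf, self.skipping = len(self.buf), b"", False
        return n


if __name__ == "__main__":
    framer = SyslogTcpFramer()
    # Constructed sample: two messages, the second split across TCP segments.
    for segment in (b"<134>esm demo: first\n<13>esm de", b"mo: second\n"):
        for facility, severity, msg in framer.feed(segment):
            print(facility, severity, msg)
```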
SSH Port Forwarding
If you choose to use syslog over TCP, you have the option of making the TCP
connection over an SSH tunnel. As syslog is an unencrypted protocol, using an
SSH tunnel prevents your Event Forwarding messages from being examined by
To enable SSH tunneling, configure your Event Forwarding destination to use one
of the syslog formats over the TCP protocol. Several options on the configuration
dialog determine how the SSH connection is made:
Copyright © 2019 McAfee, LLC