We are trying to use the functionality of the syslog registered server from ePO 5.9. However, the only way the files are received is via xml, which would be fine, but McAfee xml files are nested beyond infinity. Has anybody attempted this before? We have logged numerous calls with McAfee, but they just say that their job is done. The files are sent to the syslog server, what we do with it and what we need to do to parse these is our own problem.
This is incredibly unhelpful, but we were pulling events from ePO via database scraping when they released syslog support. We looked at their syslog, and it was not a better choice than database scraping, for the reasons you mentioned. The implementation felt like checking the marketing box, "Yes, we do support syslog!". It just isn't in a format that's usable.
Yeah, Shocking. We have been using db scraping as well, but every time a product update or ePO update is released, all the queries need to be reconfigured. Not really helpful.
That was a concern for us, too. We thought about trying to parse the syslog for exactly that reason...and then we realized that the syslog output was as likely to change format as the underlying DB. Probably more likely, since it was a new feature.