1 Reply Latest reply on Sep 6, 2016 11:05 PM by jgillespie

    Send ePO logs to Syslog

    mmagnan

      On ePO 5.3 running on Windows 2008 R2, is it possible to send logs to a 3rd party syslog?

      I can see all the log files in \Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs.

      I would like to send the log files to a LogRhythm agent to forward on to LogRhythm for analysis.

      Thanks for your time!

        • 1. Re: Send ePO logs to Syslog
          jgillespie

          Not sure on 5.3, but on earlier versions this did not exist (there's a product idea suggestion on there somewhere that you can vote on to have syslog functionality included in a future version).  The way around it is to use an external executable that acts as a syslog client, then create automatic responses to run the external program while passing it the system variables that you want logged.

          For this I use klog.exe from Kiwi Syslog; example command arguments are below:

          -u 514 -h 10.0.0.5 -p 10 -m "ePO-Threat-Event Action:{threatActionTaken}, Category:{threatCategory}, Event ID:{threatEventID}, Handled:{threatHandled}, Name:{threatName}, Severity:{threatSeverity}, Type:{threatType}"

          If you can't find another way to get your hands on klog.exe, you can download it from http://www.kiwi-enterprises.com/downloads/Kiwi_Logger.exe

          Use something like 7-Zip to open the .exe file as an archive, then look inside \KLOG Command-line Tools\klog\ to extract klog.exe.

          Hope this helps.
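As an added illustration of the approach in the reply above (not code from the thread, from McAfee, or from Kiwi), the script below is a minimal stand-in for klog.exe: it builds the same "ePO-Threat-Event ..." text from the ePO automatic-response variables named in the klog command, frames it as an RFC 3164 syslog datagram and sends it over UDP. The hostname, the sample event values and the command-line option names are assumptions; ePO substitutes the {threatName}-style placeholders itself before calling the external program, so here a dict plays that role and the message can be checked without an ePO server or a real syslog collector.

```python
#!/usr/bin/env python3
"""Added example: a tiny UDP syslog client in the role klog.exe plays in the reply.
Hostname, option names and the sample event below are assumptions, not ePO values."""
import argparse
import datetime
import socket

# The ePO automatic-response variables used in the reply's klog command, in the same order.
EPO_FIELDS = [
    ("Action", "threatActionTaken"),
    ("Category", "threatCategory"),
    ("Event ID", "threatEventID"),
    ("Handled", "threatHandled"),
    ("Name", "threatName"),
    ("Severity", "threatSeverity"),
    ("Type", "threatType"),
]


def format_epo_event(event):
    """Build the 'ePO-Threat-Event ...' text from a dict of variable values.
    ePO expands {threatName} etc. before launching the client; the dict stands in for that."""
    parts = [f"{label}:{event.get(var, '')}" for label, var in EPO_FIELDS]
    return "ePO-Threat-Event " + ", ".join(parts)


def build_packet(priority, message, hostname="epo-server", timestamp=None):
    """RFC 3164 framing: <PRI>Mmm dd HH:MM:SS hostname message.
    PRI = facility * 8 + severity, so klog's '-p 10' is facility 1 (user), severity 2 (critical)."""
    if not 0 <= priority <= 191:
        raise ValueError("syslog PRI must be in 0..191")
    if timestamp is None:
        timestamp = datetime.datetime.now()
    # RFC 3164 pads a single-digit day with a space ("Sep  6"), not a zero.
    stamp = f"{timestamp:%b} {timestamp.day:2d} {timestamp:%H:%M:%S}"
    # Flatten CR/LF so one ePO event cannot be split into two records by the collector.
    clean = message.replace("\r", " ").replace("\n", " ")
    return f"<{priority}>{stamp} {hostname} {clean}".encode("utf-8")


def send_udp(host, port, packet):
    """Send one datagram (plain UDP, like klog -u); returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (host, port))


def loopback_roundtrip(packet):
    """Deliver the packet to a throwaway listener on 127.0.0.1 and return what arrived,
    so the framing can be verified without a real syslog server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        _, port = listener.getsockname()
        send_udp("127.0.0.1", port, packet)
        data, _ = listener.recvfrom(65535)
    return data


# Constructed sample event (not real ePO output), standing in for ePO's substitutions.
SAMPLE_EVENT = {
    "threatActionTaken": "deleted",
    "threatCategory": "av.detect",
    "threatEventID": "42",
    "threatHandled": "true",
    "threatName": "EICAR test file",
    "threatSeverity": "3",
    "threatType": "test",
}


def main(argv=None):
    # Long option names are assumptions; they mirror klog's -h / -u / -p / -m.
    ap = argparse.ArgumentParser(description="Send one syslog datagram (klog.exe stand-in).")
    ap.add_argument("--host", required=True, help="syslog collector, e.g. the LogRhythm agent")
    ap.add_argument("--port", type=int, default=514)
    ap.add_argument("--pri", type=int, default=10)
    ap.add_argument("--message", required=True)
    args = ap.parse_args(argv)
    sent = send_udp(args.host, args.port, build_packet(args.pri, args.message))
    print(f"sent {sent} bytes to {args.host}:{args.port}")


if __name__ == "__main__":
    main()
```

Run it from an ePO automatic response the same way the reply runs klog.exe, passing the expanded placeholders in --message; the loopback helper is only there to show the datagram arrives intact. Note that plain UDP gives no delivery guarantee, so a collector outage silently drops events.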