What is a syslog server?

Syslog is a protocol used by network devices to send event messages to a logging server – known as a syslog server. Event log forwarding consolidates all event logs in a central location such as a syslog server. Consolidation reduces the hassle of logging into every server to check logs individually.

The syslog server must be SSL enabled. The McAfee ePO server syslog client supports only SyslogNG RFC 5424 + 5425, which requires TCP and Transport Layer Security (TLS). UDP and unencrypted TCP syslog receivers are not supported.
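
When checking that a receiver meets the RFC 5424 + 5425 requirement above, it helps to know that RFC 5425 sends each message over TLS as a decimal octet count, a space, then the RFC 5424 message. The following is an added example, not McAfee code: a Python sketch of the receiver-side framing and header parsing, run on constructed sample messages. The host name, app name, message text and the MAX_LEN limit are assumptions.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER = re.compile(rb"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
MAX_LEN = 64 * 1024  # assumed per-message limit enforced by this receiver

def frame(msg: bytes) -> bytes:
    """RFC 5425 frame: decimal octet count, one space, then the message."""
    return str(len(msg)).encode() + b" " + msg

def split_frames(buf: bytes):
    """Return (complete_messages, unconsumed_tail) from decrypted TLS stream bytes."""
    msgs, pos = [], 0
    while pos < len(buf):
        sp = buf.find(b" ", pos, pos + 8)
        prefix = buf[pos:sp] if sp != -1 else buf[pos:pos + 8]
        if not prefix.isdigit() or prefix[:1] == b"0" or (sp == -1 and len(prefix) == 8):
            raise ValueError("no valid octet count: sender is not using RFC 5425 framing")
        if sp == -1:
            break  # octet count itself is still incomplete
        end = sp + 1 + int(prefix)
        if int(prefix) > MAX_LEN:
            raise ValueError("frame exceeds receiver limit")
        if end > len(buf):
            break  # message body not fully received yet
        msgs.append(buf[sp + 1:end])
        pos = end
    return msgs, buf[pos:]

def parse_message(msg: bytes) -> dict:
    """Decode the RFC 5424 header fields; PRI = facility * 8 + severity."""
    m = HEADER.match(msg)
    if not m or m.group(2) != b"1" or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group(3).decode(), "hostname": m.group(4).decode(),
            "app_name": m.group(5).decode(), "rest": m.group(8)}

# Constructed sample messages (not real ePO output); the second contains a newline,
# which newline-delimited TCP syslog would wrongly split into two events.
M1 = b"<29>1 2024-01-15T10:00:00.000Z host1.example.test ExampleApp - EventFwd - first event"
M2 = b"<27>1 2024-01-15T10:00:01.000Z host1.example.test ExampleApp - EventFwd - line one\nline two"
STREAM = frame(M1) + frame(M2)

if __name__ == "__main__":
    for raw in split_frames(STREAM)[0]:
        print(parse_message(raw))
```

A receiver that expects newline-delimited messages will fail on this framing, which is what the ValueError path reports when the input has no octet count.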

How does event log forwarding work?

The McAfee Agent sends events to the Agent Handler, and these events must be stored on a server. Use McAfee ePO to configure a syslog server and forward events to it, or store the events on the SQL database server.