After configuring the Symantec Endpoint Protection Manager (SEPM) to forward logs to an external logging server, the logs arrive at the syslog server with the SEPM server name before the SymantecServer label. In some cases the ComputerName label may be missing as well which then puts the affected computers name directly after the SymantecServer label which can lead to confusion.
No errors are seen.
This is by design and follows the RFC for syslog as outlined in the following article:
Per RFC 5424 the HOSTNAME comes before the APP-NAME with "SymantecServer" being the APP-NAME. The colon after SymantecServer signifies the end of the header information and the beginning of the message data.
Subscribing will provide email updates when this Article is updated. Login is required.