Endpoint Protection

  • 1.  Sending logs to SIEM

    Posted Apr 06, 2020 01:19 PM
    Hello,

    I need to send logs to our SIEM (Helix). How do I set that up, and what logs can I send over? We are running SEP 14.x on prem, but in AWS. Thanks


  • 2.  RE: Sending logs to SIEM

    Posted Apr 07, 2020 09:10 AM

    I have the same question (but I'm more interested in what logs NOT to send, what the log filter setting recommendations are, and most importantly what to definitely not send in order to avoid overload problems).

    In our case, we are looking to do the same thing in our on-prem enterprise environment. We want to eliminate any need for direct pulls from the SEP SQL server and instead push directly from SEPM to the (Helix) SIEM, and we are doing that by configuring external logging on the SEPM console using syslog:

    1. Click on the "Admin" tab, then click on "Servers".
      1. Under Servers, click on the "Local Site - ……" entry for the environment.
      2. Under Tasks, select "Configure External Logging".
      3. Under the "General" tab, configure the relevant settings:
        1. Select "Enable Transmission of Logs to a Syslog Server".
        2. Then select the "Log Filter" tab and configure which client (and server) logs to send (this is what we would like to know the best-practice recommendations on).
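One way to answer the "what not to send" question with data rather than guesswork is to point the SEPM syslog output at a test collector for a short trial and measure how many events each log category produces before widening the Log Filter. The script below is an added example written for this thread; it is not part of either post and not Symantec's or FireEye's code. It parses RFC 3164-style syslog lines, buckets them by category, and flags categories whose peak per-minute rate exceeds a threshold you choose. The sample lines are constructed, and the `Log Type: <name>` field that `category_of` looks for is an assumption about the message layout, not the documented SEPM format: adapt that one function to however your SEPM actually labels client and server log types.

```python
"""Profile syslog volume per SEP log category before widening the SEPM Log Filter.

Added example, not SEPM's own code. Feed it the lines a test collector received
from the SEPM during a trial period; it reports each category's total and peak
per-minute rate so the noisy categories can be left out of the filter.
"""
import re
from collections import Counter, defaultdict

# RFC 3164-style header: optional <PRI>, "Mon dd hh:mm:ss", host, then "tag: message".
# The minute part of the timestamp is captured separately so events can be
# grouped by minute without a date parser.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<minute>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}):\d{2} "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)


def category_of(msg: str) -> str:
    """Return the log category for a message.

    Assumption (not the documented SEPM format): the message carries a
    'Log Type: <name>' field among comma-separated fields. Anything else is
    bucketed as 'unknown' so it still shows up in the totals.
    """
    m = re.search(r"Log Type: ([A-Za-z ]+?)(?:,|$)", msg)
    return m.group(1).strip() if m else "unknown"


def parse_line(line: str):
    """Return {minute, host, category} for a syslog line, or None if unparseable."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "minute": m.group("minute"),
        "host": m.group("host"),
        "category": category_of(m.group("msg")),
    }


def profile(lines, max_per_minute: int):
    """Count events per category and flag those whose peak minute exceeds the limit.

    Returns (report, unparsed) where report maps category -> dict with
    total, peak_per_minute and over_threshold, and unparsed counts skipped lines.
    """
    totals = Counter()
    per_minute = defaultdict(Counter)  # category -> minute -> count
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        totals[rec["category"]] += 1
        per_minute[rec["category"]][rec["minute"]] += 1

    report = {}
    for cat, total in totals.items():
        peak = max(per_minute[cat].values())
        report[cat] = {
            "total": total,
            "peak_per_minute": peak,
            "over_threshold": peak > max_per_minute,
        }
    return report, unparsed


# Constructed sample lines (not real SEPM output). The firewall Traffic log is
# made deliberately chatty to show how a noisy category gets flagged.
SAMPLE_LINES = [
    "<14>Apr 06 13:19:01 sepm01 SymantecServer: Site: Local Site,Log Type: Traffic,Action: Blocked",
    "<14>Apr 06 13:19:02 sepm01 SymantecServer: Site: Local Site,Log Type: Traffic,Action: Allowed",
    "<14>Apr 06 13:19:05 sepm01 SymantecServer: Site: Local Site,Log Type: Traffic,Action: Allowed",
    "<14>Apr 06 13:19:09 sepm01 SymantecServer: Site: Local Site,Log Type: Traffic,Action: Blocked",
    "<14>Apr 06 13:19:10 sepm01 SymantecServer: Site: Local Site,Log Type: Packet,Action: Logged",
    "<14>Apr 06 13:20:00 sepm01 SymantecServer: Site: Local Site,Log Type: Packet,Action: Logged",
    "<14>Apr 06 13:20:03 sepm01 SymantecServer: Site: Local Site,Log Type: Risk,Action: Quarantined",
    "<14>Apr 06 13:20:07 sepm01 SymantecServer: Site: Local Site,Log Type: System,Event: Client heartbeat",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    report, unparsed = profile(SAMPLE_LINES, max_per_minute=3)
    for cat, stats in sorted(report.items(), key=lambda kv: -kv[1]["total"]):
        flag = "  <-- consider excluding in Log Filter" if stats["over_threshold"] else ""
        print(f"{cat:10s} total={stats['total']:4d} peak/min={stats['peak_per_minute']:3d}{flag}")
    print(f"unparsed lines: {unparsed}")
```

Run it against a file of captured lines (`profile(open("sepm-trial.log"), max_per_minute=...)` works, since `profile` only iterates) with the threshold set from what your SIEM licence or collector can absorb; the categories it flags are the ones to leave unchecked on the Log Filter tab, while low-volume, high-value logs such as Risk and System stay enabled.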