Syslog - McAfee ePO

Device Details

Device Name: Syslog - McAfee ePO
Device Type: ePolicy Orchestrator v5.10
Supported Model Name/Number: N/A
Supported Software Version: All
Collection Method: Syslog
Configurable Log Output: Yes
Log Source Type: Syslog - McAfee ePO
Log Processing Policy: LogRhythm Default v2.0
Additional Information

McAfee ePO sends encrypted (TLS) syslog, so it must be pointed at the System Monitor Agent's secure syslog port (6514 by default) rather than the standard syslog port.

ePO syslog forwarding only supports the TCP protocol and requires Transport Layer Security (TLS). Refer to the ePO Documentation for more information.

For information on enabling the secure syslog for a System Monitor Agent, refer to Configure a Secure Syslog Agent.

Supported Log Messages

(List of the LogRhythm (LR) tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
| --- | --- | --- |
| McAfee ePO Catch-All | N/A | <tag1>, <tag2>, <tag3> |
| EVID : 1027/1292/18054 Security Messages | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object> |
| EVID : 1048 : EPO - Scan Error | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <object>, <process>, <domainimpacted>, <account>, <action>, <subject>, <severity> |
| EVID : 1092/1095 Behavior Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <policy>, <process>, <object>, <vendorinfo>, <version>, <severity> |
| EVID : 1119 : EPO - Update Failed | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <threatname>, <subject>, <result>, <action>, <severity> |
| EVID : 1202/1203 Task Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <vendorinfo>, <version>, <object> |
| EVID : 2401/02/11/12/13/22/27 Update Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <responsecode>, <action>, <vendorinfo>, <version>, <objecttype> |
| Evid 18900 : McAfee ePO Policy Auditor Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version>, <result> |
| Evid 18905 : McAfee ePO Policy Assessment Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version>, <result> |
| Evid 19101/9115/19125/19136 : McAfee ePO DLP | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <threatname>, <policy>, <severity>, <vendorinfo>, <version> |
| Evid 207(20/48/61/76/78/95), 208(31/46): McAfee Ep | N/A | <dip>, <dname>, <dmac>, <vmid>, <severity>, <action>, <domainimpacted>, <account>, <process>, <processid>, <parentprocessname>, <object>, <hash>, <objecttype>, <reason>, <vendorinfo>, <version>, <parentprocesspath>, <domainorigin>, <login> |
| Evid 20835 : McAfee ePO App Control Messages | N/A | <dname>, <dip>, <dmac>, <vmid>, <severity>, <action>, <process>, <processid>, <domainorigin>, <login>, <object>, <parentprocessname>, <parentprocesspath>, <command>, <hash>, <vendorinfo>, <version> |
| Evid 30030 : McAfee ePO Drive Encryption Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <vendorinfo>, <version>, <objecttype> |
| EVID : 1202 : EPO - Scan Started | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity>, <vendorinfo>, <version> |
| EVID : 18059 : EPO - Network Threat Blocked | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <sip>, <smac>, <dname>, <dip>, <dport>, <dmac>, <severity>, <vendorinfo>, <version>, <domainimpacted>, <account> |
| EVID : 18060 : EPO - Exploit Attempt Detected | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <sip>, <smac>, <dname>, <account>, <object>, <dip>, <dport>, <dmac>, <severity>, <vendorinfo>, <version> |
| EVID : 20559|20500|20503|20504 Device Logs | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity>, <vendorinfo>, <version> |
| | N/A | <dname>, <dip>, <dmac>, <vmid>, <severity>, <vendorinfo>, <domainimpacted>, <account>, <process>, <object>, <action>, <version>, <subject> |
| EPO:1095:ePO-AccessProtectionViolationNot Blocked | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <dname>, <domainimpacted>, <account>, <object>, <severity>, <vendorinfo>, <version>, <dmac>, <dip> |
| EVID : 1203 : EPO - On-Demand Scan End | N/A | <vmid>, <action>, <subject>, <threatname>, <severity>, <vendorinfo>, <version>, <dmac>, <sip>, <domainimpacted>, <account>, <result> |
| Evid : 1024 Epo Infected File Deleted | N/A | <dip>, <dmac>, <vendorinfo>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <status>, <version>, <size> |
| EVID : 1284 EPO - On-Demand Scan End | N/A | <dip>, <dmac>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <status>, <vendorinfo>, <version> |
| EVID 1087 EPO - Access Protection Violation Blocked | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <action>, <vmid>, <severity>, <version>, <domainimpacted>, <account> |
| | N/A | <dip>, <vendorinfo>, <vmid>, <subject>, <threatname>, <action>, <result>, <domainorigin>, <login>, <process>, <dname>, <domainimpacted>, <account>, <object>, <severity>, <objectname>, <hash>, <version>, <dmac> |
| EVID : 35112 : EPO ATP - Object Contained | N/A | <vmid>, <subject>, <threatname>, <action>, <result>, <sname>, <domainorigin>, <login>, <parentprocessname>, <dname>, <domainimpacted>, <account>, <process>, <object>, <severity>, <vendorinfo>, <version>, <dmac>, <dip> |
| EVID : 1278 : EPO - File Infected | N/A | <dip>, <dmac>, <vendorinfo>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <sname>, <process>, <dname>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <status>, <version> |
| EVID 1034 : EPO - No Viruses Found | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity> |
| EVID : 1 EPO - Booting Disabled | N/A | <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity>, <dname> |
| Evid 35002 : EPO - Firewall Event | N/A | <dname>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity>, <action>, <subject>, <threatname>, <result>, <sip>, <dip>, <dport>, <protname>, <policy>, <sport>, <size> |
| EVID : 1064 EPO - Service Started | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
| EVID : 1118 EPO - Update Successful | N/A | <dname>, <dip>, <domainorigin>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
| EVID : 1121 EPO - Update Cancelled | N/A | <dname>, <dip>, <domainorigin>, <account>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
| EVID : 18600 EPO - Informational Event | N/A | <dname>, <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <process>, <domainimpacted>, <account>, <action>, <subject>, <threatname>, <severity>, <domainorigin>, <url> |
| EVID : 30000 EPO - Logon Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30001 EPO - Password Changed Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30004 EPO - System Boot Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30006 EPO - Self-recovery Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30012 EPO - Crypt Volume Complete Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <status>, <object> |
| EVID : 30017 EPO - General Exception Event | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <status> |
| EVID : 30020 EPO - Upgrade Start | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30033 EPO - Automatic Booting Deactivated | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30035 EPO - Provider Not Installed | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30045 EPO - Activation Failure | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <responsecode> |
| EVID : 30112 EPO - Cred Provider Enabled | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 30115 EPO - Incompatible Product Detected | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname>, <object> |
| EVID 34865 - Protect McAfee Process | N/A | <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <dname>, <subject>, <action>, <threatname>, <process>, <severity>, <hash> |
| EVID 40702 - Endpoint Task Started | N/A | <dip>, <dmac>, <account>, <domainimpacted>, <vendorinfo>, <version>, <vmid>, <severity>, <action>, <subject>, <threatname> |
| EVID : 1025 EPO - Infected File Cleaned | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
| EVID : 1280 : EPO - File Deleted | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
| EVID : 1282 : EPO - File Delete Failed | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status> |
| EVID : 1423 : EPO - Delete Pending | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status>, <sname>, <process>, <dname> |
| EVID : 1428 : EPO - File Still Exists | N/A | <dip>, <dmac>, <vendorinfo>, <version>, <vmid>, <subject>, <severity>, <threatname>, <action>, <result>, <domainimpacted>, <account>, <object>, <objectname>, <hash>, <size>, <status>, <sname>, <process>, <dname> |
| EVID 1087 : EPO - On-access Scan Started | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
| EVID 1088 : EPO - On-access Scan Stopped | N/A | <dname>, <dip>, <account>, <domainimpacted>, <dmac>, <vendorinfo>, <version>, <vmid>, <action>, <subject>, <result>, <threatname>, <severity> |
| General Catch All Level | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vendorinfo>, <version>, <object>, <vmid>, <severity> |

Revision History

| KB Version | Log Type | Change Type |
| --- | --- | --- |
| KB 7.1.586.0 | Syslog - McAfee ePO v5.10 | New Log Source Type; New Device Support |
