Device Details

| Field | Value |
|---|---|
| Device Name | Syslog - McAfee ePO |
| Device Type | ePolicy Orchestrator v5.10 |
| Supported Model Name/Number | N/A |
| Supported Software Version | All |
| Collection Method | Syslog |
| Configurable Log Output | Yes |
| Log Source Type | Syslog - McAfee ePO |
| Log Processing Policy | LogRhythm Default v2.0 |
| Additional Information | N/A |

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| McAfee ePO Catch All | N/A | <tag1>, <tag2>, <tag3> |
| EVID 1027...18054 : Security Messages | N/A | <vmid>, <severity>, <threatname>, <action>, <result>, <sname>, <domainorigin>, <login>, <process>, <dname>, <domainimpacted>, <account>, <object> |
| EVID 1048, 1202, 1203 : Security Messages | N/A | <dname>, <dmac>, <dip>, <vmid>, <severity>, <object>, <process>, <domainimpacted>, <account>, <action>, <result>, <threatname> |
| EVID 1092, 1095 : Behavior Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <policy>, <process>, <object> |
| EVID 1119 : Security Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity>, <threatname>, <result>, <action> |
| EVID 1202, 1203 : Task Messages | N/A | <dname>, <dip>, <domainorigin>, <login>, <dmac>, <vmid>, <severity> |
| EVID 2401...2427 : Update Messages | N/A | <dname>, <dmac>, <dip>, <domainorigin>, <login>, <vmid>, <severity>, <responsecode>, <action> |
| EVID 18900 : McAfee ePO Policy Auditor Messages | N/A | <dname>, <dmac>, <dip>, <account>, <vmid>, <severity>, <domainimpacted> |
| EVID 18905 : McAfee ePO Policy Assessment Messages | N/A | <dname>, <dmac>, <dip>, <domainimpacted>, <account>, <vmid>, <severity> |
| EVID 19101...19136 : McAfee ePO DLP | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <threatname>, <policy>, <severity> |
| EVID 20720...20846 : McAfee Ep | N/A | <dip>, <dname>, <dmac>, <vmid>, <Severity>, <action>, <domainimpacted>, <account>, <process>, <processid>, <parentprocessname>, <object>, <hash>, <objecttype>, <reason> |
| EVID 20835 : McAfee ePO App Control Messages | N/A | <dname>, <dip>, <dmac>, <vmid>, <severity>, <action>, <process>, <processid>, <domainimpacted>, <account>, <object>, <parentprocessname>, <command>, <hash> |
| EVID 30030 : McAfee ePO Drive Encryption Messages | N/A | <dname>, <dip>, <domainimpacted>, <account>, <dmac>, <vmid>, <severity> |

Revision History

| KB Version | Log Type | Change Type | |
|---|---|---|---|
| KB 7.1.586.0 | Syslog - McAfee ePO v5.10 | New Log Source Type | New Device Support |