Sending Cylance Endpoint Security events to a SIEM solution or syslog server

You can configure Cylance Endpoint Security to forward events to a SIEM solution or syslog server. The content of each event is Unicode plain text consisting of key-value pairs separated by commas. Because of the size limitations of most syslog servers, the details of each message are limited to 2048 characters.
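The receiving side of that format, as an added example that is not BlackBerry's or the product's own code: a small parser for one event payload that maps the comma-separated pairs to a dictionary and flags messages that reached the 2048-character cap, where the last pair may have been cut. The page states only "key-value pairs separated by commas"; the `Key: Value` spelling of a pair, the field names, and the two sample messages are assumptions constructed for this example. Values that themselves contain a comma (a policy name, a path) are handled by a heuristic that is also an assumption: a piece with no key is appended to the previous value.

```python
"""Parse Cylance Endpoint Security syslog/SIEM event payloads.

Added example, not code from BlackBerry or the Cylance product. The page
states only that each event is Unicode plain text made of comma-separated
key-value pairs capped at 2048 characters; the "Key: Value" spelling of a
pair, the field names and the sample messages below are assumptions
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_EVENT_LEN = 2048  # per-message cap stated in the documentation


@dataclass
class ParsedEvent:
    fields: dict[str, str] = field(default_factory=dict)
    possibly_truncated: bool = False  # payload reached the 2048-character cap
    unparsed: list[str] = field(default_factory=list)  # pieces with no key at all


def parse_event(message: str, pair_sep: str = ",", kv_sep: str = ":") -> ParsedEvent:
    """Split one event payload into a key -> value mapping.

    A piece without kv_sep is treated as the continuation of the previous
    value (an embedded comma, e.g. in a policy name). This is a heuristic
    assumed for the example, not a rule from the documentation. A message
    that is MAX_EVENT_LEN characters or longer is flagged as possibly
    truncated, because the forwarder cuts details at that length and the
    final pair may be incomplete.
    """
    ev = ParsedEvent(possibly_truncated=len(message) >= MAX_EVENT_LEN)
    last_key: str | None = None
    for piece in message.split(pair_sep):
        if kv_sep in piece:
            # Split on the first separator only, so a Windows path value
            # such as "C:\Users\..." keeps its own colon.
            key, value = piece.split(kv_sep, 1)
            key, value = key.strip(), value.strip()
            ev.fields[key] = value
            last_key = key
        elif last_key is not None:
            # Continuation of the previous value: restore the comma.
            ev.fields[last_key] = f"{ev.fields[last_key]}{pair_sep} {piece.strip()}"
        else:
            ev.unparsed.append(piece.strip())
    return ev


def missing_fields(ev: ParsedEvent, required: list[str]) -> list[str]:
    """Return the required keys absent from the event, in the order given.

    Useful before indexing: a truncated message may lack fields a detection
    rule depends on, and should be routed to review rather than silently
    indexed as a complete event.
    """
    return [key for key in required if key not in ev.fields]


# Constructed sample payloads (not real Cylance output).
SAMPLE_EVENTS = [
    "Event Type: Threat, Event Name: threat_found, Device Name: WS-0142, "
    "Policy Name: Finance, Block, File Path: C:\\Users\\alice\\Downloads\\invoice.exe, "
    "SHA256: " + "a1" * 32,
    # A long detail field cut at exactly MAX_EVENT_LEN characters, as the
    # forwarder would do; the trailing pair is incomplete.
    ("Event Type: Threat, Event Name: threat_quarantined, Device Name: WS-0142, "
     "File Path: C:\\" + "\\".join(f"dir{i}" for i in range(400)))[:MAX_EVENT_LEN],
]


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_event(raw)
        print(f"truncated={ev.possibly_truncated} fields={len(ev.fields)} "
              f"missing={missing_fields(ev, ['Event Type', 'Device Name', 'SHA256'])}")
```

The parser works on the event payload only; strip any syslog header (priority, timestamp, host) added by the transport before calling it. Treat `possibly_truncated` as a data-quality signal in the SIEM rather than discarding the event, since the leading fields are usually intact.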
If the Cylance Endpoint Security integration cannot deliver syslog messages to a syslog or SIEM server, an email notification is sent to users with the built-in administrator role who have a confirmed email address in the organization.
Each message is retried up to ten times; after the tenth failed attempt it is no longer forwarded and is moved to a dead-letter queue, where it counts as undelivered. The first warning email is sent once a third of the maximum number of undelivered messages has accumulated. When the number of undelivered messages reaches the maximum of 400, the integration is disabled.
Because of various factors, the reporting of events to a SIEM solution or syslog server may be delayed, so the integration should not be relied on for real-time or near-real-time monitoring.