SEP 14 Client Security Log Ingestion

Good morning all,

Currently I am able to export logs from SEPM 14 to SEM 2019, but the Client Security Logs are nowhere to be found. These are the IPS events. Confirmed they dump to file correctly from the same logging area inside SEPM. I am using the SEP11 connector with log normalization enabled, which cuts out the computer name at the start of other existing, successfully ingested SEPM logs.

Just looking to see if anyone has successfully and fully exported SEPM 14 logs to SEM.

  • I checked the logs on the appliance (syslog6) and the IPS events are there.

    Seems as if SEM can't parse these logs since they never appear in SEM.

    Are we able to introduce custom GROK filters or do we have to open a ticket with support as a request for enhancement?

  • I would open a ticket and also request a feature enhancement. I've also noticed some events are often missing the userid or machine name. I too am using SEP14 now. Before I upgraded from SEP12 to SEP14 I was getting millions of SecurityCenter Errors Service Warning Provider SID SecurityCenter 17. I looked it up and MS said it was an AV issue, and luckily SEP14 fixed these. Half of all my events in SEM were these error messages from every single Windows machine in my environment.
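As an added illustration of the two symptoms raised in this thread (a normalization pattern that swallows the leading computer name, and events that arrive with the machine name missing), here is a small grok-style parser run over constructed syslog lines. This is example code written for this page, not SolarWinds SEM's, the SEP11 connector's, or Symantec's own parsing; the message layout after `SymantecServer:` is an invented stand-in and the field names (`computer`, `kind`, `src`, `dst`, `sig`) are assumptions, not the real SEPM export format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in RFC 3164 syslog shape. Everything after
# "SymantecServer:" is an invented stand-in for an IPS event; it is NOT the
# real SEPM log format. The third line deliberately has an empty computer name.
SAMPLE_LINES = [
    "<134>Sep 14 08:15:02 sepm01 SymantecServer: WS-042,IPS,sig=EXAMPLE-SIG-1,src=10.0.0.5,dst=203.0.113.9",
    "<134>Sep 14 08:15:03 sepm01 SymantecServer: WS-043,IPS,sig=EXAMPLE-SIG-2,src=10.0.0.7,dst=198.51.100.4",
    "<134>Sep 14 08:15:04 sepm01 SymantecServer: ,IPS,sig=EXAMPLE-SIG-3,src=10.0.0.9,dst=192.0.2.1",
]

# A normalization pattern that skips ahead to the first comma before naming
# any group. The leading computer name is consumed by ".*?," and never
# captured, which reproduces the "computer name cut out" symptom.
LOSSY_PATTERN = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) \S+: "
    r".*?,(?P<kind>\w+),(?P<fields>.*)$"
)

# The corrected pattern gives the computer name its own named group so it
# survives normalization even when it is empty.
STRICT_PATTERN = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) (?P<app>\S+): "
    r"(?P<computer>[^,]*),(?P<kind>\w+),(?P<fields>.*)$"
)


def parse_kv(fields: str) -> Dict[str, str]:
    """Split the comma-separated key=value tail into a dict (assumed layout)."""
    out: Dict[str, str] = {}
    for part in fields.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value
    return out


def parse_lossy(line: str) -> Optional[Dict[str, str]]:
    """Parse with the lossy pattern; the computer name is silently dropped."""
    m = LOSSY_PATTERN.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "relay": m["relay"], "kind": m["kind"], **parse_kv(m["fields"])}


def parse_strict(line: str) -> Optional[Dict[str, str]]:
    """Parse with the corrected pattern; the computer name is kept as a field."""
    m = STRICT_PATTERN.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "relay": m["relay"],
        "computer": m["computer"],
        "kind": m["kind"],
        **parse_kv(m["fields"]),
    }


def missing_computer(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records whose computer name is absent or empty, so they can be
    counted or alerted on instead of quietly accepted."""
    return [r for r in records if not r.get("computer")]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("lossy :", parse_lossy(line))
        print("strict:", parse_strict(line))
    strict_records = [r for r in (parse_strict(l) for l in SAMPLE_LINES) if r]
    print("records with no computer name:", len(missing_computer(strict_records)))
```

The point of keeping a dedicated `computer` group is that a blank value becomes visible as an empty field rather than disappearing into the message, which is what lets `missing_computer` flag the events this thread describes as arriving without a machine name. Whether SEM accepts a pattern of this shape as a custom parser is for support to confirm; the example only shows what to check for once the raw lines are in hand.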