Security Information and Event Management (SIEM) technology gathers information about security alerts generated by network hardware and software components. It centralizes this data and generates reports to help you monitor activity, perform log audits, and respond to incidents. AirWatch integrates with your SIEM tools by sending event logs using Syslog.
The event messages sent are the same ones that appear on the Event Logs page in the AirWatch Console, with the same Event Categories. During syslog configuration, you can opt to send Console events, Device events, or both. Any events generated by the AirWatch Console are sent to your SIEM tool according to the scheduler settings. The only way to control which events are sent is to customize the logging levels on the Events Settings system settings page.
On the Events Settings page, you can select a logging level for both the Console and Devices. The logging level you select applies to what is shown in AirWatch, what is stored in the AirWatch database, and what is sent to your SIEM tool. Currently, you cannot opt to generate and store all events in AirWatch while sending a separate batch of select messages to your SIEM tool, or the reverse.
Event logs are sent to a SIEM tool for security and convenience:
- Security – Keep logs off site in a secure location in your SIEM systems.
- Convenience – Store logs in a central location for easy access.