Security Information and Event Management (SIEM) technology gathers information about security alerts generated by network hardware and software components. It centralizes this data and generates reports to help you monitor activity, perform log audits, and respond to incidents. Workspace ONE UEM integrates with your SIEM tools by sending event logs using Syslog.

The event messages sent are the same ones that appear on the Event Logs page in the Workspace ONE UEM console, with the same Event Categories. During syslog configuration, you can opt to send Console events, Device events, or both. Any events generated by the Workspace ONE UEM console are sent to your SIEM tool according to the scheduler settings. The only way to control which events send messages is to customize the logging levels on the Events Settings system settings page.

On the Events Settings page, you can select a logging level for both the Console and Devices. Any logging level you select applies to what is shown in Workspace ONE UEM, stored in the database, and sent to your SIEM tool. Currently, you cannot opt to generate and store all events in Workspace ONE UEM while sending a separate batch of select messages to your SIEM tool, or vice versa.

Integration Advantages

Event logs are sent to a SIEM tool for security and convenience:

  • Security – Keep logs off site in a secure location in your SIEM systems.
  • Convenience – Store logs in a central location for easy access.

The data transmitted through the syslog server is tied to event data. For example, if the Workspace ONE UEM console categorizes a device event with the Debug severity, the syslog server uses the same severity. You can filter these settings, but you cannot change the severity categorization of the events in the Workspace ONE UEM console.
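Because the severity arrives unchanged and Workspace ONE UEM cannot send a reduced subset, any further filtering has to happen on the receiving side. The following is an added example, not code from Workspace ONE UEM or its documentation, of a receiver-side severity filter. It assumes events arrive as syslog lines with a standard PRI header (`<facility*8 + severity>`); the function names and sample lines are hypothetical and constructed for illustration.

```python
import re

# Syslog severity names; list index is the numeric severity (0 = most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(line):
    """Return (facility, severity, rest), or None without a valid PRI header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # largest valid PRI: facility 23 * 8 + severity 7
        return None
    return pri // 8, pri % 8, m.group(2)

def forward_filter(lines, max_severity=6):
    """Split received lines into (forwarded, dropped, malformed).

    Events with numeric severity <= max_severity are forwarded. Lines
    that cannot be decoded are kept aside for review, never discarded,
    so a sender-side format change does not silently lose audit records.
    """
    forwarded, dropped, malformed = [], [], []
    for raw in lines:
        decoded = decode_pri(raw.strip())
        if decoded is None:
            malformed.append(raw)
            continue
        _, severity, rest = decoded
        record = (SEVERITIES[severity], rest)
        (forwarded if severity <= max_severity else dropped).append(record)
    return forwarded, dropped, malformed

# Constructed sample input (not real Workspace ONE UEM output).
SAMPLE = [
    "<131>Jan 10 12:00:01 uem.example constructed console event: error",
    "<134>Jan 10 12:00:02 uem.example constructed device event: info",
    "<135>Jan 10 12:00:03 uem.example constructed device event: debug",
    "<999>Jan 10 12:00:04 uem.example constructed event: bad PRI",
    "constructed line with no PRI header",
]

if __name__ == "__main__":
    kept, dropped, bad = forward_filter(SAMPLE)
    print(len(kept), "forwarded,", len(dropped), "dropped,", len(bad), "for review")
```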

Console Alerts

An alert is sent to console administrators when the logging server fails to send an audit record to the Syslog server. In Account Settings, administrators can configure how they receive alerts. Alerts can be set for console, email, or both.

Types of Notifications

  • High - This alert shows a message for the initial failure.
  • Resolved - This alert appears when the server is restored and the audit record is sent to the Syslog server.