Hi,
I want to link ePO to another syslog server. By the way, I know that ePO only supports TLS 1.2. Is there a way for ePO to connect in a clear-text way rather than a TLS 1.2 way?
Because of this I'm failing to integrate between a regular syslog server or Splunk and ePO.
Thanks.
No, ePO will only connect via SSL using TLS 1.2. KB91194 lists ciphers that ePO can use with syslog.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
OK, thanks.
I registered the syslog server with TLS 1.2 in "ePO > Configuration > Registered Servers".
And I clicked the [Test Connection] button, so the result is "Syslog connection sucess".
But after that, despite the occurrence of a firewall threat event in ENS on any endpoint, ePO does not forward the event message to syslog.
What should I do in addition?
Thanks.
What does the eventparser log show for any errors? You can also run Wireshark when starting up the eventparser service to see what is happening with the handshake.
Hello,
Apologies for jumping in this thread, but I believe my question will also help the author. When are the events forwarded to Syslog exactly? Are they sent to Syslog by the event parser as soon as they are received (constant flow of events), or are they cached and then sent in bulk?
I am asking because upon checking the Audit Log I can see only few "Forward events" entries per day, while there are hundreds of systems connected to the respective ePO / Agent handlers.
Events are forwarded as soon as they hit the eventparser folder and are processed by eventparser, never cached and sent in bulk. Those would also not be logged in the audit log, or there would be nothing but that in the log. You may see that if you have an automatic response that sends events to an SNMP server or something like that - I would have to see what the event was to know for sure. You can match that with the server task log also to see what was running.
Otherwise you have to look at the eventparser log to see what the errors are. If you see SSL handshake errors, then you would first probably want to get an nmap output from the syslog server on their SSL port.
KB91194 - syslog TLS requirements
KB91115 - how to run nmap
If all else fails, stop eventparser, start up Wireshark on the ePO server, start up eventparser. When you see failures in the log, check Wireshark for the Client Hello and Server Hello response. If there is no Server Hello response, then syslog isn't set up to use TLS or they are using the wrong port.
Additionally, if the syslog server requires mutual authentication, such as a cert returned from ePO, that will fail - we don't support mutual authentication with syslog.
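The handshake checks described in the replies above (no Server Hello, wrong port or no TLS, mutual authentication requested), scripted as an added example that is not from the thread or from the vendor: it runs `openssl s_client` against the syslog receiver the way the ePO event parser connects (TLS 1.2 only, no client certificate) and classifies the output. The host, port and the use of GNU `timeout` are assumptions.

```shell
#!/bin/sh
# Added troubleshooting helper, not from the thread or from the vendor: probe a
# syslog receiver's TLS port the way the ePO event parser would (TLS 1.2 only,
# no client certificate) and turn the openssl s_client output into one verdict.
# Assumptions: openssl and GNU timeout are installed; host/port are placeholders.

SYSLOG_HOST="${SYSLOG_HOST:-syslog.example.internal}"   # assumed hostname
SYSLOG_PORT="${SYSLOG_PORT:-6514}"                       # assumed TLS syslog port

# classify_handshake: reads s_client output on stdin, prints one verdict:
#   NO_SERVER_HELLO  no TLS reply (refused, plaintext listener, wrong port)
#   MUTUAL_AUTH      server sent a CertificateRequest; ePO cannot satisfy it
#   HANDSHAKE_ERROR  server answered but the TLS 1.2 handshake did not complete
#   OK               TLS 1.2 session negotiated without a client certificate
classify_handshake() {
  out=$(cat)
  case "$out" in
    # s_client prints this line only after some TLS exchange; a refused connect
    # or a plaintext listener that never answers (killed by timeout) lacks it
    *"SSL handshake has read"*) ;;
    *) echo NO_SERVER_HELLO; return ;;
  esac
  case "$out" in
    *"wrong version number"*)            echo NO_SERVER_HELLO ;;
    *"Client Certificate Types:"*|*"Acceptable client certificate CA names"*)
                                         echo MUTUAL_AUTH ;;
    *":error:"*|*"Cipher    : 0000"*)    echo HANDSHAKE_ERROR ;;
    *"Protocol  : TLSv1.2"*)             echo OK ;;
    *)                                   echo HANDSHAKE_ERROR ;;
  esac
}

# probe_syslog_tls HOST PORT: run the handshake and classify it. -tls1_2 pins
# the version ePO uses; no -cert/-key, matching ePO's lack of mutual auth.
# </dev/null makes s_client exit after the handshake; timeout bounds a listener
# that never replies. Also review the raw "Verify return code" line yourself,
# since a certificate that s_client merely warns about may still be rejected.
probe_syslog_tls() {
  timeout 15 openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
    </dev/null 2>&1 | classify_handshake
}

# Only touch the network when explicitly asked, so the file can be sourced.
if [ -n "${RUN_PROBE:-}" ]; then
  probe_syslog_tls "$SYSLOG_HOST" "$SYSLOG_PORT"
fi
```

Run it as `RUN_PROBE=1 SYSLOG_HOST=<receiver> SYSLOG_PORT=<port> sh probe.sh`; a MUTUAL_AUTH verdict means the receiver must be reconfigured to stop requesting a client certificate before ePO can forward events to it.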