First things first, this is basically a problem in Symantec's product, I
wonder though if there's a workaround on the Sentinel side.

As it is, Symantec Endpoint Protection 12.1, when configured to log to
Sentinel via Syslog incorrectly (in violation of the RFC) sends
"SymantecServer" as the hostname, more precisely they send

"SymantecServer <RealHostname>"

so that if one has multiple such servers, they get lumped together in
Sentinel as one under the name "SymantecServer".

Apart from kicking Symantec in the behind, is there anything I can do in
Sentinel to distinguish the individual observers? Like some logic to
look at the <RealHostname> that it sends, aka ignore the trailing
"SymantecServer " somehow?

Massimo Rosen
Novell Knowledge Partner
No emails please!
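A receiver-side normalizer for the quirk described in the post, as an added example (hypothetical code, not Sentinel's or Symantec's own logic): it assumes BSD-style syslog lines of the form "<PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE", where SEP puts the literal "SymantecServer" in the hostname field and the real host name as the first token of the message, and it moves that token back into the hostname so each server is distinguishable. The sample lines are constructed.

```python
import re
from typing import Optional, Tuple

# Hypothetical BSD-syslog matcher: priority, timestamp, hostname, message.
SYSLOG_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# The label SEP 12.1 sends instead of the hostname (as described in the post).
BOGUS_HOST = "symantecserver"


def split_symantec_host(host: str, msg: str) -> Tuple[str, str]:
    """If the hostname field is the literal 'SymantecServer', treat the first
    message token as the real hostname. Other hosts pass through unchanged."""
    if host.lower() != BOGUS_HOST:
        return host, msg
    parts = msg.split(" ", 1)
    if not parts[0]:
        return host, msg  # nothing after the label; keep the line as-is
    real_host = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    return real_host, rest


def normalize(line: str) -> Optional[dict]:
    """Parse one syslog line into fields, with the SEP hostname corrected.
    Returns None when the line does not match the expected layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg = split_symantec_host(m.group("host"), m.group("msg"))
    return {"pri": m.group("pri") or "", "timestamp": m.group("ts"),
            "host": host, "msg": msg}


def rebuild(line: str) -> str:
    """Re-emit the line with the bogus label stripped; unparseable lines
    are returned untouched so nothing is dropped."""
    ev = normalize(line)
    if ev is None:
        return line
    return f"{ev['pri']}{ev['timestamp']} {ev['host']} {ev['msg']}"


# Constructed sample input: two SEP servers plus one unrelated device.
SAMPLE_LINES = [
    "<13>Mar  1 12:34:56 SymantecServer sep-a.example.com Scan complete",
    "<13>Mar  1 12:35:10 SymantecServer sep-b.example.com Scan complete",
    "<13>Mar  1 12:36:00 fw01.example.com link up",
]
```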