How to integrate AirWatch with Security Information and Event Management (SIEM) tools
AirWatch integrates with Security Information and Event Management (SIEM) tools, such as Splunk, using the syslog protocol. This configuration can be set in the Admin Console by navigating to Groups & Settings > All Settings > System > Enterprise Integration > Syslog. The hostname should be set to the URL for the SIEM tool and the port is the port number to communicate with the SIEM tool.
AirWatch can send all events seen in the console under Hub > Report & Analytics > Events > Device and Console Events. However, the specific events sent are configurable under the Advanced tab on the syslog configuration page in the Admin Console. For more information on the configuration of syslog integration with AirWatch, refer to pages 8 & 9 of the Reports & Analytics Guide.