Prior to AirWatch 8.2, the Console and Device Event Logs are sent to integrated Syslog systems in scheduled batches (by default every 12 hours). As events occur, they are stored in the database and will show up in the Console UI. At each scheduled interval, a process will review the global list of events, identify any that occurred at an organization group with Syslog integration configured, and batch those events to send to the Syslog system. There are a few limitations to this approach. First of all, events in the Syslog system are not updated in real time. If a critical event occurs, this will not show up in the system until several hours later (although it will show up immediately in the Console UI). Additionally, there could be performance issues in some environments during the global sync process, depending on the number of total events.
In AirWatch 8.2, the workflow to send events to the Syslog system has been optimized. The process that stores the data of events in the database will, at the same time, send that same information over to the Syslog system rather than waiting for a scheduled time to do so. This allows numerous benefits, such as real-time data updates, more efficient processing, and the elimination of many performance issues surrounding this process.
Note regarding TCP vs. UDP protocols
When configuring Syslog integration, you will have the ability to configure either a UDP or TCP connection depending on what your system supports, with UDP being the default. As the UDP protocol is not necessarily a reliable protocol, it is possible that any specific message is not properly received by the Syslog system. However, all data is stored in the AirWatch database for a period of time until it is purged, so the Event Logs section in the AirWatch Admin Console should be used whenever there is any uncertainty in the data received.