Enable Log Forwarding to an External Logging Platform
4.2 (EoS)
The ESM Console and ESM Servers collectively generate logs for over 60 types of events, including security events, policy configuration changes, and monitoring events (agent and server), that can be forwarded to an external logging platform. When you enable log forwarding, the ESM forwards all or a selected subset of these logs to an external service for long-term storage and analysis.

Which ESM component forwards a given log depends on the type of event. For example, if you monitor verdict changes, the ESM Console sends the log when you override the verdict for a hash, and the ESM Server sends the log when WildFire changes the verdict. In a deployment with multiple ESM Servers, every ESM Server can forward logs, so the external logging platform must accept connections from each of them, not only from the console.
To send logs, the ESM components bypass any configured proxy settings and connect directly to the external logging platform. Transport is TCP or TCP with SSL for reliable delivery, or UDP, which offers neither delivery guarantees nor confidentiality. Only TCP with SSL encrypts the logs in transit; plain TCP is reliable but sends them in cleartext. With SSL, the ESM component uses the certificate presented by the external logging platform to establish the encrypted session, so make sure the platform presents a certificate that the ESM hosts trust. Because proxy settings are bypassed, the ESM Console and every ESM Server need direct network reachability to the platform on the configured port.
The ESM can format the logs it sends as CEF, LEEF, or plain Syslog. The date and time of each logged event is in UTC, so configure the receiving platform to interpret the timestamps as UTC rather than local time.
- Enable log forwarding. From the ESM Console, select Settings > ESM > Syslog, and then Enable Syslog.
- Configure the settings that the ESM components use to send logs to the external logging platform. (To send logs to an email address instead, see Forward Logs to Email.)
  - Syslog Server: Hostname or IP address of the external logging platform.
  - Syslog Port: Listening port of the external logging platform, for example 514.
  - Syslog Protocol: Log format the ESM uses to send the logs: CEF, LEEF, or Syslog.
  - Keep-alive Timeout: Interval (in minutes) at which Traps sends a keep-alive message to the external logging platform (default is 0; range is 0 to 2,147,483,647). A value of 0 disables keep-alive messages.
  - Communication Protocol: Transport protocol the ESM uses to send syslog reports: TCP, TCP with SSL, or UDP. Only TCP with SSL protects the logs in transit.
- Select the events that you want to send to the external logging platform. In the Logging Events area, select one or more events. Scroll through the list to see the additional types of events you can send.
- Save your settings. Click Save.
- Verify the configuration. Click Check Connectivity. The ESM Console sends a test communication to the external logging platform using the settings you configured. If the test message does not arrive, confirm that the hostname, port, and transport protocol match what the platform is listening on and that the network path from the ESM hosts to the platform is open (proxy settings are bypassed), then try again. Because the test is sent by the ESM Console, it does not by itself confirm that each ESM Server can reach the platform.
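To check what the receiving side actually gets once forwarding is enabled, the following is an added example (not part of this documentation and not Traps or ESM code) that parses syslog lines carrying CEF or LEEF payloads, as the external logging platform sees them after you select CEF or LEEF as the Syslog Protocol. The sample lines, vendor and product strings, event IDs and extension keys are constructed for illustration and are not actual ESM output; the syslog header is assumed to be RFC 3164 style. The parser honours CEF's backslash escapes, handles LEEF 1.0 (tab-delimited) and LEEF 2.0 (explicit delimiter), and attaches UTC to the header timestamp in line with the note above that event times are in UTC.

```python
"""Parse CEF and LEEF events as an external logging platform receives them over
syslog. Added example; the sample lines below are constructed, not Traps ESM output."""
import re
from datetime import datetime, timezone

# Optional RFC 3164 header (<PRI>, timestamp, host) in front of the payload.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>\S+) )?"
    r"(?P<payload>(?:CEF|LEEF):.*)$")
_CEF_HEADER = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_LEEF_HEADER = ("version", "vendor", "product", "device_version", "event_id")
# CEF extension: space-separated key=value pairs; values may contain spaces, and a
# literal '=' inside a value is escaped as backslash-equals, so split only before keys.
_CEF_PAIR_SPLIT = re.compile(r"\s+(?=[\w.]+=)")


def _split_header(payload, nfields):
    """Consume nfields pipe-delimited header values, honouring the backslash escapes
    CEF allows for pipe and backslash, and return them with the untouched remainder."""
    parts, buf, i = [], [], 0
    while i < len(payload) and len(parts) < nfields:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(parts) < nfields:
        raise ValueError("truncated header: %r" % payload)
    return parts, payload[i:]


def _cef_unescape(value):  # escapes defined for CEF extension values: \= \\ \n \r
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def _parse_cef(payload):
    header, ext = _split_header(payload, len(_CEF_HEADER))
    event = dict(zip(_CEF_HEADER, header))
    event["version"] = event["version"][len("CEF:"):]
    pairs = (p.partition("=") for p in _CEF_PAIR_SPLIT.split(ext.strip()) if p)
    event["extension"] = {k: _cef_unescape(v) for k, _, v in pairs}
    return event


def _parse_leef(payload):
    header, rest = _split_header(payload, len(_LEEF_HEADER))
    event = dict(zip(_LEEF_HEADER, header))
    event["version"] = event["version"][len("LEEF:"):]
    delim = "\t"  # LEEF 1.0 always separates attributes with a tab
    if event["version"].startswith("2."):
        # LEEF 2.0 adds a delimiter field: empty (tab), one literal character,
        # or a hex code point such as x5E.
        (spec,), rest = _split_header(rest, 1)
        if re.fullmatch(r"x[0-9A-Fa-f]{2,4}", spec):
            delim = chr(int(spec[1:], 16))
        elif spec:
            delim = spec
    pairs = (p.partition("=") for p in rest.split(delim) if p)
    event["extension"] = {k: v for k, _, v in pairs}
    return event


def parse_forwarded_event(line):
    """Return the syslog header fields plus the parsed CEF or LEEF body."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("line does not carry a CEF or LEEF payload")
    payload = m.group("payload")
    event = _parse_cef(payload) if payload.startswith("CEF:") else _parse_leef(payload)
    event["format"] = payload[:payload.index(":")]
    event["host"] = m.group("host")
    event["syslog_time"] = m.group("ts")
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        event["facility"], event["syslog_severity"] = pri >> 3, pri & 7
    return event


def syslog_time_utc(event, year):
    """RFC 3164 timestamps carry no year or zone. The ESM emits event times in UTC,
    so attach UTC explicitly instead of letting the platform assume local time."""
    ts = datetime.strptime("%s %d" % (event["syslog_time"], year), "%b %d %H:%M:%S %Y")
    return ts.replace(tzinfo=timezone.utc)


# Constructed sample lines (not real Traps output): a CEF event from the console,
# then a LEEF 1.0 and a LEEF 2.0 event from two servers.
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 esm-console CEF:0|ExampleVendor|Example ESM|1.0|100|"
    "Verdict Override|5|suser=admin msg=Override\\=benign fname=C:\\\\tools\\\\a.exe",
    "<134>Oct 11 22:14:16 esm-server1 LEEF:1.0|ExampleVendor|Example ESM|1.0|200|"
    "src=10.0.0.5\tsuser=bob\tmsg=Verdict changed by WildFire",
    "<134>Oct 11 22:14:17 esm-server2 LEEF:2.0|ExampleVendor|Example ESM|1.0|200|x5E|"
    "src=10.0.0.6^suser=alice",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_forwarded_event(raw))
```

Run the module directly to see the three constructed lines parsed, or point `parse_forwarded_event` at lines captured from your own listener once Check Connectivity succeeds. Plain Syslog format carries free text and has no field structure to parse beyond the header, which is why CEF or LEEF is the better choice when the platform is expected to alert on individual fields.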