Enable Log Forwarding to an External Logging Platform

The ESM Console and ESM Servers collectively generate logs for more than 60 types of events, including security events, policy configuration changes, and monitoring events (agent and server), that can be forwarded to an external logging platform. By enabling log forwarding, you can send all or a selected subset of these logs to an external service for long-term storage and analysis.
The ESM component that forwards a log depends on the type of event. For example, if you monitor verdict changes, the ESM Console sends the log when you override the verdict for a hash, whereas the ESM Server sends the log when WildFire changes the verdict. In a deployment with multiple ESM Servers, every ESM Server can forward logs, so the external logging platform must be reachable from each of them.
To send logs, the ESM components bypass any configured proxy settings and use TCP or TCP with SSL for reliable transport (SSL adds encryption), or UDP, which provides neither delivery guarantees nor confidentiality, so logs sent over UDP can be lost or read in transit. With SSL, the ESM component uses the certificate presented by the external logging platform to secure the connection.
The ESM can send the logs in CEF, LEEF, or Syslog format.
The date and time of each logged event is in UTC.
  1. Enable log forwarding.
    From the ESM Console, select Settings > ESM > Syslog, and then select Enable Syslog.
  2. Configure the settings to send logs from ESM components to an external logging platform. To send logs to an email, see Forward Logs to Email.
    Configure the following settings:
    • Syslog Server—Hostname or IP address of the external logging platform.
    • Syslog Port—Communication port of the external logging platform, such as 514.
    • Syslog Protocol—The log format the ESM uses to send reports: CEF, LEEF, or Syslog.
    • Keep-alive Timeout—Interval (in minutes) at which Traps sends a keep-alive message to the external logging platform (default is 0; range is 0 to 2,147,483,647). A value of 0 specifies that no keep-alive message is sent to the external logging platform.
    • Communication Protocol—Transport layer protocol that the ESM uses to send syslog reports: TCP, TCP with SSL, or UDP.
  3. Select the events that you want to send to the external logging platform.
    In the Logging Events area, select one or more of the events. Scroll through the list to see additional types of events you can send.
  4. Save your settings.
    Click Save.
  5. Verify the configuration of your settings.
    Click Check Connectivity. The ESM Console sends a test communication to the external logging platform using the settings you configured. If you do not receive the test message, confirm that the settings are correct, that the platform's listener is bound to the configured port and transport protocol, and that nothing between the ESM and the platform blocks the connection, and then try again.