Enable Log Forwarding to an External Logging Platform Using the DB Configuration Tool

The Endpoint Security Manager can write logs to an external logging platform, such as security information and event management (SIEM), Service Organization Controls (SOCs), or syslog, in addition to storing its logs internally. Specifying an external logging platform allows you to view aggregated logs from all ESM Servers. You can enable external reporting using the Endpoint Security Manager (see Forward Logs to an External Logging Platform) or using the Database (DB) Configuration Tool.
The DB Configuration Tool is a command-line interface that provides an alternative to managing basic server settings using the ESM Console. You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt run as an administrator. The DB Configuration Tool is located in the Server folder on the ESM Server.
All commands run using the DB Configuration Tool are case sensitive.
By default, log forwarding is disabled.
  1. Open a command prompt as an administrator:
    • Select Start > All Programs > Accessories. Right-click Command Prompt, and then select Run as administrator.
    • Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
  2. Navigate to the folder that contains the DB Configuration Tool:
    C:\Users\Administrator> cd C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server
  3. (Optional) View the existing reporting settings:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>dbconfig reporting show
    EnableSyslog = False
    SyslogServer =
    SyslogPort = 0
    SyslogProtocol = Cef
    KeepAliveTimeout = 0
    MaximumReportsCount = 500000
    MinReportsCount = 450000
    SyslogCommunicationType = Udp
  4. Enable log forwarding to an external logging platform such as a syslog server:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting EnableSyslog true
  5. Specify the IP address (or hostname) of the external logging platform:
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting SyslogServer <ipaddress>
  6. Specify the communication port for the external logging platform, a value between 1 and 65535 (default is 514):
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting SyslogPort <portnumber>
  7. Specify the protocol that the ESM Console will use to send reports, either Cef, Leef, or Rfc5424 (syslog):
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting SyslogProtocol [Cef | Leef | Rfc5424]
  8. (Optional) Specify the interval (in minutes) at which a keep-alive message is sent to the external logging platform, a value of 0 or greater (default is 0):
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting KeepAliveTimeout <value>
  9. (Optional) Specify the maximum number of report notifications to store in the database, a value of 0 or greater (default is 4000):
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting MaximumReportsCount <value>
    For example, specifying a maximum report count of 5000 notifications means that once the count exceeds 5000, the Endpoint Security Manager discards the oldest notifications.
  10. (Optional) Specify the minimum number of report notifications to store in the database, a value of 0 or greater (default is 5000):
    C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server> dbconfig reporting MinReportsCount <value>
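After running the steps above, the quickest way to confirm that forwarding will actually take effect is to re-run dbconfig reporting show and check the values against each other. The following script is an added example, not part of the ESM product or its documentation: it parses the key = value output shown in step 3 and flags combinations that leave forwarding ineffective (enabled with no server, a port outside 1 to 65535, an unknown protocol, a minimum report count above the maximum); the 192.0.2.10 address and the "after steps 4-7" sample are constructed.

```python
VALID_PROTOCOLS = {"Cef", "Leef", "Rfc5424"}  # values accepted by SyslogProtocol (step 7)

# The output shown in step 3 of the procedure, before forwarding is enabled.
DEFAULT_SHOW = """\
C:\\Program Files\\Palo Alto Networks\\Endpoint Security Manager\\Server>dbconfig reporting show
EnableSyslog = False
SyslogServer =
SyslogPort = 0
SyslogProtocol = Cef
KeepAliveTimeout = 0
MaximumReportsCount = 500000
MinReportsCount = 450000
SyslogCommunicationType = Udp
"""

# Constructed output after steps 4-7; 192.0.2.10 is a documentation address, not a real SIEM.
CONFIGURED_SHOW = (DEFAULT_SHOW.replace("EnableSyslog = False", "EnableSyslog = True")
                   .replace("SyslogServer =", "SyslogServer = 192.0.2.10")
                   .replace("SyslogPort = 0", "SyslogPort = 514")
                   .replace("SyslogProtocol = Cef", "SyslogProtocol = Rfc5424"))

def parse_reporting_show(text: str) -> dict[str, str]:
    """Turn 'Key = Value' lines into a dict; a blank value stays ''."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:  # the prompt line carries no '=' and is skipped
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def _num(settings: dict[str, str], key: str) -> int:
    value = settings.get(key, "0")  # missing or non-numeric counts as 0
    return int(value) if value.isdigit() else 0

def check_reporting(settings: dict[str, str]) -> list[str]:
    """List the problems that would keep reports from reaching the platform."""
    if settings.get("EnableSyslog", "False").lower() != "true":
        return ["EnableSyslog is False: no reports are forwarded"]
    problems: list[str] = []
    if not settings.get("SyslogServer"):
        problems.append("SyslogServer is empty: forwarding has no destination")
    if not 1 <= _num(settings, "SyslogPort") <= 65535:
        problems.append("SyslogPort must be between 1 and 65535")
    if settings.get("SyslogProtocol") not in VALID_PROTOCOLS:
        problems.append("SyslogProtocol must be Cef, Leef or Rfc5424")
    if _num(settings, "MinReportsCount") > _num(settings, "MaximumReportsCount"):
        problems.append("MinReportsCount exceeds MaximumReportsCount")
    if settings.get("SyslogCommunicationType") == "Udp":
        problems.append("advisory: UDP delivery is unacknowledged, so dropped reports are not retried")
    return problems
```

Paste the real output of dbconfig reporting show into parse_reporting_show in place of the samples; an empty list from check_reporting means the settings are internally consistent, while the UDP advisory is a reminder to watch the platform for gaps rather than a misconfiguration.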