Use the Syslog Settings screen to configure Apex Central to forward supported logs to a syslog server.

Note:

  • If you migrated to Apex Central from a previous Control Manager installation, Apex Central automatically imports your previous syslog forwarding settings configured using the LogForwarder tool (<Control Manager installation directory>\LogForwarder.exe).

  • After migrating to Apex Central, you will no longer be able to execute the LogForwarder tool.

Configuring Apex One Logging

  1. Go to Administration > Settings > Syslog Settings.  The Syslog Settings screen should then appear.
  2. Select the Enable syslog forwarding check box.
  3. Configure the following settings for the server that receives the forwarded syslogs:
    • Server address: Blumira Sensor IP

    • Port: Syslog server port number, 514 should be used

    • Protocol: Select the transmission protocol, TCP should be used

      If SSL/TLS is selected, Apex Central accepts valid self-signed certificates by default.

      • If the server certificate contains a Subject Alternative Name, the Subject Alternative Name must contain the server FQDN or IP address.

      • For additional security, use a valid server certificate or upload the server certificate to Apex Central.

  4. (Optional unless SSL/TLS is used for syslog) To upload a server certificate if needed:
    1. Select the Use server certificate check box.
    2. Click Select to select the server certificate from your computer.
    3. Click Open – Apex Central uploads the selected server certificate.
      Note:

  5. (Optional unless a proxy server is required) To use a proxy server for syslog forwarding, select the Use a SOCKS proxy server check box.

    Apex Central uses the proxy server configured on the Proxy Settings screen (Administration > Settings > Proxy Settings) for syslog forwarding.

  6. Select the log format, you’ll want to use CEF.  Below are the options you’ll likely see.
    • CEF: Uses the standard Common Event Format (CEF) for log messages

    • Apex Central format: Sets the syslog Facility code to “Local0” and the Severity code to “Notice”

    For more information, see Supported Log Types and Formats.

  7. Configure the frequency for when Apex Central forwards the logs.  This should be every few minutes at the most to ensure best detection.
  8. Select the log type(s) to forward:
    1. Select a all log categories from the Log type drop-down list:

      You can select log types from multiple log categories.

      • Security logs

      • Product information

    2. Select the check box(es) for the log(s) you want to forward.

      Apex Central displays the total number of selected log types next to the Log type drop-down list.

    3. Select another log category from Log type drop-down list to select additional logs types to forward to ensure full coverage.
  9. (Optional) Click Test Connection to test the server connection.  This does not save the syslog settings, but, when using TCP or SSL/TLS should give you an idea as to the configuration status.  When using UDP you will not get a successful connection due to the nature of UDP, however, you can request Blumira Support validate data is landing.

    The syslog server connection status appears at the top of the screen.

  10. Click Save.

Apex Central starts forwarding logs to the configured syslog server.

To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

For more information, see Querying and Viewing Commands.