1. Go to Administration > Settings > Syslog Settings.  The Syslog Settings screen should then appear.
2. Select the Enable syslog forwarding check box.
3. Configure the following settings for the server that receives the forwarded syslogs:

   • Server address: Blumira Sensor IP

   • Port: Syslog server port number, 514 should be used

   • Protocol: Select the transmission protocol, TCP should be used

     If SSL/TLS is selected, Apex Central accepts valid self-signed certificates by default.

     • If the server certificate contains a Subject Alternative Name, the Subject Alternative Name must contain the server FQDN or IP address.

     • For additional security, use a valid server certificate or upload the server certificate to Apex Central.

4. (Optional unless SSL/TLS is used for syslog) To upload a server certificate if needed:
   1. Select the Use server certificate check box.
   2. Click Select to select the server certificate from your computer.
   3. Click Open – Apex Central uploads the selected server certificate.
      Note:

      • Apex Central only supports server certificates in X.509 format with .DER or .PEM encoding.

        For more information, see https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them.

      • Apex Central only supports uploading server certificates for SSL/TLS transmissions.

5. (Optional unless a proxy server is required) To use a proxy server for syslog forwarding, select the Use a SOCKS proxy server check box.

   • Apex Central only supports syslog forwarding over a SOCKS protocol proxy server for SSL/TLS or TCP transmissions.

   • Syslog forwarding does not support HTTP proxy servers. To use a proxy server for syslog forwarding, click Configure proxy settings and select a SOCKS protocol server on the Proxy Settingsscreen.

     For more information, see Configuring Proxy Settings for Component/License Updates, Cloud Services, and Syslog Forwarding.

   Apex Central uses the proxy server configured on the Proxy Settings screen (Administration > Settings > Proxy Settings) for syslog forwarding.

6. Select the log format, you’ll want to use CEF.  Below are the options you’ll likely see.

   • CEF: Uses the standard Common Event Format (CEF) for log messages

   • Apex Central format: Sets the syslog Facility code to “Local0” and the Severity code to “Notice”

   For more information, see Supported Log Types and Formats.

7. Configure the frequency for when Apex Central forwards the logs.  This should be every few minutes at the most to ensure best detection.
8. Select the log type(s) to forward:
   1. Select a all log categories from the Log type drop-down list:

      You can select log types from multiple log categories.

      • Security logs

      • Product information

   2. Select the check box(es) for the log(s) you want to forward.

      Apex Central displays the total number of selected log types next to the Log type drop-down list.

   3. Select another log category from Log type drop-down list to select additional logs types to forward to ensure full coverage.
9. (Optional) Click Test Connection to test the server connection.  This does not save the syslog settings, but, when using TCP or SSL/TLS should give you an idea as to the configuration status.  When using UDP you will not get a successful connection due to the nature of UDP, however, you can request Blumira Support validate data is landing.

   The syslog server connection status appears at the top of the screen.

10. Click Save.

Apex Central starts forwarding logs to the configured syslog server.

To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.

For more information, see Querying and Viewing Commands.