Syslog Configuration on Apex
To send logs to SGBox, you first need to modify your syslog settings:
- Go to Detections > Notifications > Notification Method Settings. The Notification Method Settings screen will appear.
- In the Syslog Settings section, specify the following:
  - Server IP address: Type the IPv6 or IPv4 address of the syslog server
  - Port: The port number of the syslog server
  - Facility: Select the facility code
- Click Save
Now enable Syslog Forwarding:
- Log in to Apex Central console using an Administrator account
- Go to Administration > Settings > Syslog Settings. The Syslog Settings screen appears.
- Select the Enable syslog forwarding check box.
- Configure the following settings for the server that receives the forwarded syslogs:
  - Server address: FQDN or IP address of the receiving Syslog or SIEM server.
  - Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it’s usually port 6514.
  - Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server.
  - NOTE: If SSL/TLS is selected, by default Apex Central accepts the receiver’s SSL certificate without validation, which means the receiver’s identity is not verified.
    - As a security best practice, upload the CA certificate that issued the receiver’s SSL certificate to enable SSL certificate validation.
    - If the receiver’s SSL certificate is self-signed, it must contain a Subject and a Subject Alternative Name, and the CN Name and DNS Name must contain the receiver host’s FQDN or IP address.
    - Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding.
(Optional) To use a proxy server for syslog forwarding, select the Use a SOCKS proxy server check box. Apex Central uses the proxy server configured on the Proxy Settings screen (Administration > Settings > Proxy Settings) for syslog forwarding.
NOTE:
Apex Central only supports syslog forwarding over a SOCKS protocol proxy server for SSL/TLS or TCP transmissions.
Syslog forwarding does not support HTTP proxy servers. To use a proxy server for syslog forwarding, click Configure proxy settings and select a SOCKS protocol server on the Proxy Settings screen.
- Select the log Format:
  - CEF: Uses the standard Common Event Format (CEF) for log messages
- Select the log type(s) to forward:
  - Select a log category from the Log type dropdown list:
    - Security logs
    - Product information
  - Select the check box(es) for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
  - (Optional) Select another log category from the Log type dropdown list to select additional log types to forward.
- Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
- Click Save

NOTE:
- Apex Central starts forwarding logs to the configured syslog server.
- To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.
Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.
- Log in to Apex Central console using an Administrator account.
- Go to Administration → Settings → Syslog Settings. The Syslog Settings screen appears.
- Select the Enable syslog forwarding check box.
- Configure the following settings for the server that receives the forwarded syslogs:
  - Server address: FQDN or IP address of the receiving Syslog or SIEM server.
  - Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it’s usually port 6514.
  - Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server.
  - NOTE: As a security best practice, upload the CA certificate that issued the receiver’s SSL certificate to enable SSL certificate validation. If the receiver’s SSL certificate is self-signed, it must contain a Subject and a Subject Alternative Name, and the CN Name and DNS Name must contain the receiver host’s FQDN or IP address. Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding.
- Select the log Format:
  - CEF: Uses the standard Common Event Format (CEF) for log messages
- Configure the Frequency for when Apex Central forwards the logs.
- Select the log type(s) to forward:
  - Select a log category from the Log type dropdown list:
    - Security log
    - Product information
  - Select the check box for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
  - (Optional) Select another log category from the Log type dropdown list to select additional log types to forward.
- Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
- Click Save.
NOTE:
- Apex Central starts forwarding logs to the configured syslog server.
- To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.
If SSL/TLS is selected, by default Apex Central accepts the receiver's SSL certificate without validation:
- As a security best practice, upload the CA certificate that issued the receiver’s SSL certificate to enable SSL certificate validation.
- If the receiver’s SSL certificate is self-signed, it must contain a Subject and a Subject Alternative Name, and the CN Name and DNS Name must contain the receiver host’s FQDN or IP address.
- Apex Central only supports CA certificates in X.509 format with .DER or .PEM encoding.
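
One way to create and check a self-signed receiver certificate that meets the requirements above, using the OpenSSL command line (1.1.1 or later, for `-addext`) on the syslog receiver. This is an added example, not part of the original article or of the vendor's documentation; `siem.example.internal` and `192.0.2.10` are placeholder values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed placeholder values: replace the FQDN and IP
# with those of your own receiving syslog/SIEM server.

# Create a self-signed certificate whose Subject CN and Subject Alternative
# Name carry the receiver FQDN and IP, in PEM, plus a DER-encoded copy.
make_receiver_cert() {
    fqdn=$1; ip=$2; dir=$3
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$dir/receiver.key" -out "$dir/receiver.pem" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn,IP:$ip" 2>/dev/null
    ) &&
    openssl x509 -in "$dir/receiver.pem" -outform DER -out "$dir/receiver.der"
}

# Succeeds only if the certificate is valid for the given host name.
# OpenSSL prints "does match" or "does NOT match" and exits 0 either way,
# so the result is taken from the text.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Same check for an IP address entry in the Subject Alternative Name.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# SHA-256 fingerprint of a certificate file; $2 is PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_receiver_cert siem.example.internal 192.0.2.10 "$demo_dir" &&
cert_matches_host "$demo_dir/receiver.pem" siem.example.internal &&
cert_matches_ip "$demo_dir/receiver.pem" 192.0.2.10 &&
echo "certificate files written to $demo_dir"
```

Running the same two match checks against the address typed into the Server address field shows whether validation will pass before it is enabled in the console.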