Question:
How can I configure FTK Central to send system event logs to an external Syslog server?
Answer:
An external Syslog server lets you collect system logs in a single location. Servers and network devices have a limited amount of storage and recycle their internal event logs over time; in a disaster, the logs held on a failed server may also become completely inaccessible. An external Syslog server or a SIEM (Security Information and Event Management) solution keeps the logs until you purge them, and is designed to track, correlate and analyse large volumes of log data received over the Syslog protocol.
This article explains how to configure FTK Central to send system event logs to an external Syslog server.
Step 1: On the FTK Central server, navigate to the "%ProgramFiles%\AccessData\Forensic Tools\7.5\bin\" folder.
Step 2: Open the file "ADG.WeblabSelfHost.exe.Config" using a text editor such as Notepad++.
CAUTION: Back up the file "ADG.WeblabSelfHost.exe.Config" before making any changes.
Step 3: Add a new appender to the "log4net" section and reference it from the "root" element, as shown below:
NOTE: Only lines 12 to 18 (the UdpAppender element) and line 22 (the appender-ref that enables it) should be added to the configuration file. The remaining lines show the existing configuration for context and must be left as they are.
 1  <log4net>
 2    <appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
 3      <param name="File" value="c:\users\public\Documents\user\AccessDataLogs\adgselfhost.txt" />
 4      <param name="AppendToFile" value="true" />
 5      <param name="MaximumFileSize" value="50MB" />
 6      <param name="RollingStyle" value="Size" />
 7      <param name="MaxSizeRollBackups" value="20" />
 8      <layout type="log4net.Layout.PatternLayout">
 9        <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
10      </layout>
11    </appender>
12    <appender name="UdpAppender" type="log4net.Appender.UdpAppender">
13      <remoteAddress value="192.168.1.100" />
14      <param name="RemotePort" value="514" />
15      <layout type="log4net.Layout.PatternLayout, log4net">
16        <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
17      </layout>
18    </appender>
19    <root>
20      <level value="INFO" />
21      <appender-ref ref="RollingLogFileAppender" />
22      <appender-ref ref="UdpAppender" />
23    </root>
24  </log4net>
The table below briefly describes the configuration items you will normally change. Adjust them to your environment and needs.
Line number | Item | Description |
13 | 192.168.1.100 | IP address of the Syslog server (placeholder; replace with your collector's address) |
14 | 514 | Syslog port (UDP); must match the port the collector listens on |
20 | INFO | Minimum logging level forwarded to both appenders (available options: ALL, DEBUG, INFO, WARN, ERROR, FATAL, OFF) |
Note that log4net's UdpAppender sends each rendered log line as a plain UDP datagram without a Syslog <PRI> header, so most collectors file these messages under their default facility and severity unless they parse the level out of the message text. The traffic is also unencrypted and unauthenticated: keep it on a trusted network segment and configure the collector to accept datagrams only from the FTK Central host.
Step 4: Save the changes.
Step 5: Restart the "AccessData Exterro Self Host Service" service.
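The following PowerShell script is an added example that automates Steps 1 to 5; it is not part of the original article and is not Exterro code. The file path and service name are the ones stated above, the Syslog address 192.168.1.100 is the article's placeholder and must be replaced with your collector, and the final reachability test is a convenience added here. Run it from an elevated prompt, since it writes under Program Files and restarts a service.

```powershell
# Added example (not from the article or Exterro): back up the config, add the
# UdpAppender and its appender-ref, restart the service, then send one test datagram.
# Assumptions: path and service name as stated in the article; 192.168.1.100 is the
# article's placeholder Syslog server and must be replaced.
param(
    [string]$SyslogServer = '192.168.1.100',
    [int]$SyslogPort      = 514,
    [string]$ConfigPath   = (Join-Path $env:ProgramFiles 'AccessData\Forensic Tools\7.5\bin\ADG.WeblabSelfHost.exe.Config'),
    [string]$ServiceName  = 'AccessData Exterro Self Host Service'
)
$ErrorActionPreference = 'Stop'

# Step 2 CAUTION: timestamped backup next to the original before any change.
$backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $ConfigPath -Destination $backup
Write-Host "Backup written to $backup"

# Load as XML with whitespace preserved so the rest of the file is not reflowed.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($ConfigPath)

$log4net = $cfg.SelectSingleNode('//log4net')
if (-not $log4net) { throw "No <log4net> section found in $ConfigPath" }
$root = $log4net.SelectSingleNode('root')
if (-not $root) { throw "No <root> element inside <log4net> in $ConfigPath" }

# Step 3: add the appender only once, so re-running the script is harmless.
if ($log4net.SelectSingleNode("appender[@name='UdpAppender']")) {
    Write-Warning 'UdpAppender already present; configuration left unchanged.'
} else {
    # Same appender as the article (lines 12 to 18), with address and port filled in.
    $appenderXml = @"
<appender name="UdpAppender" type="log4net.Appender.UdpAppender">
  <remoteAddress value="$SyslogServer" />
  <param name="RemotePort" value="$SyslogPort" />
  <layout type="log4net.Layout.PatternLayout, log4net">
    <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
  </layout>
</appender>
"@
    $frag = $cfg.CreateDocumentFragment()
    $frag.InnerXml = $appenderXml
    [void]$log4net.InsertBefore($frag, $root)

    # Line 22 of the article: wire the new appender into <root>.
    $ref = $cfg.CreateElement('appender-ref')
    $ref.SetAttribute('ref', 'UdpAppender')
    [void]$root.AppendChild($ref)

    # Step 4: save.
    $cfg.Save($ConfigPath)
    Write-Host "UdpAppender added to $ConfigPath"
}

# Step 5: restart the service; match on name or display name since either may be shown.
$svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } | Select-Object -First 1
if (-not $svc) { throw "Service '$ServiceName' not found" }
Restart-Service -InputObject $svc
Write-Host "Restarted '$($svc.DisplayName)' (status: $((Get-Service -Name $svc.Name).Status))"

# Reachability check: one datagram in the same shape log4net will send. UDP gives no
# acknowledgement, so confirm on the collector (for example by tailing its log) that it arrived.
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $line = '{0} [{1}] {2,-5} {3} [] - {4}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss,fff'), 1, 'INFO', 'FTKCentral.SyslogTest', "test datagram from $env:COMPUTERNAME"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line + "`n")
    [void]$udp.Send($bytes, $bytes.Length, $SyslogServer, $SyslogPort)
    Write-Host "Sent test datagram to ${SyslogServer}:$SyslogPort"
} finally {
    $udp.Close()
}
```

The script refuses to run if the log4net or root elements are missing, and it skips the edit when an appender named UdpAppender already exists, so running it twice does not produce duplicate appender-ref entries. If anything goes wrong after the edit, restore the .bak file it wrote and restart the service again.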