Question:


How can I configure FTK Central to send system event logs to an external Syslog server?


Answer:


An external Syslog server allows you to collect system logs in a single location. Servers and network devices have a limited amount of memory and recycle their internal event logs over time. Furthermore, in case of a disaster, the logs stored on a failed server may become completely inaccessible. An external Syslog server or a SIEM (Security Information and Event Management) solution keeps the system logs until you purge them and is designed to track, correlate, and analyse a vast amount of log data collected through the Syslog protocol.


This article explains how to configure FTK Central to send system event logs to an external Syslog server.


Step 1: On the FTK Central server, navigate to the "%ProgramFiles%\AccessData\Forensic Tools\7.5\bin\" folder.

Step 2: Open the file "ADG.WeblabSelfHost.exe.Config" using a text editor such as Notepad++.


CAUTION: Make sure to back up the file "ADG.WeblabSelfHost.exe.Config" before making any changes.


Step 3: Modify the configuration by adding a new appender to the section "log4net" as shown below:


NOTE: Only lines 12 to 18 and 22 of the snippet below (counting from the <log4net> line: the UdpAppender element and its appender-ref) should be added to the configuration file.


<log4net>
  <appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
    <param name="File" value="c:\users\public\Documents\user\AccessDataLogs\adgselfhost.txt" />
    <param name="AppendToFile" value="true" />
    <param name="MaximumFileSize" value="50MB" />
    <param name="RollingStyle" value="Size" />
    <param name="MaxSizeRollBackups" value="20" />
    <layout type="log4net.Layout.PatternLayout">
      <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
    </layout>
  </appender>
  <appender name="UdpAppender" type="log4net.Appender.UdpAppender">
    <remoteAddress value="192.168.1.100" />
    <param name="RemotePort" value="514" />
    <layout type="log4net.Layout.PatternLayout, log4net">
      <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
    </layout>
  </appender>
  <root>
    <level value="INFO" />
    <appender-ref ref="RollingLogFileAppender" />
    <appender-ref ref="UdpAppender" />
  </root>
</log4net>


The table below briefly describes the configuration items; line numbers are counted from the <log4net> line of the snippet above. You can modify the settings according to your environment and needs.


Line number   Item            Description
13            192.168.1.100   IP address of the Syslog server
14            514             Syslog port (UDP)
20            INFO            Logging level (available options: ALL, DEBUG, INFO, ERROR, FATAL, OFF)


Step 4: Save the changes.

Step 5: Restart the "AccessData Exterro Self Host Service" service.
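As an added example (not FTK Central's or log4net's own code), the receiver below parses the exact ConversionPattern used in the configuration above, so you can confirm on a test host that the appender really delivers before the remoteAddress is pointed at the production Syslog/SIEM server. It assumes a reachable UDP port (514 as on the page, or an ephemeral port for a loopback test) and uses constructed sample lines; note that UdpAppender emits the layout text bare, without a syslog <PRI> header, so a strict RFC 3164/5424 parser on the collector may need relaxed input handling or the log4net RemoteSyslogAppender instead.

```python
import re
import socket
# The page's ConversionPattern renders as (constructed sample):
#   2024-01-31 14:05:09,123 [12] INFO  ADG.Weblab.Startup [(null)] - Service started
# %-5level pads the level to 5 chars; %property{NDC} prints "(null)" when unset.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]*)\] "
    r"(?P<level>[A-Z]+) +"
    r"(?P<logger>\S+) "
    r"\[(?P<ndc>[^\]]*)\] - "
    r"(?P<message>.*)$",
    re.DOTALL,
)
# UdpAppender sends the layout text bare (no syslog <PRI>); accept one if present.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

def parse_datagram(data):
    """Split one datagram into fields; return None if it is not in this layout."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    pri = int(m.group("pri")) if m else None
    text = text[m.end():] if m else text
    m = LINE_RE.match(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = pri
    rec["ndc"] = None if rec["ndc"] == "(null)" else rec["ndc"]
    return rec

def bind_listener(host="127.0.0.1", port=514):
    """Bind the UDP port the appender targets (514 on the page; needs admin rights)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def collect(sock, count, timeout=2.0):
    """Read up to `count` datagrams; keep unparsable ones raw so stray senders show."""
    sock.settimeout(timeout)
    records = []
    for _ in range(count):
        try:
            data, (host, _port) = sock.recvfrom(65535)
        except socket.timeout:
            break
        rec = parse_datagram(data) or {"raw": data}
        rec["source"] = host
        records.append(rec)
    return records
```

UDP carries these lines in clear text with no delivery acknowledgement, so keep the collector on a trusted network segment and compare against the local rolling file if records appear to be missing.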