IMPORTANT: The CEF Log Forward policy is not available in the Advanced Authentication as a Service (SaaS) version.
In this policy, you can configure settings to forward the logs to an external Syslog server. The central logging server can be used for log forwarding. To configure the policy, perform the following steps:
Set Enable to ON.
Set ArcSight CEF standard to ON to forward logs that comply with the ArcSight CEF format to the Syslog server.
Specify the IP address of the remote logging server in Syslog server.
Specify the port of the remote logging server in Port.
Select an applicable transfer protocol from Transport.
IMPORTANT: For Risk Audit events, only TCP is supported.
If you selected TCP with TLS from Transport, you can upload the CA certificate to secure the TLS connection between the Advanced Authentication Server and the external Syslog server.
Ignore certs is set to OFF, by default. When set to OFF, the connection is not validated by the CA certificate. Set Ignore certs to ON to secure the TLS connection with the provided certificate.
Click Choose File against CA certificates and select the CA certificate to secure the TLS connection.
Click Save.
NOTE: The same Syslog configuration is used for each server type. Each server type in the appliance records its own log file.
All logs of the Logs section except the Async and WebAuth logs are forwarded to the external Syslog server. For more information about logs, see Section 28.0, Logging.
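To confirm that events arriving at the external Syslog server are well-formed CEF, a receiver-side parser can be run over captured lines. The following Python is an added example, not part of the product or its documentation; the sample line, its host, vendor and product names, and its extension fields are constructed placeholders, and the parsing assumes the general ArcSight CEF layout of seven pipe-delimited header fields followed by key=value extensions.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key is a bare token before '=' at line start or after whitespace.
_KEY = re.compile(r"(?:^|\s)(\w+)=")
_ESCAPE = re.compile(r"\\(.)", re.S)
# Constructed sample line: host, vendor, product and field values are placeholders.
SAMPLE = (r"<134>Jan 10 12:00:00 aa-host CEF:0|ExampleVendor|ExampleProduct|1.0|"
          r"100|Logon \| failed|5|src=192.0.2.10 suser=jdoe "
          r"msg=Bad password\=attempt 2 of 3 outcome=failure")

def _split_header(body):
    """Split on unescaped '|' into the 7 header fields and the extension."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) == 6:               # no extension and no trailing '|'
        parts.append("".join(cur))
    if len(parts) != 7:
        raise ValueError("incomplete CEF header")
    return parts, body[i:]

def _unescape(value):
    # CEF extension escapes: \= \\ \n \r
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one syslog line carrying a CEF event into a dict."""
    start = line.find("CEF:")         # skip any syslog prefix before the marker
    if start < 0:
        raise ValueError("no CEF marker in line")
    parts, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER_FIELDS, parts))
    keys = list(_KEY.finditer(ext))
    event["extension"] = {            # a value runs until the next key or end of line
        m.group(1): _unescape(ext[m.end():nxt.start() if nxt else len(ext)])
        for m, nxt in zip(keys, keys[1:] + [None])
    }
    return event
```

Lines that raise `ValueError` are worth counting on the receiver, since they indicate events that were truncated in transit or were not sent in CEF format.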
For more information about how to integrate Advanced Authentication with an external log management server, see the example in Configuring Integration with Sentinel.