Modify Log Server elements

One Log Server element is automatically created during SMC installation. You can change the settings as necessary.

You can:

  • Rename the Log Server element.
  • Change the Log Server’s IP address.
  • Change the platform on which the Log Server runs.
  • Define other Log Servers that you can use as backup Log Servers.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Home.
  2. Browse to Others > Log Server.
  3. Right-click the Log Server, then select Properties.
  4. Change the Log Server properties.
    Note: We recommend that you always use the default port 3020 if possible. To use a non-standard port, manually add Access rules to allow communications using the new port from the NGFW Engines to the Log Server.
    Note: Be careful when excluding Log Servers from reporting. If you select this setting for a Log Server that is in use, there is no warning that generated reports are missing data.
  5. Click OK.

Log Server Properties dialog box

Use this dialog box to define Log Server properties.

Option Definition
General tab
Name The name of the element.
IPv4 Address Enter the IPv4 address of the server. The server can have both an IPv4 and an IPv6 address.
IPv6 Address Enter the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address.
Resolve Automatically resolves the IP address of the server.
Location Specifies the location for the server if there is a NAT device between the server and other SMC components.
Location Specifies the location for the server if there is a NAT device between the server and other SMC components.
Contact Addresses section
Default Used by default when a component that belongs to another Location connects to this server.
Exceptions Allows you to define exceptions to the default contact address. Opens the Exceptions dialog box.
Port

(Optional)

Enter the Log Server's TCP Port Number.

We recommend that you always use the default port 3020 if possible.

Log Storage Full

Specifies the action when the log storage on the Log Server is full.

  • Stop Receiving — The Log Server stops receiving log entries.
  • Overwrite Oldest — The Log Server overwrites log entries, starting with the oldest log entries.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the element right-click menu.Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Exclude from Log Browsing, Statistics and Reporting

(Optional)

Select this option if you do not want the Log Server to gather statistical information for monitoring and you do not want its logging data to be included in Reports. In most situations, it is better to leave this option deselected.
Option Definition
High Availability tab
Secondary Log Servers Shows the secondary Log Servers. Click Add to add an element to the list, or Remove to remove the selected element.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
Log Forwarding tab
Target Host The Host element that represents the target host to which the log data is forwarded.

Double-clicking this cell opens the Select Host dialog box.

Service The network protocol for forwarding the log data. Click the cell, then select the Service from the drop-down list.
  • TCP
  • UDP (For IPFIX and NetFlow v9, this is the only available network protocol.)
  • TCP with TLS
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the Service in the Access rule.
Port The port that is used for log forwarding. The default port used by IPFIX/NetFlow data collectors is 2055. Double-click to edit the cell.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the port you select is also used as the port in the Access rule.
Format Click the cell, then select the log forwarding format from the drop-down list.
  • CSV — Forwards log data in comma separated value format.
  • XML — Forwards log data in XML format.
  • CEF — Forwards log data in common event format.
  • LEEF — Forwards log data in log extended event format.
  • NetFlow v9 — Forwards log data in a format that is compatible with NetFlow v9.
  • IPFIX — Forwards log data in a format that is compatible with IPFIX.
  • McAfee ESM — Forwards log data in a format that is compatible with McAfee ESM.
  • Forcepoint UEBA — This option is not yet supported. For more information about Forcepoint UEBA, see the Forcepoint UEBA documentation at https://⁠support.forcepoint.com/Documentation.
Filter

(Optional)

An optional local filter that defines which log data is forwarded. The local filter is only applied to the log data that matches the Log Forwarding rule. Double-clicking this cell opens the Select Local Filter Properties dialog box.
TLS Profile Allows you to select a TLS Profile element that contains, for example, the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-clicking this cell opens the Select a TLS Profile dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service.
TLS Server Identity

(Optional, only if a TLS Profile is selected)

Select the identity of a TLS server to secure the TLS-protected traffic from the Log Server to an external syslog server. Double-clicking this cell opens the TLS Server Identity dialog box.
Data Type The type of log data that is forwarded. Click the cell, then select the log data type from the drop-down list. Click Add to add a row to the table, or Remove to remove the selected row.
Log Server TLS Certificate Used for Forwarding Logs Select the certificate for TLS-protected log forwarding.
  • Use Internal Certificate — Log Server certificate (signed by the Internal CA) is used for TLS-protected syslog communication.
  • Use Imported Certificate — A certificate signed by an external CA is used. Click Select to select a certificate or to create a TLS Credentials element.
  • No Client Authentication — The Log Server's certificate is not authenticated.
Option Definition
NAT tab
Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.