How can I configure FTK Central to send system event logs to an external Syslog server?


An external Syslog server allows you to collect system logs in a single location. Servers and network devices have limited amount of memory and will recycle their internal event logs after time. Furthermore, in case of a disaster, the logs collected on a failed server might become totally inaccessible. An external Syslog server or a SIEM (Security Information and Event Management) solution will keep the system logs until you purge them and are designed to track, correlate, and analyse a vast amount of log data collected through Syslog protocol.

This article explains how to configure FTK Central to send system event logs to an external Syslog server.

Step 1: On the FTK Central server, navigate to the "%ProgramFiles%\AccessData\Forensic Tools\7.5\bin\" folder.

Step 2: Open the file "ADG.WeblabSelfHost.exe.Config" using a text editor such as Notepad++.

CAUTION: Make sure to take a backup from the file "ADG.WeblabSelfHost.exe.Config" before making any changes.

Step 3: Modify the configuration by adding a new appender to the section "log4net" as shown below:

NOTE: Only lines 12 to 18 and 22 should be added to the configuration file.

  <appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
    <param name="File" value="c:\users\public\Documents\user\AccessDataLogs\adgselfhost.txt" />
    <param name="AppendToFile" value="true" />
    <param name="MaximumFileSize" value="50MB" />
    <param name="RollingStyle" value="Size" />
    <param name="MaxSizeRollBackups" value="20" />
    <layout type="log4net.Layout.PatternLayout">
      <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
  <appender name="UdpAppender" type="log4net.Appender.UdpAppender">
    <remoteAddress value="" />
    <param name="RemotePort" value="514" />
    <layout type="log4net.Layout.PatternLayout, log4net">
      <param name="ConversionPattern" value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
    <level value="INFO" />
    <appender-ref ref="RollingLogFileAppender" />
    <appender-ref ref="UdpAppender" />

The table below briefly describes the configuration items. You can modify the settings according to your environment and needs.

Line numberItemDescription
13192.168.1.100IP address of the Syslog server
14514Syslog port (UDP)
20INFOLogging level (available options: ALL, DEBUG, INFO, ERROR, FATAL, OFF)

Step 4: Save the changes.

Step 5: Restart the "AccessData Exterro Self Host Service" service.