KB Article | Forcepoint Support

Problem Description

To configure the Log Server in detail, you can edit LogServerConfiguration.txt. Normally, it is not necessary to configure the Log Server outside of the Management Client. However, under special circumstances, you might want more control over the way the Log Server behaves.

Resolution

Steps to edit Log Server configuration parameters:
  1. Stop the Log Server:
    • If you run the Log Server as a service in Windows, you can stop it in the Windows Control Panel’s Services list.
    • In Linux, run the script <installation directory>/bin/sgStopLogSrv.sh.
  2. On the Log Server host, browse to <installation directory>/data/, then open LogServerConfiguration.txt in a text editor.
  3. Change the parameter values, then save the file.
  4. Restart the Log Server.
The table below lists the editable parameters. Not all parameters are included in the default configuration file; some have to be added manually.

Parameter name | Description
AUDIT_ARCHIVE_DIR | Directory used for archiving audit logs. By default, <installation directory>/data/audit/archive.
AUDIT_DISK_LIMIT | The threshold for minimum available disk space for audit logs. If the free disk space goes below this limit, the Log Server stops storing audit logs.
AUDIT_LOG_DIR | Directory used for audit logs. By default, <installation directory>/data/audit/log.
DISK_THRESHOLD_IN_KBYTES | The threshold for minimum available disk space (in kilobytes). If the free disk space goes below this limit, the Log Server stops storing log records (100000 by default).
LOG_BACKUP_DIR | Directory used for Log Server backup files. By default, <installation directory>/backups. The backup files must be moved to separate media after a backup has been created.
LOG_EXPORT_DIR | Directory used for storing the files exported by Log Data tasks. By default, <installation directory>/data/export.
LOG_FW_PORT | Log Server port that listens for connections from the NGFW Engines (3020 by default). Changing this value requires reinstalling the Log Server software.
LOG_LOGFILE_DIR | Directory used for storing logfile.txt, which logs the task scheduler operations. By default, <installation directory>/data.
LOG_QUERY_TIMEOUT | Timeout (in milliseconds) for queries in the Logs view (30000 by default).
LOG_SCRIPT_DIR | Directory for the scripts used in Log Data tasks. By default, <installation directory>/data/script.
LOG_SERVER_ADD | IP address of the Log Server. Changing this value requires reinstalling the Log Server software.
MGT_SERVER_ADD | IP address of the Management Server. Do not change this parameter value directly in the file. Instead, use the sgChangeMgtIPOnLogSrv.bat (or .sh) script to change it.
NETFLOW_RECEPTION_PORT | The UDP port for receiving NetFlow data. If this parameter has not been defined, the default port (2055 for both Windows and Linux) is used. Note: In Linux, the value of this parameter must always be higher than 1024.
PHY_LOC | Log Server database location. By default, <installation directory>/data/db/logserver.
PHY_PORT | Log Server database port that the Log Server connects to (1314 by default).
SNMP_COMMUNITY | SNMP community string used for sending SNMP messages from the Log Server (public by default).
SNMP_ENTERPRISE_OID | SNMP Enterprise Object Identifier (OID) used for SNMP messages sent from the Log Server (.1.3.6.1.4.1.1369 by default).
SNMP_TRAP_RECEPTION_PORT | Defines the port used for receiving SNMP traps. The default port is UDP 162 in Windows and UDP 5162 in Linux. Note: Only the reception of SNMPv1 traps is supported.
SYSLOG_CONF_FILE | Configuration file for syslog data. By default, the file is stored in <installation directory>/data/fields/syslog_templates.
SYSLOG_MESSAGE_PRIORITY | The priority (0–191) of the syslog message, included at the beginning of each UDP packet (6 by default). See RFC 3164.
SYSLOG_RECEPTION_PORT | The UDP port for receiving syslog. If this parameter has not been defined, the default port (514 for Windows or 5514 for Linux) is used. Note: In Linux, the value of this parameter must always be higher than 1024.
SYSLOG_RECEPTION_TCP_PORT | The TCP port for receiving syslog. If this parameter has not been defined, the UDP default port (514 for Windows and 5514 for Linux) is used. Note: In Linux, the value of this parameter must always be higher than 1024.
SYSLOG_USE_DELIMITER | Defines whether to use double quotes (") in syslog messages to delimit the field values. The default setting ALWAYS_EXCEPT_NULL uses double quotes only for nonempty fields. NEVER does not use delimiters. ALWAYS uses double quotes as delimiters for all empty and nonempty field values.
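Because several of the constraints above are easy to get wrong by hand (Linux reception ports above 1024, the 0–191 priority range, the three delimiter modes, parameters whose change forces a reinstall, and MGT_SERVER_ADD being off-limits to direct editing), the following helper reads, edits and sanity-checks the file before the Log Server is restarted. It is an added example, not Forcepoint tooling, and it assumes LogServerConfiguration.txt is a plain KEY=VALUE list, one parameter per line with '#' comments; that file format and the sample configuration embedded below are assumptions, not something the article states.

```python
"""Inspect and edit LogServerConfiguration.txt parameters (added example).

Assumed file format: one KEY=VALUE per line, '#' starts a comment.
The constraints checked are the ones listed in the parameter table.
"""
import re

# Reception ports the article says must be higher than 1024 on Linux.
LINUX_HIGH_PORT_PARAMS = (
    "NETFLOW_RECEPTION_PORT",
    "SYSLOG_RECEPTION_PORT",
    "SYSLOG_RECEPTION_TCP_PORT",
)
# Parameters whose change requires reinstalling the Log Server software.
REINSTALL_PARAMS = ("LOG_FW_PORT", "LOG_SERVER_ADD")
# Allowed values of SYSLOG_USE_DELIMITER.
DELIMITER_MODES = ("ALWAYS_EXCEPT_NULL", "NEVER", "ALWAYS")
# Parameters documented with numeric values (ports, kilobytes, milliseconds).
INTEGER_PARAMS = LINUX_HIGH_PORT_PARAMS + (
    "DISK_THRESHOLD_IN_KBYTES", "LOG_QUERY_TIMEOUT", "LOG_FW_PORT",
    "PHY_PORT", "SNMP_TRAP_RECEPTION_PORT", "SYSLOG_MESSAGE_PRIORITY",
)
_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample file; the addresses are documentation-range values.
SAMPLE_CONFIG = """# constructed sample, not a real Log Server file
LOG_SERVER_ADD=192.0.2.10
MGT_SERVER_ADD=192.0.2.5
LOG_FW_PORT=3020
DISK_THRESHOLD_IN_KBYTES=100000
SYSLOG_RECEPTION_PORT=514
SNMP_COMMUNITY=public
"""


def parse_config(text):
    """Return {NAME: value} for every KEY=VALUE line; blanks and comments are ignored."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def set_parameter(text, name, value):
    """Return new file text with NAME=VALUE, replacing the line or appending it if absent.

    MGT_SERVER_ADD is refused: the article says to change it with
    sgChangeMgtIPOnLogSrv.bat/.sh rather than by editing the file.
    """
    if name == "MGT_SERVER_ADD":
        raise ValueError("change MGT_SERVER_ADD with sgChangeMgtIPOnLogSrv, not by editing the file")
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        match = _LINE.match(line)
        if match and match.group(1) == name:
            lines[i] = f"{name}={value}"
            replaced = True
    if not replaced:
        lines.append(f"{name}={value}")  # parameter missing from the default file
    return "\n".join(lines) + "\n"


def requires_reinstall(old_params, new_params):
    """Names whose change the article says requires reinstalling the Log Server."""
    return [n for n in REINSTALL_PARAMS if old_params.get(n) != new_params.get(n)]


def validate(params, platform="linux"):
    """Check values against the article's constraints and return a list of findings."""
    findings = []

    def as_int(name):
        try:
            return int(params[name])
        except (KeyError, ValueError):
            return None

    for name in INTEGER_PARAMS:
        if name in params and as_int(name) is None:
            findings.append(f"{name}: value {params[name]!r} is not an integer")
    if platform == "linux":
        for name in LINUX_HIGH_PORT_PARAMS:
            port = as_int(name)
            if port is not None and port <= 1024:
                findings.append(f"{name}: {port} must be higher than 1024 on Linux")
    prio = as_int("SYSLOG_MESSAGE_PRIORITY")
    if "SYSLOG_MESSAGE_PRIORITY" in params and (prio is None or not 0 <= prio <= 191):
        findings.append("SYSLOG_MESSAGE_PRIORITY: must be in the range 0-191")
    mode = params.get("SYSLOG_USE_DELIMITER")
    if mode is not None and mode not in DELIMITER_MODES:
        findings.append(f"SYSLOG_USE_DELIMITER: {mode!r} is not one of {DELIMITER_MODES}")
    # 'public' is the documented default; flag it so the community string is deliberately chosen.
    if params.get("SNMP_COMMUNITY", "public") == "public":
        findings.append("SNMP_COMMUNITY: default community string 'public' in use")
    return findings


if __name__ == "__main__":
    current = parse_config(SAMPLE_CONFIG)
    for finding in validate(current, "linux"):
        print("finding:", finding)
    updated = set_parameter(SAMPLE_CONFIG, "SYSLOG_RECEPTION_PORT", "5514")
    print("after edit:", validate(parse_config(updated), "linux"))
```

Run the checks on the edited text before step 4 (restarting the Log Server), and treat a non-empty result of requires_reinstall as a signal that the change is not a simple edit-and-restart.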



Keywords: security management center; smc log server; logserverconfiguration.txt; log server configuration; editable parameters
