TMWS allows administrators to configure a syslog server and install a syslog forwarding tool to forward access logs and audit logs on the TMWS cloud to your organization's syslog server.
To get audit logs from TMWS, make sure that you have installed the syslog forwarding tool version 184.108.40.20600 or later.
When receiving events, TMWS stores the events in its database and forwards syslog messages to an external syslog server in a structured format, which allows third-party application integration.
The following diagram illustrates the syslog forwarding topology for your organization.
Server address: IP address or FQDN of the syslog server.
Port: Port number of the syslog server.
Protocol: Protocol to be used to transport logs to the syslog server.
In this version, only UDP is supported.
Format: Format in which event logs are sent to the syslog server.
In this version, only CEF is supported.
CEF keys: CEF keys that you want to add in syslog messages.
For details about the Common Event Format (CEF) format and CEF keys, see Content Mapping Between TMWS Log Output and CEF Syslog Formats. The header keys are not configurable and by default they are added in every syslog message. The other key names are case sensitive and should exactly match the name in the CEF KEY or Variable.
If there is one or several on-premises gateways configured for your organization, whether enabled with syslog forwarding or not, this step will apply the settings here to all these gateways and override their existing settings. To change the configurations of a specific on-premises gateway, go to Gateways, click the gateway, and configure it on the Syslog Forwarding screen.
A default registration token is provided. If you generate a new token, make sure to update it in the syslog forwarding tool.