Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Device Configuration: BeyondTrust

Overview:

 

This document is intended to provide a reference for the syslog messages that are generated by the /login and /appliance interfaces of the B Series Appliance, as well as any clients that generate syslog messages such as the representative console. It is assumed that the reader is familiar with the syslog concept and functionality. This document lists the different events that are logged by the syslog service that resides on the B Series Appliance and describes what the events mean as well as what triggers them.

 

Configuration:

To enable syslog messages from the BeyondTrust Appliance B Series, go to /appliance > Security > Appliance Administration and scroll down to the Syslog section.

 

You can configure your B Series Appliance to send log messages to up to three syslog servers. Enter the hostname or IP address of the syslog host server receiving system messages from this B Series Appliance in the Remote Syslog Server field. Select the message format for the event notification messages. Choose from the standards specification RFC 5424, one of the legacy BSD formats, or Syslog over TLS. Syslog over TLS defaults to using TCP port 6514. All other formats default to using UDP 514. However, the defaults can be changed. BeyondTrust Appliance B Series logs are sent using the local0 facility.

Note: When changing or adding a syslog server, an alert is emailed to the administrator's email address. The administrator's information is configured at Security > Email Configuration > Security :: Admin Contact.

Verification:

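1) From GUI: Log in to the GUI and go to the logs flow collection status to verify the device.

2) From CCE: We can also verify from the CCE.

Log in to the CCE as the seceon user and run the command below to confirm that logs are arriving on the server:

sudo tcpdump -i any port 514 and host <device_ip>

Port 514 is the default for the non-TLS formats. If Syslog over TLS (TCP 6514 by default) or a changed port is configured on the appliance, use that port in the filter instead.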
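Beyond confirming that packets arrive, it is worth checking that the received messages carry the local0 facility and the message format selected on the appliance. The following is an added example, not part of the original article or of BeyondTrust or Seceon code. It assumes the received messages are available as text strings, and the sample messages, hostnames and payloads are constructed placeholders.

```python
import re
from collections import Counter

LOCAL0 = 16  # facility code for local0; PRI = facility * 8 + severity

# An optional octet-count prefix ("LEN ") may precede the message on TCP/TLS transports.
_PRI = re.compile(r"^(?:\d+ )?<(\d{1,3})>(.*)$", re.S)
_RFC5424 = re.compile(r"^1 (?:\d{4}-\d{2}-\d{2}T\S+|-) ")
_BSD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")


def classify(message):
    """Return (format, facility, severity), or None when no valid PRI is present."""
    m = _PRI.match(message)
    if not m or int(m.group(1)) > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    pri, rest = int(m.group(1)), m.group(2)
    if _RFC5424.match(rest):
        fmt = "rfc5424"
    elif _BSD.match(rest):
        fmt = "bsd"
    else:
        fmt = "unknown"
    return fmt, pri >> 3, pri & 7


def summarize(messages, expected_facility=LOCAL0):
    """Count formats among expected-facility messages; collect everything else."""
    formats, rejected = Counter(), []
    for msg in messages:
        result = classify(msg)
        if result is None or result[1] != expected_facility:
            rejected.append(msg)
        else:
            formats[result[0]] += 1
    return dict(formats), rejected


# Constructed sample messages (hostnames and payloads are placeholders).
SAMPLE = [
    "<134>1 2024-01-01T12:00:00Z appliance.example.com app 1234 - - constructed payload",
    "<134>Jan  1 12:00:00 appliance.example.com app[1234]: constructed payload",
    "<38>Jan  1 12:00:01 other.example.com sshd[99]: constructed payload",  # facility 4 (auth)
    "no priority header, constructed",
    "<999>1 2024-01-01T12:00:00Z host app - - - constructed",  # PRI out of range
]

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE)
    print(counts)
    for msg in rejected:
        print("not local0 or unparsable:", msg)
```

Messages that land in the rejected list either come from a different source sharing the port or indicate a format mismatch between the appliance setting and what the collector expects.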

 

 

Ref link: https://www.beyondtrust.com/docs/remote-support/how-to/integrations/syslog/index.htm

Seceon Inc. All rights reserved. https://www.seceon.com