Follow the steps below to send logs from Microsoft Forefront TMG 2010 to Logsign.
1- Open the Forefront TMG 2010 management console.
2- Open the Logs & Reports node. The Configure Logging section in the task pane on the right holds the settings for the Firewall log and the Web Proxy log.
3- First, open the Configure Firewall Logging settings.
4- Choose File as the storage location for the Forefront TMG 2010 log files and Forefront TMG file format as the log format.
5- Then press Select All in the Fields tab so that every field is written to the log. Epilog forwards whole lines from the file, so a field that is not selected here never reaches Logsign.
6- Repeat the same settings in Configure Web Proxy Logging so that the Web Proxy log is written the same way.
7- If the log directory is left unchanged, the Firewall and Web Proxy logs are written by default to the Logs folder under the Microsoft Forefront Threat Management Gateway installation directory.
Note: the Snare Epilog for Windows agent must be installed on the TMG server, since it is what reads these files and forwards them.
8- Open Epilog for Windows and select Network Configuration from the menu on the left. Fill in the fields on the right as follows:
- Destination Snare Server Address: the IP address of the Logsign server. Also confirm that the destination port matches the port on which the Logsign Syslog listener receives data.
Press Change Configuration to save the changes.
9- Once the network settings are saved, select the files and directories to send. Open Log Configuration from the menu on the left and press Add on the right; a new window opens.
10- Select Custom Event Log in that window, enter the folder and file information for the log, and press Change Configuration to finish.
11- Do this once for the Firewall log and once for the Web Proxy log.
After this, add the source in Logsign so that the logs from the Forefront TMG device can be viewed.
Open the Logsign Unified SecOps Platform web interface, click the Settings tab in the menu bar at the top of the page, open the Data Collection tab and click the "+ Device" button. On the Source Type Selection page choose Syslog as the method. Then select Microsoft as the Vendor, TMG as the Product, and fill in the remaining information.
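The script below is an added example; it is not part of the original page, of Snare Epilog, or of Logsign. It does by hand what Epilog is configured to do in steps 8 to 11: it follows the newest Firewall and Web Proxy log file, picks up the lines TMG appends, and sends each one as an RFC 3164 syslog datagram to the Logsign IP, which is the same format the Syslog source in Logsign receives. It is useful for checking that the Syslog source shows events before relying on the agent, and it handles the two failure modes a file tail must get right: a line that TMG has only half written, and a file that is truncated or replaced. The log directory path, the file-name fragments FWS and WEB, port 514/UDP, facility local0 and the sample log lines are assumptions, not from the page; the sample lines are constructed and are not in TMG's real field order.

```python
"""Follow Forefront TMG log files and forward new lines to a syslog collector over UDP.

Added example, not part of the original page, of Snare Epilog or of Logsign.
Assumed (not from the page): log directory, file-name patterns, facility/port, sample lines.
"""
from __future__ import annotations

import glob
import os
import socket
import tempfile
import time
from datetime import datetime

LOG_DIR = r"C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs"  # assumed default
PATTERNS = {"Firewall": "*FWS*", "WebProxy": "*WEB*"}  # assumed name fragments of the TMG log files
FACILITY_LOCAL0, SEVERITY_INFO = 16, 6  # RFC 3164 PRI = facility * 8 + severity = 134
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9)  # fixed timestamp so the output is reproducible
# Constructed sample lines: tab-separated like a TMG file, but NOT TMG's real field order.
SAMPLE_LINES = [b"192.0.2.10\tclient1\tAllowed\r\n", b"198.51.100.7\tclient2\tDenied\r\n"]


def syslog_message(line: str, tag: str, host: str, now: datetime | None = None) -> bytes:
    """Wrap one log line as an RFC 3164 message: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    now = now or datetime.now()
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_INFO
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 pads a one-digit day with a space
    msg = line.rstrip("\r\n").replace("\n", " ")  # one log line per datagram
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("utf-8")


def newest_file(directory: str, pattern: str) -> str | None:
    """The most recently modified file matching the pattern, or None if there is none."""
    matches = glob.glob(os.path.join(directory, pattern))
    return max(matches, key=os.path.getmtime) if matches else None


def read_new_lines(path: str, offset: int) -> tuple[list[str], int]:
    """Return the complete lines written after `offset` and the offset to resume from.

    A half-written last line (no newline yet) is left for the next call, and a file that
    shrank below `offset` (truncated or replaced) is re-read from the beginning.
    """
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    parts = data.split(b"\n")
    partial = parts.pop()  # b"" when data ended with a newline, else the unfinished line
    lines = [p.rstrip(b"\r").decode("utf-8", "replace") for p in parts]
    return lines, offset + len(data) - len(partial)


def forward(lines: list[str], sock: socket.socket, dest: tuple[str, int], tag: str, host: str) -> int:
    """Send each non-empty line as one syslog datagram; return the number sent."""
    sent = 0
    for line in lines:
        if line.strip():
            sock.sendto(syslog_message(line, tag, host), dest)
            sent += 1
    return sent


def demo() -> dict:
    """Exercise the tail logic on a constructed file: half-written line, append, truncation."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ISALOG_FWS_000.log")  # assumed file name
        with open(path, "wb") as fh:
            fh.write(SAMPLE_LINES[0] + b"203.0.113.9\tcli")  # second line still being written
        first, off = read_new_lines(path, 0)
        with open(path, "ab") as fh:
            fh.write(b"ent3\tAllowed\r\n" + SAMPLE_LINES[1])  # line completed, one more added
        second, off = read_new_lines(path, off)
        with open(path, "wb") as fh:  # file replaced: now shorter than the saved offset
            fh.write(SAMPLE_LINES[1])
        third, off = read_new_lines(path, off)
        return {"first": first, "second": second, "third": third, "offset": off}


def main(dest_ip: str, dest_port: int = 514, interval: float = 2.0) -> None:
    """Follow the newest Firewall and Web Proxy file and forward what TMG appends (Ctrl-C stops)."""
    host = socket.gethostname()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    state: dict[str, tuple[str, int]] = {}  # tag -> (file being followed, offset)
    while True:
        for tag, pattern in PATTERNS.items():
            path = newest_file(LOG_DIR, pattern)
            if path is None:
                continue
            current, offset = state.get(tag, (path, os.path.getsize(path)))  # start at end, like tail -f
            if current != path:  # TMG rolled over to a new file: read it from its start
                offset = 0
            lines, offset = read_new_lines(path, offset)
            state[tag] = (path, offset)
            forward(lines, sock, (dest_ip, dest_port), f"TMG-{tag}", host)
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    main(sys.argv[1])  # usage: python tmg_forward.py <Logsign IP>
```

Run it on the TMG server with the Logsign IP as the only argument while traffic passes through the firewall; the events should then appear under the Microsoft / TMG source created above. The messages go in clear text over UDP, exactly as a plain syslog forwarder sends them, so treat this as a test aid on a management network rather than a replacement for the agent.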