Device Configuration: BeyondTrust

Modified on Wed, 22 Apr at 9:53 AM

Overview

The BeyondTrust B Series Appliance (formerly Bomgar) can generate syslog messages from its /login and /appliance interfaces, as well as from connected clients (e.g., Representative Console).


Integrating BeyondTrust with ADR enables centralized visibility of authentication events, administrative actions, and appliance activity. These logs can be forwarded from the BeyondTrust appliance to the CCE (Collection and Control Engine) for ingestion, normalization, and security analysis.


BeyondTrust syslog messages cover a wide range of events, including:

  • Authentication attempts (successful/failed logins).

  • Administrative and system changes.

  • Session and connection events.

  • Appliance health and security notifications.


Prerequisites

Before configuring integration, ensure:

  • Administrative access to the BeyondTrust B Series Appliance web interface (/appliance).

  • Network connectivity from BeyondTrust → ADR CCE (UDP 514 by default, or TCP 6514 for TLS).

  • Proper firewall rules allowing syslog traffic.

  • Administrator email configured at:
    Security → Email Configuration → Security → Admin Contact (used for syslog alerts).


Configuration Steps

  1. Log in to the BeyondTrust B Series Appliance administrative interface (/appliance).

  2. Navigate to:
    Security → Appliance Administration → Syslog

  3. Configure syslog forwarding:

    • Remote Syslog Server: Enter the CCE IP/hostname.

    • Number of Servers: You may configure up to three remote syslog servers.

    • Message Format: Select one of the following:

      • RFC 5424 (recommended; structured header that collectors parse reliably).

      • Legacy BSD format (RFC 3164 style; use only if the collector cannot parse RFC 5424).

      • Syslog over TLS (encrypted transport; defaults to TCP 6514).

    • Protocol & Ports:

      • Default UDP 514 for standard syslog.

      • Default TCP 6514 for Syslog over TLS (can be changed).

    • Facility: BeyondTrust logs use the local0 facility.

  4. Save and apply changes.

⚠️ Note: When you add or change a syslog server configuration, an alert is automatically emailed to the administrator.


Verification (MSSP Only)

1. From the ADR dashboard

  1. Log in to the ADR console.

  2. Navigate: System → Logs and Flows Collection Status.


  3. Confirm that the BeyondTrust appliance IP appears as a log source.

2. From CCE (CLI)

  1. SSH into the CCE server.

  2. Run the following command to check whether syslog traffic from the appliance is arriving (the filter covers the default ports for plain syslog and Syslog over TLS; adjust it if you changed them):

    sudo tcpdump -i any -s0 -vvv 'host <BeyondTrust_IP> and (udp port 514 or tcp port 6514)'
    

    Replace <BeyondTrust_IP> with the actual BeyondTrust appliance IP.

  3. Verify that syslog events are captured. With Syslog over TLS the payload is encrypted, so tcpdump shows the TCP session but not readable message text; use the ADR dashboard check above to confirm ingestion in that case.
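Once packets are visible, the next thing a practitioner wants to confirm is that the messages are in the format selected under Message Format and carry the expected facility, since a collector normalization rule keyed to RFC 5424 will silently drop BSD-formatted lines and vice versa. The following is an added example written for this article, not code from the original page or from BeyondTrust or the ADR product. It parses both header formats, decodes the PRI field into facility and severity, and flags anything that is unparseable or not local0. The sample lines are constructed for the example; their message bodies are illustrative and do not reproduce the real BeyondTrust message text.

```python
"""Check received syslog lines for format (RFC 5424 vs legacy BSD) and facility.

Added example for the BeyondTrust -> ADR CCE integration article. The sample
messages in SAMPLES are constructed for this example, not captured appliance
output; only the header layout is representative, the bodies are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

LOCAL0 = 16  # facility code for local0 (RFC 5424 section 6.2.1)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# Legacy BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    fmt: str          # "rfc5424" or "bsd"
    facility: int     # PRI // 8
    severity: int     # PRI % 8
    timestamp: str
    host: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent for an RFC 5424 or BSD line, or None if neither matches."""
    fmt = "rfc5424"
    m = RFC5424_RE.match(line)
    if m is None:
        fmt = "bsd"
        m = BSD_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity; the largest legal value is 23*8+7
        return None
    return SyslogEvent(fmt, pri >> 3, pri & 7, m.group("ts"), m.group("host"), m.group("msg"))


def summarize(lines: Iterable[str], expected_facility: int = LOCAL0) -> Dict[str, object]:
    """Count lines per format and flag unparseable lines and unexpected facilities.

    A non-zero 'unparsed' count usually means the collector's parser and the
    appliance's Message Format setting disagree; 'unexpected_facility' catches
    traffic from some other host or daemon sharing the syslog port.
    """
    report: Dict[str, object] = {
        "rfc5424": 0, "bsd": 0, "unparsed": 0, "unexpected_facility": 0, "hosts": set(),
    }
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            report["unparsed"] += 1
            continue
        report[ev.fmt] += 1
        report["hosts"].add(ev.host)
        if ev.facility != expected_facility:
            report["unexpected_facility"] += 1
    return report


# Constructed sample input (not real appliance output). PRI values: local0=16,
# so notice=133, warning=132, info=134; daemon(3)/info(6) = 30 for the stray line.
SAMPLES = [
    "<133>1 2024-04-22T09:53:00Z bt-appliance01 login - - - "
    "[constructed example] admin user login from 10.0.0.5 succeeded",
    "<132>1 2024-04-22T09:54:10Z bt-appliance01 login - - - "
    "[constructed example] failed login attempt for user jdoe",
    "<134>Apr 22 09:55:01 bt-appliance01 appliance: "
    "[constructed example] syslog server configuration changed",
    "<30>Apr 22 09:56:00 other-host sshd[123]: [constructed example] not from the appliance",
    "this is not syslog",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ev = parse_syslog(sample)
        print("UNPARSED:", sample[:40]) if ev is None else print(
            f"{ev.fmt:8} fac={ev.facility:<2} sev={ev.severity_name:8} {ev.host} {ev.message}")
    print(summarize(SAMPLES))
```

To use it on the CCE, feed it lines captured from the syslog port (for example a text dump of the tcpdump payloads, or the raw lines from whatever file the collector writes before normalization) and look for a non-zero unparsed or unexpected_facility count. The facility check uses local0 because that is the facility the article states the appliance emits; change expected_facility if your deployment differs.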
