Device Integration: CrushFTP

TABLE OF CONTENTS

• Overview
• Pre-requisites
• Configuration Steps in CrushFTP
• Verification Steps

Overview

This document provides step-by-step guidance to integrate CrushFTP with ADR SIEM using the Syslog forwarding method.
The integration allows centralized log ingestion into ADR’s Collection and Control Engine (CCE) and correlation in the Analytics and Policy Engine (APE), enabling comprehensive visibility, monitoring, and proactive threat detection.

Pre-requisites

• Administrative access to the CrushFTP management console.

• ADR CCE server IP address.

• Network connectivity between CrushFTP and CCE (ensure UDP/514 is allowed).

• Syslog feature enabled on CrushFTP.

Configuration Steps in CrushFTP

1. Login to CrushFTP Admin Console
   Open your CrushFTP management portal with administrator credentials.

2. Navigate to Syslog Settings

   • Go to: Server Preferences → Logging → Syslog.

   • Enable Syslog logging.

3. Configure Syslog Forwarding Parameters

   • Syslog Server IP / Host: Enter your ADR CCE IP address.

   • Protocol: Select UDP.

   • Port: Enter 514 (default syslog port).

   • Facility: Choose local0 (or as per your logging policy).

   • Severity: Recommended: Info or higher (to capture authentication and file transfer logs).

4. Save and Apply Configuration

   • Click Save to activate the syslog forwarding configuration.

   • Restart CrushFTP services if prompted.

Verification Steps

On ADR UI

1. Log in to ADR UI with administrative credentials.

2. Navigate to: System → Logs and Flows Collection Status.

3. Under Source Device IP, confirm that the CrushFTP server’s IP is listed.

4. Check that log events are being ingested in real-time.

On ADR CCE Server

1. SSH into the CCE server.

2. Run the following command to check if logs are received:

   sudo tcpdump -i any port 514 and host  -s0 -AAA

   Replace <CrushFTP_IP> with the actual CrushFTP server IP.

3. You should see syslog packets arriving from the CrushFTP host.