Targets define the syslog destinations where EventLogAgent clients forward collected Windows Event Log data. Each target represents a SIEM, log aggregation system, or LT Auditor MP collector. Targets are configured centrally in EventLogCentral and assigned to client groups, meaning all clients in a group forward their events to the same destination.
Accessing the Targets page:
In the left navigation menu, click Targets.
The Targets page displays all configured syslog destinations with their name, server address, port, and protocol.
Adding a new target:
- Click Add Target
- Fill in the target details:
  - Name - a descriptive name for the target (e.g., Production LT Auditor MP, Splunk Cluster)
  - Syslog Server - the hostname or IP address of the destination server
  - Port - the syslog port on the destination server (default: 514)
  - Protocol - select the transport protocol:
| Protocol | Description | Recommended Use |
| UDP | Fast, no delivery acknowledgment - standard syslog default | Lower security requirement environments |
| TCP | Reliable, with delivery acknowledgment | Production environments - recommended |
| TLS | Encrypted TCP - secure transport | Production environments with strict security requirements |
- Click Save Target
TLS configuration:
For TLS targets, additional configuration is required. TLS settings are managed via SenderConfig.json files or through the web interface if configured.
Required TLS configuration on the EventLogCentral server:
| Setting | Description |
| CA Certificate | Certificate Authority certificate used to verify agent certificates |
| Require Mutual TLS | Option to require agents to present a client certificate |
| Client Certificate and Key | Required if mutual TLS is enabled |
| Server Name | Hostname used for certificate validation |
[Your administrator should coordinate with your PKI or security team to obtain the appropriate certificates before configuring TLS targets.]
Common target configurations:
LT Auditor MP (recommended):
| Setting | Value |
| Name | Production LT Auditor MP |
| Server | LT Auditor MP server hostname or IP |
| Port | LT Auditor MP configured syslog port |
| Protocol | TCP or TLS |
Splunk:
| Setting | Value |
| Name | Splunk Production |
| Server | splunk.company.com |
| Port | 514 (UDP) or 6514 (TLS) |
| Protocol | TLS |
QRadar:
| Setting | Value |
| Name | QRadar SIEM |
| Server | qradar.company.com |
| Port | 514 |
| Protocol | TCP |
Testing a target:
Before assigning a target to a group, test connectivity to confirm the destination is reachable:
- Click the ⋮ menu next to the target
- Select Test Connection
- Review the test results
If the test fails:
- Confirm the server address and port are correct
- Confirm no firewall is blocking outbound traffic from the EventLogCentral server to the target on the configured port
- Confirm the target syslog server is running and accepting connections
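The three checks above can also be run by hand from the EventLogCentral server. The script below is an added example, not part of EventLogCentral and not how its Test Connection feature is implemented; `check_target` and its parameters are hypothetical names that mirror the target and TLS settings described on this page, and it does not read SenderConfig.json.

```python
import socket
import ssl

def check_target(host, port, protocol="TCP", ca_file=None, server_name=None,
                 client_cert=None, client_key=None, timeout=5.0):
    """Probe one syslog target; return (ok, detail). ok is None when unknown."""
    protocol = protocol.upper()
    if protocol == "UDP":
        # UDP syslog has no delivery acknowledgment, so a probe proves nothing.
        return None, "UDP: reachability cannot be confirmed from the sender"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return False, f"name resolution failed, check the server address: {exc}"
    except ConnectionRefusedError:
        return False, "connection refused, is the syslog listener running?"
    except (socket.timeout, TimeoutError):
        return False, "timed out, a firewall may be dropping the traffic"
    except OSError as exc:
        return False, f"network error: {exc}"
    with sock:
        if protocol == "TCP":
            return True, "TCP connection accepted"
        # TLS: verify the server chain against the CA file (system trust store
        # when ca_file is None) and match the certificate to the server name.
        ctx = ssl.create_default_context(cafile=ca_file)
        if client_cert:  # mutual TLS: present a client certificate and key
            ctx.load_cert_chain(client_cert, client_key)
        try:
            with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
                return True, f"TLS handshake OK ({tls.version()})"
        except ssl.SSLCertVerificationError as exc:
            return False, f"certificate validation failed: {exc.verify_message}"
        except (ssl.SSLError, OSError) as exc:
            return False, f"TLS handshake failed: {exc}"

if __name__ == "__main__":
    # Usage (assumed file name): python check_target.py <host> <port> <TCP|TLS|UDP>
    import sys
    host, port, proto = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(check_target(host, port, proto))
```

A certificate validation failure on a reachable port points at the CA Certificate or Server Name settings rather than at the network.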
Editing a target:
- Click the ⋮ menu next to the target
- Select Edit
- Modify the target settings as needed
- Click Update
Changes to a target take effect immediately for all groups assigned to that target.
Deleting a target:
Ensure no groups are currently using a target before deleting it. Deleting a target that is assigned to a group will stop event forwarding for all clients in that group.
- Click the ⋮ menu next to the target
- Select Delete
- Confirm the deletion
Best practices:
- Create a dedicated target for LT Auditor MP and name it clearly so it is easy to identify when assigning to groups
- Use TCP or TLS rather than UDP in production environments for reliable event delivery
- Test connectivity to every new target before assigning it to a group
- Review configured targets periodically to remove any that are no longer in use
- Use TLS for all targets in environments with strict data security requirements
- Document each target’s purpose, server address, port, and protocol so the configuration is auditable
[Your administrator should confirm the LT Auditor MP syslog listener port and protocol before creating the LT Auditor MP target, and ensure the EventLogCentral transformation rule in LT Auditor MP is configured to match.]