BluSapphire
Search…
Log Forwarding - How To
This page contains instructions on how to forward logs from various log sources to BluSapphire. There may be minor differences on the data collected on various sources. Beware.

Fortinet

Forward Fortinet firewall logs to the log collector using GUI
Follow the steps below to configure the FortiGate firewall:
  1. 1.
    Log in to the FortiGate web interface
  2. 2.
    Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate)
  3. 3.
    To export logs in the syslog format (or export logs to a different configured port):
  • Select the Log to Remote Host option or Syslog checkbox (depending on the version of FortiGate) Syslog format is preferred over WELF, in order to support vdom in Fortigate firewalls.
  • Enter the IP address and port of the “Log Collector”
  • In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list.
  • Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate)
  • Select the facility as local7
  1. 1.
    Click Apply
CAUTION: Do not select CSV format for exporting the logs.

Configuring RuleSets for Logging Traffic

Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall:
  1. 1.
    Select Firewall > Policy
  2. 2.
    Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule.
  3. 3.
    Select the Log Traffic checkbox
  4. 4.
    Click OK and then click Apply
Repeat the above steps for all rules for which you want to log traffic.
If “Log Collector” is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt.
(For the models like Fortigate 60, Fortigate 200, etc.) Please follow the steps to enable the device to send the logs to “Log Collector”.
  • Start CLI on the Fortigate firewall.
  • Execute the following commands to enable Syslog:

Enable syslog:

config log syslogd2 setting set status enable set server <IP> set csv disable set facility local7 set port 1514 set reliable disable end <cr>
Execute the following commands to enable Traffic:

Enable traffic:

config log syslogd filter<cr> set severity information<cr> set traffic enable<cr> set web enable<cr> set email enable<cr> set attack enable<cr> set im enable<cr> set virus enable<cr> end <cr>
Note: Type "show log syslogd filter" to list all available traffic.
Note: In Fortigate OS v5.0, there is an option to send syslog using TCP.
Note: If BluSapphire “Log Collector“ is not getting logs from Fortigate, please check Fortigate OS version. If it is v5.0 or above, ensure option 'reliable' is disabled in syslog config. Then it will use UDP.
Syslog setting can only be done through CLI mode. There is no option in UI.

FORTIMANAGER

The FortiManager family delivers the versatility you need to effectively manage your Fortinet- based security infrastructure.

TO FORWARD FORTIMANAGER 4.3.X LOGS

Log in to FortiManager 4.3.x using CLI:
config fmsystem locallog syslogd setting
set server <IP address> ##Address of Log Collector
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log
set status <enable | disable>
set facility <facility> ##Which facility for remote syslog.
set port <port> ##Port that server listens at
end

TO FORWARD FORTIMANAGER 5.0.X UP TO 5.0.6 LOGS

Log in to FortiManager 5.0.x up to 5.0.6 using CLI:
config system locallog syslogd setting
set server <IP address> ##Address of Log Collector
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log
set status <enable | disable>
set facility <facility> ##Which facility for remote syslog.
set port <port> ##Port that server listens at.
End

TO FORWARD FORTIMANAGER 5.0.7 AND ABOVE VERSION LOGS

Log in to FortiManager 5.0.7 using web interface:
1. Go to System Settings > Advanced > Syslog Server
Fortimanager Syslog GUI
The Syslog server can also be defined using CLI:
config system syslog
edit <server name>
set ip <Log Collector-IP>
end

Enable sending FortiManager local logs

This can only be configured using CLI:
config system locallog syslogd setting
set syslog-name <Remote syslog server name,defined at previous step>
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log
set status <enable | disable>
set facility <facility> ##Which facility for remote syslog.
set port <port> ##Port that server listens at (514)
end

Cisco ASA

Cisco ASA using Command Line Interface
  1. 1.
    Telnet to the ASA firewall and enter the enable mode
  2. 2.
    Type the following:
configure terminal logging enable logging timestamp logging trap informational logging device-id {context-name | hostname | ipaddress interface_name | string text} logging host interface_name syslog_ip [udp/<syslog_port>]
interface_name
is the interface on the ASA Firewall whose logs need to be analyzed (for example: "inside" or "outside").
syslog_ip
is the IP address of the Log Collector to which the Firewall should send the Syslogs.
udp/<syslog_port>
indicates that logs will be sent using the UDP protocol, to the configured syslog port on the syslog server. If left blank, logs will be sent to the default UDP port 514. Check Appendix A for default port list.
hostname
firewall's host name (defined with the hostname configuration command)
ipaddress interface_name
the IP address of a specific firewall interface named interface_name (for example: "inside" or "outside")
string text
an arbitrary text string (up to 16 characters)
context-name
in PIX 7.x or FWSM 2.x operating in multiple-context mode, the name of the firewall context can also be sent.

Cisco ASA with FirePOWER services

Creating a Syslog Alert Response
  1. 1.
     Choose ASA Firepower Configuration > Policies > Actions > Alerts.
  2. 2.
     From the Create Alert drop-down menu, choose Create Syslog Alert.
  3. 3.
     Enter a Name for the alert.
  4. 4.
     In the Host field, enter the hostname or IP address of “Log Collector”.
  5. 5.
     In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list.
  6. 6.
     From the Facility list, choose a facility LOCAL7.
  7. 7.
     From the Severity list, choose a severity INFO.
  8. 8.
     Click Save.
Graphical user interface, website Description automatically generated
Configuration for sending the Traffic Events
  1. 1.
    Navigate to ASA Firepower Configuration > Policies > Access Control Policy
  2. 2.
    Edit the access rule and navigate to logging option.
  3. 3.
    Select log at Beginning and End of Connection options.
  4. 4.
    Navigate to Send Connection Events to option , select Syslog, and then select a Syslog alert response.
  5. 5.
    Click Save.
Graphical user interface, text, application Description automatically generated

Cisco VPN 3000 Concentrator

Follow the below steps to configure the VPN Concentrator:
  1. 1.
    Configuring Syslog Server
  2. 2.
    Login to the Cisco VPN 3000 Concentrator Management console.
  3. 3.
    Go to Configuration > System> Events >Syslog Servers
  4. 4.
    Click the Add button
  5. 5.
    In the Syslog Server text box enter the IP Address of the machine Log Collector is running.
  6. 6.
    Enter the Port value. Check Appendix A for default port.
  7. 7.
    Facility is Local 7
  8. 8.
  9. 9.
    Configuring Syslog Events
  10. 10.
    Go to Configuration > System> Events >General
  11. 11.
    For Syslog Format you can either select Original or Cisco IOS Compatible format.
  12. 12.
    For Events to Syslog select Severities 1-5
  13. 13.
    All other configurations are default for this page.
  14. 14.
    Click Apply button
For more information, refer the Cisco VPN Concentrator documentation.

Cisco IOS Switch

Follow the below steps to configure the Cisco IOS Switch:
  1. 1.
    Login to the Cisco IOS console or Telnet to the device.
  2. 2.
    Change the configuration mode of the device.
Use the following command:
configure terminal
  1. 1.
    Enable logging by using the following commands:
logging on
logging trap informational
logging <IP Address of Log Collector>
  1. 1.
    If there is a Firewall module in the IOS device, use the following command to enable audit trail. This will generate traffic information.
ip inspect audit-trail
For more information, refer the Cisco IOS Switch documentation.

Cisco ASA using ASDM

  • Load the ASDM.
  • Select Configuration > Device Management > Logging > Logging Setup.
Graphical user interface, text, application, email Description automatically generated
  • Select Enable Logging.
  • Select Logging > Logging Filters.
  • Choose the syslog-servers as Informational.
  • Select Logging > Syslog servers.
  • Click Add.
Graphical user interface, application Description automatically generated
  • Enter the IP address of Log Collector and choose the appropriate interface. Also, ensure that you choose UDP and enter the port number 514 or 1514. Check Appendix A for default log ports.
  • Select Logging > Syslog Setup.
  • Select Include time stamp in syslogs option and scroll down to ensure the syslog IDs 302013, 302014, 302015 & 302016 are in enabled state and the logging level is set to Informational.

Disable Logging

You can disable specific syslog IDs based on your requirement. 
Note:
By selecting the check mark for the Include timestamp in syslogs option, you can add the date and time that they were generated as a field to the syslogs.
  •  Select the syslogs to disable and click Edit.
  • From the Edit Syslog ID Settings window, select the Disable messages option and click OK.
  • The disabled syslogs can be viewed in a separate tab by selecting Disabled syslog IDs from the Syslog ID Setup drop-down menu.

CISCO ROUTER

To configure Cisco Router to send syslog messages
Enter the command:
enable
To enter privileged EXEC mode.
Enter the command:
configure terminal
This will allow you to enter global configuration mode.
Enter the command:
logging host
Replace host with Log Collector IP Address.
Enter the command:
logging trap level
Specify the level as per requirement.
Where:
Emergency: 0
Alert: 1
Critical: 2
Error: 3
Warning: 4
Notice: 5
Informational: 6
Debug: 7
Enter the command:
logging facility local7
Default facility-type value is local7.
Enter the command:
end
To save changes and exit global configuration mode.
To display changes made enter command:
show logging
This displays logging configuration. Verify configuration.

CISCO SOURCEFIRE

To Forward Cisco Sourcefire Ids Intrusion Alerts
Log in to the SourceFire IDS using web interface.
Go to Policies > Intrusion > Intrusion Policy.
Locate the policy you want to apply and select Edit.
Click Advanced Settings.
In the list, locate Syslog Alerting and set it to Enabled.
In the Logging Hosts field, type the IP address of Log Collector.
Choose an appropriate Facility and Severity from the listbox.
Near the top-left of the page, click Policy Information.
Click Commit Changes.

CISCO IRONPORT

To configure IronPort device to send syslog events, please follow the following steps:
  • Log in to Cisco IronPort user interface.
  • Select System Administration \ Log Subscriptions.
  • Click Add Log Subscription.
  • Configure the following values:
  • Log Type - Define a log subscription for both Ironport Text Mail Logs and System Logs.
  • Log Name - Type a log name.
  • File Name - Use the default configuration value.
  • Maximum File Size - Use the default configuration value.
  • Log Level - Select Information (Default).
  • Retrieval Method - Select Syslog Push.
  • Hostname - Type the IP address of Log Collector.
  • Protocol - Select UDP.
  • Facility - Use the default configuration value. This value depends on the configured Log Type.
  • Save the subscription.

CISCO NEXUS SWITCH

To forward Cisco Nexus Switch logs, make the following configuration
Type the following command to switch to configuration mode:
config t
Type the following commands:
logging server <IP ADDRESS OF LOG COLLECTOR> <SEVERITY>
Type the following to configure the interface for sending syslog events:
logging source-interface loopback
Type the following command to save your current configuration as the start-up configuration:
copy running-config startup-config

CISCO VPN CONCENTRATOR

To configure Cisco VPN concentrator and send syslog messages
Log in to the VPN concentrator using web interface.
Go to Configuration > System > Events > Syslog Servers
Select Add
Enter the IP address of the “Local Collector” and choose facility level from the facility drop down menu.
Next, return to the Syslog Server page by clicking Add again.
Cisco VPN Syslog GUI

CONFIGURE EVENTS

Go to Configuration > Events > System > General.
Select the event options based on the severity to the syslog drop down menus and click Apply.
Cisco VPN configure event handling
To save changes click on the Save button.

NetScreen Firewall

Enable Syslog Messages and Disable WebTrends Messages using the NetScreen Administration Tools Console 
  1. 1.
    Log in to the NetScreen GUI.
  2. 2.
    Click Configuration> Report Settings> Syslog in the left pane of the NetScreen GUI.
  3. 3.
    Select the Enable Syslog Messages check box.
  4. 4.
    Select the Trust Interface as Source IP for VPN and Include Traffic Log check box.
  5. 5.
    Type the IP address of the “Log Collector” and syslog port (514) in the Syslog Host Name / Port text box.
  6. 6.
    All other fields will have default values.
  7. 7.
    Click Apply to save the changes.
  8. 8.
    Click Configuration> Report Settings> WebTrends in the left pane of the NetScreen GUI
  9. 9.
    Clear the Enable WebTrends Messages check box.
  10. 10.
    Click Apply to save the changes.
To configure Syslog, perform the following steps:
  1. 1.
    Open the WebUI.
  2. 2.
    From the ScreenOS console menu, click Configuration, select Report Settings, and then click Syslog.
A picture containing graphical user interface, application Description automatically generated
  1. 1.
    From the Syslog page, click to select Enable Syslog Messages.
Note:
From the 'Source interface' drop-down menu, select the interface from which syslog packets are sent.
Graphical user interface, text, application Description automatically generated
  1. 1.
    Enter the necessary information for each syslog server you are adding. Syslog messages can be sent to up to 4 designated syslog servers. 
  • Enable: Select this option to enable the syslog server.
  • IP/ Hostname: The IP address of the “Log Collector”..
  • Port: In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list.
  • Security Facility: The security facility, which classifies and sends security specific messages to the syslog host.
  • Facility: The regular facility, which classifies and sends all other messages for events unrelated to security.
  • Event Log: Select this option to send event log entries to the syslog host.
  • Traffic Log: Select this option to send traffic log entries to the syslog host.
For this example, 192.168.1.2 has been used as the Syslog Host Name. It is recommended to leave the Syslog port as the default value (514):
  1. 1.
    Click APPLY to save the syslog configuration. 
Table Description automatically generated
Caution:
Uncheck the TCP option. This will make the firewall to send syslogs in the configured UDP port.

Configure/Enable Syslog Messages for Netscreen Firewall device using CLI Console:

Execute the following commands to configure syslog via CLI: 
set syslog config 192.168.1.2 set syslog config 192.168.1.2 facilities local0 local0 set syslog config 192.168.1.2 log traffic set syslog src-interface <<interface name>> set syslog enable
NOTE: The difference between “security facility” and “facility” is that “security facility” is specific for logging of security related events. Facility logs all other events.

Palo Alto Firewalls

Configure Syslog Monitoring

To use Syslog to monitor a Palo Alto Networks device, create a Syslog server profile and assign it to the device log settings for each log type. 
A picture containing timeline Description automatically generated

Configure a Syslog server profile

You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
Graphical user interface, application Description automatically generated
  • Select Device > Server Profiles > Syslog
  • Click Add and enter a Name for the profile
  • If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  • For each syslog server, click Add and enter the information that the firewall requires to connect to it:
  • Name —Unique name for the server profile.
  • Server —IP address or fully qualified domain name (FQDN) of the syslog server.
  • Transport —Select TCP, UDP, or SSL as the method of communication with the syslog server.
  • Port —The port number on which to send syslog messages (default is UDP on port 1514); you must use the same port number on the firewall and the syslog server.
  • Format —Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
  • Facility —Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
  • (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  • Click OK to save the server profile.
Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs

Create a log forwarding profile 

Graphical user interface, table Description automatically generated
  • Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
  • For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
  • Assign the log forwarding profile to security rules.
A screenshot of a video game Description automatically generated

 Configure security policy rule action as log forwarding

  • Select Policies > Security
  • Click the policy in which you want to configure log forwarding
  • Select Actions
  • Select the profile to which the logs to be forwarded in Log Forwarding dropdown list.
  • Click OK 
Graphical user interface, website Description automatically generated
Graphical user interface Description automatically generated

 Configure syslog forwarding for System, Config, HIP Match, and Correlation logs

  • Select Device > Log Settings.
  • For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
  • For Config, HIP Match, and Correlation logs, click the Edit icon, select the Syslog server profile, and click OK.
Graphical user interface Description automatically generated
 Commit your changes and review the logs on the syslog server
  • Click Commit
To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.
Graphical user interface Description automatically generated

Juniper

Configuring to send Syslog Messages from SRX device

 Using J-Web

  1. 1.
    Log in to the Juniper SRX device.
  2. 2.
    Click Configure > CLI Tools > Point and Click CLI in the Juniper SRX device.
  3. 3.
    Expand System and click Syslog.
  4. 4.
    In the Syslog page, click Add New Entry placed next to 'Host'.
  5. 5.
    Enter the IP address of the “Log Collector”
  6. 6.
    Click Apply to save the configuration.

Using CLI

  1. 1.
    Log in to the Juniper SRX device CLI console.
  2. 2.
    Execute the following command:
[email protected]#  set system syslog host <IP address of the Log Collector> any any
Graphical user interface, text, application, email Description automatically generated
To enable logging for Security policy:

Using J-Web

  • Select Configure > Security > Policy > FW Policies.
  • Click on the policy for which you would like to enable logging.
  • Navigate to Logging/Count and in Log Options, select Log at Session Close Time.

Using CLI

  1. 1.
    Log in to the Juniper SRX device CLI console.
  2. 2.
    Execute the following command:
[email protected]# set security policies from-zone trust to-zone untrust policy permit-all then log session-close
Graphical user interface, text, application, email Description automatically generated
Juniper Networks IDP Device (version IDP 50)

 Configuring to send Syslog Messages directly from Sensor

  1. 1.
    Log in to the Juniper Networks IDP device.
  2. 2.
    Click Device > Report Settings > Enable Syslog in the Juniper Networks IDP device.
  3. 3.
    Select the Enable Syslog Messages check box.
  4. 4.
    Click Apply to save the changes.
This configuration will generate syslogs for:
  • All attacks
  • Policy load
  • Restart
This configuration will not provide:
  • Profiler logs
  • Device connect/disconnect logs
  • Interface UP/DOWN logs
  • Logs for Bypass State Changes 

Sonicwall

Configuring SonicWALL To Direct Log Streams 

  1. 1.
    Log in to the SonicWALL appliance
  2. 2.
    Click Log on the left side of the browser window
  3. 3.
    Select the Log Settings tab
  4. 4.
    Type the IP address of the “Log Collector” server in the Syslog Server text box
  5. 5.
    Click Update at the bottom of the browser window

Configuring SonicWALL Logging Level

  1. 1.
    Log in to the SonicWALL appliance
  2. 2.
    Click Log on the left side of the browser window
  3. 3.
    Select the View tab
  4. 4.
    Select the Logging Level as Informational from the combo box
  5. 5.
    Click Update at the bottom of the browser window
Whenever you create an access rule in the SonicWALL Firewall, ensure that 'Enable Logging' check box is selected for the particular rule.
Restart the SonicWALL appliance for the changes to take effect. 

Checkpoint

Log Exporter - Check Point Log Export
Log Collector supports Log Exporter for R77.30, R80.10, R80.20 and later versions.
Installation

R80.20

Log Exporter is already integrated in version R80.20. There is no need to install dedicated package.
Note:​
  1. 1.
    In order to preserve the Log Exporter configuration before upgrading to R80.20, please follow sk127653 - How to backup and restore Log Exporter configuration on upgrade to R80.20
  2. 2.
    In order to support exporting logs in CEF format, please install R80.20 Jumbo Hotfix Take 5 and above.

R80.10

Install this release on a R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
Note:​
  1. 1.
    Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.
  2. 2.
    This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.
  3. 3.
    Take care to install the latest Log Exporter take available for download below, in order to avoid a conflict with the Jumbo HF.

R77.30

Install this release on a R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
Note:​
Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.
**This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.
Version
Date
CPUSE Online Identifier
CPUSE offline package
R80.10
20 January 2019
Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz
(TGZ)
R77.30
06 November 2018
Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz
(TGZ)
Install the hotfix using CPUSE, see sk92449.
Configure Log Exporter to forward Syslogs using CLI
After applying the hot fix, the firewall will restart automatically, you have to restart the Check Point firewall, once again.
  1. 1.
    Telnet/SSH the Check Point firewall and enter the below command.
cp_log_export add name <name> target-server <Log Collector IP Address> target-port 1514 protocol udp format cef
  1. 1.
    The new log exporter does not start automatically. To start it run:
cp_log_export restart name <name>

Blue Coat Proxy Logs

TO FORWARD BLUE COAT LOGS USING WEB INTERFACE

  1. 1.
    Log in to the GUI on Blue Coat appliance.
  2. 2.
    Select Configuration > Access Logging > Logs > Upload Client.
  3. 3.
    From the Log list, select the log that contains your custom format.
  4. 4.
    From the Client type list, select Custom Client.
  5. 5.
    Click Settings.
  6. 6.
    From the Settings For list, select Primary Custom Server.
  7. 7.
    In the Host field, type the IP address of your Log Collector.
  8. 8.
    In the Port field, type <port number> (Check Appendix A for default port list).
  9. 9.
    Click OK.
  10. 10.
    Select the Upload Schedule tab.
  11. 11.
    From the Upload the access log list, select Continuously.
  12. 12.
    Click Apply.

TO FORWARD BLUE COAT PROXY LOGS USING CLI

  1. 1.
    At the root configure mode, Enter the command
syslog view
To view the default configuration.
  1. 1.
    To change the facility, enter the command
syslog facility <facility>
  1. 1.
    where facility is the category which should be sent to Log Collector.
  2. 2.
    To start logging to the specified facility, enter the command
syslog add <Log Collector IP Address>
  1. 1.
    To verify that the host and facility are correct, enter the command
syslog view
  1. 1.
    Confirm the changes.

Tipping Point

To forward Tipping Point IPS logs to the Log Collector, the required steps are as follows:
  • Log in to the Tipping Point system using GUI.
  • On the Admin Navigation menu, select Server Properties.
  • Select the Management tab.
  • Click Add.
  • The Edit Syslog Notification window is displayed.
  • Select the Enable check box.
  • Configure the following values:
  • Syslog Server - Type the IP address of the Log Collector
  • Port - Type 514 as the port address. Check Appendix A for default port list.
  • Log Type - Select SMS 2.0 / 2.1 Syslog format from the list.
  • Facility - Select Log Audit from the list.
  • Severity - Select Severity in Event from the list.
  • Delimiter - Select TAB as the delimiter for the generated logs.
  • Include Timestamp in Header - Select Use original event timestamp.
  • Select the Include SMS Hostname in Header check box.
  • Click OK.

FireEye

To Forward Fireeye Logs
  1. 1.
    Log in to the FireEye appliance by using the CLI.
  2. 2.
    To activate configuration mode, type the following commands:
enable
configure terminal
  1. 1.
    To enable rsyslog notifications, type the following command:
fenotify rsyslog enable
  1. 1.
    To add BluSapphire Log Collector as a rsyslog notification consumer, type the following command:
fenotify rsyslog trap-sink blus
  1. 1.
    To specify the IP address for the “Log Collector” system that you want to receive rsyslog trap-sink notifications, type the following command:
fenotify rsyslog trap-sink blus address <Log Collector_IP_address>
  1. 1.
    To define the rsyslog event format, type the following command:
fenotify rsyslog trap-sink blus prefer message format cef
  1. 1.
    To save the configuration changes to the FireEye appliance, type the following command:
write memory

To Forward Fireeye NX Alert Logs

  1. 1.
    Log in to the FireEye NX using web interface.
  2. 2.
    Go to Settings > Notifications
  3. 3.
    Tick rsyslog to enable a Syslog notification configuration.
  4. 4.
    Enter a name to label your FireEye connection to the “Log Collector” in the Name field.
  5. 5.
    Click the Add Rsyslog Server button.
  6. 6.
    Enter the <Log Collector IP Address> in the IP Address field.
  7. 7.
    Tick the Enabled check box.
  8. 8.
    Select Per event in the Delivery drop-down list.
  9. 9.
    Select All Events from the Notifications drop-down list.
  10. 10.
    Select CEF as the Format drop-down list. Other formats are not supported.
  11. 11.
    Leave the Account field empty.
  12. 12.
    Select UDP from the Protocol drop-down list.
  13. 13.
    Click the Update button.

UBUNTU

To forward Audit logs

Install syslog package, if you haven’t installed it by executing the below command:
apt-get install rsyslog
Open the rsyslog.conf file located at /etc/rsyslog.conf by following command: 
vim /etc/rsyslog.conf
At the end of the file check for the following line and uncomment:
$IncludeConfig /etc/rsyslog.d/*.conf
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
Save and Quit the configuration file.
Open a auditd.conf file located at /etc/audit/auditd.conf by following command.
$ vim /etc/audit/auditd.conf
log_group = syslog
Save & Quit the configuration file.
Restart auditd service to reflect the changes.
$ /etc/init.d/auditd restart
Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below
$ModLoad imfile
# auditd audit.log
$InputFileName /var/log/audit/audit.log ##path of log file
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.* @<LogCollector-IP>:514
Save and Quit the configuration file.
Restart rsyslog service
service rsyslog restart
CENTOS-RHEL
To forward Audit logs
Install syslog package, if you haven’t installed it
yum -y install rsyslog
Checking the rsyslog.conf
Open a rsyslog.conf file located at /etc/rsyslog.conf by following command
vim /etc/rsyslog.conf
At the end of the file check for the following line and uncomment
$IncludeConfig /etc/rsyslog.d/*.conf
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
Save and Quit the configuration file.
Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below
$ModLoad Imfile
# auditd audit.log
$InputFileName /var/log/audit/audit.log ##path of log file
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1
local6.* @<Log Collector IP>:514
Save and Quit the configuration file.
Restart rsyslog service
service rsyslog restart

CITRIX ACCESS GATEWAY

Log in to your Citrix Access Gateway web interface
Click the Access Gateway Clustertab
Select Logging/Settings
In the Server field, type the IP address of Log Collector.
From the Facility list, select a syslog facility level.
In the Broadcast interval (mins), type 0 to continuously forward syslog events.
Click Submit to save changes.

SYMANTEC AV

To forward Symantec AV logs, make the following configuration:
Log in to Symantec AV using web interface
In the Console, click Admin.
Click Servers.
Click the local site or remote site that you want to export log data from.
Click Configure External Logging.
On the General tab, in the Update Frequency List box, select how often to send the log data.
In the Master Logging Server list box, select the management server to send the logs to.
If you use SQL Server and connect multiple management servers to the database, specify only one server as the Master Logging Server.
Check Enable Transmission of Logs to a Syslog Server.
Provide the following information:
Syslog Server
Type the IP Address of the “Log Collector”.
Destination Port
Select the protocol to use, and type the destination port that the Syslog server uses to listen for Syslog messages.
Log Facility
Type the number of the log facility that you want to use, or use the default 7
On the Log Filter tab, check which logs to export.
Click OK.

DarkTrace

Configuring DarkTrace IDS Syslog

To configure Darktrace to send Syslog to the BluSapphire Log Collector, you must be a Darktrace administrator with access to the user interface.
1. Log in to the Darktrace interface.
2. Expand the top left menu and select Admin, a second menu appears.
3. Select the System Config page.
4. In the “Alerting” section, click the Verify Alert Settings button.
5. In “JSON Syslog Alerts,” set the field to True.
6. Set the JSON Syslog server to the IP address of the “Log Collector”.
7. Set the JSON Syslog server port <port>. Check Appendix A for default port.
8. Set “JSON Syslog TCP Alerts” to True.
Could not load image

Nutanix

  1. 1.
    Connect to a Controller VM (CVM) in the cluster using SSH.
  2. 2.
    Enter the ncli command to log into the ncli prompt
    <ncli>
    Note: "<ncli>" is the ncli prompt.
  3. 3.
    The remote syslog server is enabled by default, disable it while you configure the settings.
    <ncli> rsyslog-config set-status enable=false
  4. 4.
    Add a rsyslog server using the command which adds it to the cluster.
    <ncli> rsyslog-config add-server name=<remote_server_name> ip-address=<remote_server_address> port=<rsyslog port> network-protocol=udp relp-enabled=false
  5. 5.
    Choose a module to forward log information from and specify the level of information to collect.
    <ncli> rsyslog-config add-module server-name=<remote_server_name> module-name=<module_name> level=<log_level>
    Replace <module_name> with one of the following:
    a. ACROPOLIS
    b. AUDIT
    c. CASSANDRA
    d. CEREBRO
    e. CURATOR
    f. GENESIS
    g. PRISM
    h. STARGATE
    i. SYSLOG_MODULE
    j. ZOOKEEPER
Enable module logs at the ERROR level unless you require more information, replace <log_level> with one of the following:
a. EMERGENCY
b. ALERT
c. CRITICAL
d. ERROR
e. WARNING
f. NOTICE
g. INFO
h. DEBUG
6. For e.g.: Once you configure level 6 (it's info), it also covers level 0,1,2,3,4,5 + level 6. For e.g. if you select "INFO" for a module, you don't have to select ALERT for the same module.
7. Enable the rsyslog server.
<ncli> rsyslog-config set-status enable=true
8. Logs should start forwarding to the remote syslog server.
9. Show the current rsyslog server setting and modules added.
<ncli> rsyslog-config ls <ncli> rsyslog-config ls-modules server-name=<rsyslog_name>

SAP

SAP stores logs in binary format by default. A schedule task to dump logs in CSV format has to be created in SAP.
  1. 1.
    Save SAP logs on particular folder (eg: /opt/g14/saplogs/) on the system/server in csv format.
  2. 2.
    Schedule an activity in SAP to generate the audit logs in required intervals (eg: hourly).
  3. 3.
    Download and install filebeat latest version by using below link.
    https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
  4. 4.
    Before starting Filebeat Edit filebeat.yml file
    File path: C:\Program Files\filebeat\filebeat.yml
  5. 5.
    In Filebeat input session, can modify input enabled field False to true
5. Place your log folder path(step-2) under paths field.
6. Under Elastic search output session, put # to all lines.
7. Under Logstash output session, remove comments (#) and place IP and Port.
8. Modify localhost to Log collector IP and modify port number (provided by blusapphire).
9. After configuration is completed then Start the Filebeat service on PowerShell
1
PS C:\Program Files\filebeat> Start-Service filebeat
Copied!