Log Forwarding - How To - BluSapphire

Search…

Log Forwarding - How To

This page contains instructions on how to forward logs from various log sources to BluSapphire. There may be minor differences on the data collected on various sources. Beware.

Fortinet 
Forward Fortinet firewall logs to the log collector using GUI 
Follow the steps below to configure the FortiGate firewall: 
1.Log in to the FortiGate web interface 
2.Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting (depending on the version of FortiGate) 
3.To export logs in the syslog format (or export logs to a different configured port):  
Select the Log to Remote Host option or Syslog checkbox (depending on the version of FortiGate) Syslog format is preferred over WELF, in order to support vdom in Fortigate firewalls. 
Enter the IP address and port of the “Log Collector” 
In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list. 
Select the logging level as Information or select the Log All Events checkbox (depending on the version of FortiGate) 
Select the facility as local7 
1.Click Apply 
CAUTION: Do not select CSV format for exporting the logs.  
Configuring RuleSets for Logging Traffic 
Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate firewall: 
1.Select Firewall > Policy 
2.Choose a rule for which you want to log traffic and click Edit. You can configure any traffic to be logged separately if it is acted upon by a specific rule. 
3.Select the Log Traffic checkbox 
4.Click OK and then click Apply 
Repeat the above steps for all rules for which you want to log traffic. 
If “Log Collector” is unable to receive the logs from the Fortigate after configuring from UI, please carryout the steps to configure it through command prompt. 
(For the models like Fortigate 60, Fortigate 200, etc.) 
Please follow the steps to enable the device to send the logs to “Log Collector”. 
Start CLI on the Fortigate firewall. 
Execute the following commands to enable Syslog: 
Enable syslog: 
 
config log syslogd2 setting 
set status enable 
set server <IP> 
set csv disable 
set facility local7 
set port 1514 
set reliable disable 
end <cr>  
Execute the following commands to enable Traffic: 
Enable traffic: 
 
config log syslogd filter<cr> 
set severity information<cr> 
set traffic enable<cr> 
set web enable<cr> 
set email enable<cr> 
set attack enable<cr> 
set im enable<cr> 
set virus enable<cr> 
end <cr>  
Note: Type "show log syslogd filter" to list all available traffic. 
Note: In Fortigate OS v5.0, there is an option to send syslog using TCP.  
Note: If BluSapphire “Log Collector“ is not getting logs from Fortigate, please check Fortigate OS version. If it is v5.0 or above, ensure option 'reliable' is disabled in syslog config. Then it will use UDP. 
 
Syslog setting can only be done through CLI mode. There is no option in UI. 
FORTIMANAGER 
The FortiManager family delivers the versatility you need to effectively manage your Fortinet- based security infrastructure. 
TO FORWARD FORTIMANAGER 4.3.X LOGS 
Log in to FortiManager 4.3.x using CLI: 
config fmsystem locallog syslogd setting 
set server <IP address> ##Address of Log Collector 
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log 
set status <enable | disable> 
set facility <facility> ##Which facility for remote syslog. 
set port <port> ##Port that server listens at 
end 
TO FORWARD FORTIMANAGER 5.0.X UP TO 5.0.6 LOGS 
Log in to FortiManager 5.0.x up to 5.0.6 using CLI: 
config system locallog syslogd setting 
set server <IP address> ##Address of Log Collector 
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log 
set status <enable | disable> 
set facility <facility> ##Which facility for remote syslog. 
set port <port> ##Port that server listens at. 
End 
TO FORWARD FORTIMANAGER 5.0.7 AND ABOVE VERSION LOGS  
Log in to FortiManager 5.0.7 using web interface: 
1. Go to System Settings > Advanced > Syslog Server 
Fortimanager Syslog GUI
The Syslog server can also be defined using CLI: 
config system syslog 
edit <server name> 
set ip <Log Collector-IP> 
end 
Enable sending FortiManager local logs 
This can only be configured using CLI: 
config system locallog syslogd setting 
set syslog-name <Remote syslog server name,defined at previous step> 
set severity <emergency | alert | critical | error | warning | notification | information | debug> ##Least severity level to log 
set status <enable | disable> 
set facility <facility> ##Which facility for remote syslog. 
set port <port> ##Port that server listens at (514) 
end 
Cisco ASA 
Cisco ASA using Command Line Interface 
1.Telnet to the ASA firewall and enter the enable mode 
2.Type the following: 
configure terminal 
 
logging enable 
 
logging timestamp 
 
logging trap informational 
 
logging device-id {context-name | hostname | ipaddress interface_name | string text} 
 
logging host interface_name syslog_ip [udp/<syslog_port>] 
interface_name 
is the interface on the ASA Firewall whose logs need to be analyzed (for example: "inside" or "outside"). 
syslog_ip 
is the IP address of the Log Collector to which the Firewall should send the Syslogs. 
udp/<syslog_port> 
indicates that logs will be sent using the UDP protocol, to the configured syslog port on the syslog server. If left blank, logs will be sent to the default UDP port 514. Check Appendix A for default port list. 
hostname 
firewall's host name (defined with the hostname configuration command) 
ipaddress interface_name 
the IP address of a specific firewall interface named interface_name (for example: "inside" or "outside") 
string text 
an arbitrary text string (up to 16 characters) 
context-name 
in PIX 7.x or FWSM 2.x operating in multiple-context mode, the name of the firewall context can also be sent. 
Cisco ASA with FirePOWER services 
Creating a Syslog Alert Response 
1. Choose ASA Firepower Configuration > Policies > Actions > Alerts. 
2. From the Create Alert drop-down menu, choose Create Syslog Alert. 
3. Enter a Name for the alert. 
4. In the Host field, enter the hostname or IP address of “Log Collector”. 
5. In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list. 
6. From the Facility list, choose a facility LOCAL7. 
7. From the Severity list, choose a severity INFO. 
8. Click Save. 
Graphical user interface, website

Description automatically generated
Configuration for sending the Traffic Events 
1.Navigate to ASA Firepower Configuration > Policies > Access Control Policy 
2.Edit the access rule and navigate to logging option. 
3.Select log at Beginning and End of Connection options. 
4.Navigate to Send Connection Events to option , select Syslog, and then select a Syslog alert response. 
5.Click Save. 
Graphical user interface, text, application

Description automatically generated
 https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html 
Cisco VPN 3000 Concentrator 
Follow the below steps to configure the VPN Concentrator: 
1.Configuring Syslog Server  
2.Login to the Cisco VPN 3000 Concentrator Management console. 
3.Go to Configuration > System> Events >Syslog Servers 
4.Click the Add button 
5.In the Syslog Server text box enter the IP Address of the machine Log Collector is running. 
6.Enter the Port value. Check Appendix A for default port. 
7.Facility is Local 7 
8.​
9.Configuring Syslog Events  
10.Go to Configuration > System> Events >General 
11.For Syslog Format you can either select Original or Cisco IOS Compatible format. 
12.For Events to Syslog select Severities 1-5 
13.All other configurations are default for this page. 
14.Click Apply button 
For more information, refer the Cisco VPN Concentrator documentation. 
Cisco IOS Switch 
Follow the below steps to configure the Cisco IOS Switch: 
1.Login to the Cisco IOS console or Telnet to the device. 
2.Change the configuration mode of the device.  
Use the following command: 
configure terminal 
1.Enable logging by using the following commands: 
logging on 
logging trap informational 
logging <IP Address of Log Collector> 
1.If there is a Firewall module in the IOS device, use the following command to enable audit trail. This will generate traffic information. 
ip inspect audit-trail 
For more information, refer the Cisco IOS Switch documentation. 
Cisco ASA using ASDM 
Load the ASDM. 
Select Configuration > Device Management > Logging > Logging Setup. 
Graphical user interface, text, application, email

Description automatically generated
Select Enable Logging. 
Select Logging > Logging Filters. 
Choose the syslog-servers as Informational. 
Select Logging > Syslog servers. 
Click Add. 
Graphical user interface, application

Description automatically generated
Enter the IP address of Log Collector and choose the appropriate interface. Also, ensure that you choose UDP and enter the port number 514 or 1514. Check Appendix A for default log ports. 
Select Logging > Syslog Setup. 
Select Include time stamp in syslogs option and scroll down to ensure the syslog IDs 302013, 302014, 302015 & 302016 are in enabled state and the logging level is set to Informational. 
Disable Logging 
You can disable specific syslog IDs based on your requirement.  
Note: 
By selecting the check mark for the Include timestamp in syslogs option, you can add the date and time that they were generated as a field to the syslogs. 
 Select the syslogs to disable and click Edit. 
From the Edit Syslog ID Settings window, select the Disable messages option and click OK. 
The disabled syslogs can be viewed in a separate tab by selecting Disabled syslog IDs from the Syslog ID Setup drop-down menu. 
CISCO ROUTER  
To configure Cisco Router to send syslog messages 
Enter the command: 
enable 
To enter privileged EXEC mode. 
Enter the command: 
configure terminal 
This will allow you to enter global configuration mode. 
Enter the command: 
logging host 
Replace host with Log Collector IP Address. 
Enter the command: 
logging trap level 
Specify the level as per requirement. 
Where: 
Emergency: 0 
Alert: 1 
Critical: 2 
Error: 3 
Warning: 4 
Notice: 5 
Informational: 6 
Debug: 7 
Enter the command: 
logging facility local7 
Default facility-type value is local7.  
Enter the command: 
end 
To save changes and exit global configuration mode. 
To display changes made enter command: 
show logging 
This displays logging configuration. Verify configuration. 
CISCO SOURCEFIRE 
To Forward Cisco Sourcefire Ids Intrusion Alerts 
Log in to the SourceFire IDS using web interface. 
Go to Policies > Intrusion > Intrusion Policy. 
Locate the policy you want to apply and select Edit. 
Click Advanced Settings. 
In the list, locate Syslog Alerting and set it to Enabled. 
In the Logging Hosts field, type the IP address of Log Collector. 
Choose an appropriate Facility and Severity from the listbox. 
Near the top-left of the page, click Policy Information. 
Click Commit Changes. 
CISCO IRONPORT 
To configure IronPort device to send syslog events, please follow the following steps: 
Log in to Cisco IronPort user interface. 
Select System Administration \ Log Subscriptions. 
Click Add Log Subscription. 
Configure the following values: 
Log Type - Define a log subscription for both Ironport Text Mail Logs and System Logs. 
Log Name - Type a log name. 
File Name - Use the default configuration value. 
Maximum File Size - Use the default configuration value. 
Log Level - Select Information (Default). 
Retrieval Method - Select Syslog Push. 
Hostname - Type the IP address of Log Collector. 
Protocol - Select UDP. 
Facility - Use the default configuration value. This value depends on the configured Log Type. 
Save the subscription. 
CISCO NEXUS SWITCH 
To forward Cisco Nexus Switch logs, make the following configuration 
Type the following command to switch to configuration mode: 
config t 
Type the following commands: 
logging server <IP ADDRESS OF LOG COLLECTOR> <SEVERITY> 
Type the following to configure the interface for sending syslog events: 
logging source-interface loopback 
Type the following command to save your current configuration as the start-up configuration: 
copy running-config startup-config 
CISCO VPN CONCENTRATOR 
To configure Cisco VPN concentrator and send syslog messages 
Log in to the VPN concentrator using web interface. 
Go to Configuration > System > Events > Syslog Servers 
Select Add 
Enter the IP address of the “Local Collector” and choose facility level from the facility drop down menu. 
Next, return to the Syslog Server page by clicking Add again. 
Cisco VPN Syslog GUI
CONFIGURE EVENTS 
Go to Configuration > Events > System > General. 
Select the event options based on the severity to the syslog drop down menus and click Apply. 
Cisco VPN configure event handling
To save changes click on the Save button. 
NetScreen Firewall 
Enable Syslog Messages and Disable WebTrends Messages using the NetScreen Administration Tools Console  
1.Log in to the NetScreen GUI. 
2.Click Configuration> Report Settings> Syslog in the left pane of the NetScreen GUI. 
3.Select the Enable Syslog Messages check box. 
4.Select the Trust Interface as Source IP for VPN and Include Traffic Log check box. 
5.Type the IP address of the “Log Collector” and syslog port (514) in the Syslog Host Name / Port text box. 
6.All other fields will have default values. 
7.Click Apply to save the changes. 
8.Click Configuration> Report Settings> WebTrends in the left pane of the NetScreen GUI 
9.Clear the Enable WebTrends Messages check box. 
10.Click Apply to save the changes. 
To configure Syslog, perform the following steps: 
1.Open the WebUI. 
2.From the ScreenOS console menu, click Configuration, select Report Settings, and then click Syslog. 
A picture containing graphical user interface, application

Description automatically generated
1.From the Syslog page, click to select Enable Syslog Messages. 
Note: 
From the 'Source interface' drop-down menu, select the interface from which syslog packets are sent. 
Graphical user interface, text, application

Description automatically generated
1.Enter the necessary information for each syslog server you are adding. Syslog messages can be sent to up to 4 designated syslog servers.  
Enable: Select this option to enable the syslog server. 
IP/ Hostname: The IP address of the “Log Collector”.. 
Port: In the Port field, enter the port the server uses for syslog messages. Please check Appendix A for default port list. 
Security Facility: The security facility, which classifies and sends security specific messages to the syslog host. 
Facility: The regular facility, which classifies and sends all other messages for events unrelated to security. 
Event Log: Select this option to send event log entries to the syslog host. 
Traffic Log: Select this option to send traffic log entries to the syslog host. 
For this example, 192.168.1.2 has been used as the Syslog Host Name. It is recommended to leave the Syslog port as the default value (514): 
 
 
1.Click APPLY to save the syslog configuration.  
Table

Description automatically generated
Caution: 
Uncheck the TCP option. This will make the firewall to send syslogs in the configured UDP port. 
Configure/Enable Syslog Messages for Netscreen Firewall device using CLI Console: 
Execute the following commands to configure syslog via CLI:  
set syslog config 192.168.1.2 
set syslog config 192.168.1.2 facilities local0 local0 
set syslog config 192.168.1.2 log traffic 
set syslog src-interface <<interface name>> 
set syslog enable 
NOTE: The difference between “security facility” and “facility” is that “security facility” is specific for logging of security related events. Facility logs all other events. 
Palo Alto Firewalls 
Configure Syslog Monitoring 
To use Syslog to monitor a Palo Alto Networks device, create a Syslog server profile and assign it to the device log settings for each log type.  
A picture containing timeline

Description automatically generated
Configure a Syslog server profile 
You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile. 
Graphical user interface, application

Description automatically generated
Select Device > Server Profiles > Syslog 
Click Add and enter a Name for the profile 
If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available. 
For each syslog server, click Add and enter the information that the firewall requires to connect to it:  
Name —Unique name for the server profile. 
Server —IP address or fully qualified domain name (FQDN) of the syslog server. 
Transport —Select TCP, UDP, or SSL as the method of communication with the syslog server. 
Port —The port number on which to send syslog messages (default is UDP on port 1514); you must use the same port number on the firewall and the syslog server. 
Format —Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL. 
Facility —Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages. 
(Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide. 
Click OK to save the server profile. 
Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs 
Create a log forwarding profile  
Graphical user interface, table

Description automatically generated
Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile. 
For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK. 
Assign the log forwarding profile to security rules. 
A screenshot of a video game

Description automatically generated
 Configure security policy rule action as log forwarding 
Select Policies > Security 
Click the policy in which you want to configure log forwarding 
Select Actions 
Select the profile to which the logs to be forwarded in Log Forwarding dropdown list. 
Click OK  
Graphical user interface, website

Description automatically generated
Graphical user interface

Description automatically generated
 Configure syslog forwarding for System, Config, HIP Match, and Correlation logs 
Select Device > Log Settings. 
For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK. 
For Config, HIP Match, and Correlation logs, click the Edit icon, select the Syslog server profile, and click OK. 
Graphical user interface

Description automatically generated
 Commit your changes and review the logs on the syslog server 
Click Commit 
To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions. 
Graphical user interface

Description automatically generated
Juniper 
Configuring to send Syslog Messages from SRX device 
 Using J-Web 
1.Log in to the Juniper SRX device. 
2.Click Configure > CLI Tools > Point and Click CLI in the Juniper SRX device. 
3.Expand System and click Syslog. 
4.In the Syslog page, click Add New Entry placed next to 'Host'. 
5.Enter the IP address of the “Log Collector” 
6.Click Apply to save the configuration. 
Using CLI 
1.Log in to the Juniper SRX device CLI console. 
2.Execute the following command: 
[email protected]#  set system syslog host <IP address of the Log Collector> any any 
Graphical user interface, text, application, email

Description automatically generated
To enable logging for Security policy: 
Using J-Web 
Select Configure > Security > Policy > FW Policies. 
Click on the policy for which you would like to enable logging. 
Navigate to Logging/Count and in Log Options, select Log at Session Close Time. 
Using CLI 
1.Log in to the Juniper SRX device CLI console. 
2.Execute the following command: 
[email protected]# set security policies from-zone trust to-zone untrust policy permit-all then log session-close 
Graphical user interface, text, application, email

Description automatically generated
Juniper Networks IDP Device (version IDP 50) 
 Configuring to send Syslog Messages directly from Sensor 
1.Log in to the Juniper Networks IDP device. 
2.Click Device > Report Settings > Enable Syslog in the Juniper Networks IDP device. 
3.Select the Enable Syslog Messages check box. 
4.Click Apply to save the changes. 
This configuration will generate syslogs for: 
All attacks 
Policy load 
Restart 
This configuration will not provide: 
Profiler logs 
Device connect/disconnect logs 
Interface UP/DOWN logs 
Logs for Bypass State Changes  
Sonicwall 
Configuring SonicWALL To Direct Log Streams  
1.Log in to the SonicWALL appliance 
2.Click Log on the left side of the browser window 
3.Select the Log Settings tab 
4.Type the IP address of the “Log Collector” server in the Syslog Server text box 
5.Click Update at the bottom of the browser window 
Configuring SonicWALL Logging Level 
1.Log in to the SonicWALL appliance 
2.Click Log on the left side of the browser window 
3.Select the View tab 
4.Select the Logging Level as Informational from the combo box 
5.Click Update at the bottom of the browser window 
Whenever you create an access rule in the SonicWALL Firewall, ensure that 'Enable Logging' check box is selected for the particular rule. 
Restart the SonicWALL appliance for the changes to take effect.  
Checkpoint 
Log Exporter - Check Point Log Export 
Log Collector supports Log Exporter for R77.30, R80.10, R80.20 and later versions. 
Installation 
R80.20 
Log Exporter is already integrated in version R80.20. There is no need to install dedicated package. 
Note:​ 
1.In order to preserve the Log Exporter configuration before upgrading to R80.20, please follow sk127653 - How to backup and restore Log Exporter configuration on upgrade to R80.20 
2.In order to support exporting logs in CEF format, please install R80.20 Jumbo Hotfix Take 5 and above. 
R80.10 
Install this release on a R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server. 
Note:​ 
1.Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above. 
2.This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place. 
3.Take care to install the latest Log Exporter take available for download below, in order to avoid a conflict with the Jumbo HF. 
R77.30 
Install this release on a R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server. 
Note:​ 
Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above. 
**This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place. 
Version 
Date 
CPUSE Online Identifier 
CPUSE offline package 
R80.10 
20 January 2019 
Check_Point_R80.10_Log_Exporter_T43_sk122323_FULL.tgz 
(TGZ) 
R77.30 
06 November 2018 
Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz 
(TGZ) 
Install the hotfix using CPUSE, see sk92449. 
Configure Log Exporter to forward Syslogs using CLI 
After applying the hot fix, the firewall will restart automatically, you have to restart the Check Point firewall, once again. 
1.Telnet/SSH the Check Point firewall and enter the below command. 
cp_log_export add name <name> target-server <Log Collector IP Address> target-port 1514 protocol udp format cef 
1.The new log exporter does not start automatically. To start it run: 
cp_log_export restart name <name> 
Blue Coat Proxy Logs 
TO FORWARD BLUE COAT LOGS USING WEB INTERFACE 
1.Log in to the GUI on Blue Coat appliance. 
2.Select Configuration > Access Logging > Logs > Upload Client. 
3.From the Log list, select the log that contains your custom format. 
4.From the Client type list, select Custom Client. 
5.Click Settings. 
6.From the Settings For list, select Primary Custom Server. 
7.In the Host field, type the IP address of your Log Collector. 
8.In the Port field, type <port number> (Check Appendix A for default port list). 
9.Click OK. 
10.Select the Upload Schedule tab. 
11.From the Upload the access log list, select Continuously. 
12.Click Apply. 
TO FORWARD BLUE COAT PROXY LOGS USING CLI 
1.At the root configure mode, Enter the command 
syslog view 
To view the default configuration. 
1.To change the facility, enter the command 
syslog facility <facility> 
1.where facility is the category which should be sent to Log Collector. 
2.To start logging to the specified facility, enter the command 
syslog add <Log Collector IP Address> 
1.To verify that the host and facility are correct, enter the command 
syslog view 
1.Confirm the changes. 
Tipping Point 
To forward Tipping Point IPS logs to the Log Collector, the required steps are as follows: 
Log in to the Tipping Point system using GUI. 
On the Admin Navigation menu, select Server Properties. 
Select the Management tab. 
Click Add. 
The Edit Syslog Notification window is displayed. 
Select the Enable check box. 
Configure the following values: 
Syslog Server - Type the IP address of the Log Collector 
Port - Type 514 as the port address. Check Appendix A for default port list. 
Log Type - Select SMS 2.0 / 2.1 Syslog format from the list. 
Facility - Select Log Audit from the list. 
Severity - Select Severity in Event from the list. 
Delimiter - Select TAB as the delimiter for the generated logs. 
Include Timestamp in Header - Select Use original event timestamp. 
Select the Include SMS Hostname in Header check box. 
Click OK. 
FireEye 
To Forward Fireeye Logs  
1.Log in to the FireEye appliance by using the CLI. 
2.To activate configuration mode, type the following commands: 
enable 
configure terminal 
1.To enable rsyslog notifications, type the following command: 
fenotify rsyslog enable 
1.To add BluSapphire Log Collector as a rsyslog notification consumer, type the following command: 
fenotify rsyslog trap-sink blus 
1.To specify the IP address for the “Log Collector” system that you want to receive rsyslog trap-sink notifications, type the following command: 
fenotify rsyslog trap-sink blus address <Log Collector_IP_address> 
1.To define the rsyslog event format, type the following command: 
fenotify rsyslog trap-sink blus prefer message format cef 
1.To save the configuration changes to the FireEye appliance, type the following command: 
write memory 
To Forward Fireeye NX Alert Logs 
1.Log in to the FireEye NX using web interface. 
2.Go to Settings > Notifications 
3.Tick rsyslog to enable a Syslog notification configuration. 
4.Enter a name to label your FireEye connection to the “Log Collector” in the Name field. 
5.Click the Add Rsyslog Server button. 
6.Enter the <Log Collector IP Address> in the IP Address field. 
7.Tick the Enabled check box. 
8.Select Per event in the Delivery drop-down list. 
9.Select All Events from the Notifications drop-down list. 
10.Select CEF as the Format drop-down list. Other formats are not supported. 
11.Leave the Account field empty. 
12.Select UDP from the Protocol drop-down list. 
13.Click the Update button. 
UBUNTU  
To forward Audit logs  
Install syslog package, if you haven’t installed it by executing the below command: 
apt-get install rsyslog 
Open the rsyslog.conf file located at /etc/rsyslog.conf by following command:  
vim /etc/rsyslog.conf 
At the end of the file check for the following line and uncomment: 
$IncludeConfig /etc/rsyslog.d/*.conf 
# Include all config files in /etc/rsyslog.d/ 
$IncludeConfig /etc/rsyslog.d/*.conf 
Save and Quit the configuration file. 
Open a auditd.conf file located at /etc/audit/auditd.conf by following command. 
$ vim /etc/audit/auditd.conf 
log_group = syslog 
Save & Quit the configuration file. 
Restart auditd service to reflect the changes. 
$ /etc/init.d/auditd restart 
Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below 
$ModLoad imfile 
# auditd audit.log 
$InputFileName /var/log/audit/audit.log ##path of log file 
$InputFileTag tag_audit_log: 
$InputFileStateFile audit_log 
$InputFileSeverity info 
$InputFileFacility local6 
$InputRunFileMonitor 
local6.* @<LogCollector-IP>:514 
Save and Quit the configuration file. 
Restart rsyslog service 
service rsyslog restart 
CENTOS-RHEL 
To forward Audit logs  
Install syslog package, if you haven’t installed it 
yum -y install rsyslog 
Checking the rsyslog.conf 
Open a rsyslog.conf file located at /etc/rsyslog.conf by following command 
vim /etc/rsyslog.conf 
At the end of the file check for the following line and uncomment 
$IncludeConfig /etc/rsyslog.d/*.conf 
# Include all config files in /etc/rsyslog.d/ 
$IncludeConfig /etc/rsyslog.d/*.conf 
Save and Quit the configuration file. 
Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below 
$ModLoad Imfile 
# auditd audit.log 
$InputFileName /var/log/audit/audit.log ##path of log file 
$InputFileTag tag_audit_log: 
$InputFileStateFile audit_log 
$InputFileSeverity info 
$InputFileFacility local6 
$InputRunFileMonitor 
$WorkDirectory /var/lib/rsyslog 
$ActionQueueFileName fwdRule1 # unique name prefix for spool files 
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) 
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown 
$ActionQueueType LinkedList # run asynchronously 
$ActionResumeRetryCount -1 
local6.* @<Log Collector IP>:514 
Save and Quit the configuration file. 
Restart rsyslog service 
service rsyslog restart 
CITRIX ACCESS GATEWAY 
Log in to your Citrix Access Gateway web interface 
Click the Access Gateway Clustertab 
Select Logging/Settings 
In the Server field, type the IP address of Log Collector. 
From the Facility list, select a syslog facility level. 
In the Broadcast interval (mins), type 0 to continuously forward syslog events. 
Click Submit to save changes. 
SYMANTEC AV 
To forward Symantec AV logs, make the following configuration: 
Log in to Symantec AV using web interface 
In the Console, click Admin. 
Click Servers. 
Click the local site or remote site that you want to export log data from. 
Click Configure External Logging.  
On the General tab, in the Update Frequency List box, select how often to send the log data. 
In the Master Logging Server list box, select the management server to send the logs to. 
If you use SQL Server and connect multiple management servers to the database, specify only one server as the Master Logging Server. 
Check Enable Transmission of Logs to a Syslog Server. 
Provide the following information: 
Syslog Server 
Type the IP Address of the “Log Collector”. 
Destination Port 
Select the protocol to use, and type the destination port that the Syslog server uses to listen for Syslog messages. 
Log Facility 
Type the number of the log facility that you want to use, or use the default 7 
On the Log Filter tab, check which logs to export. 
Click OK. 
DarkTrace 
Configuring DarkTrace IDS Syslog  
To configure Darktrace to send Syslog to the BluSapphire Log Collector, you must be a Darktrace administrator with access to the user interface.  
1. Log in to the Darktrace interface.  
2. Expand the top left menu and select Admin, a second menu appears.  
3. Select the System Config page. 
4. In the “Alerting” section, click the Verify Alert Settings button.  
5. In “JSON Syslog Alerts,” set the field to True.  
6. Set the JSON Syslog server to the IP address of the “Log Collector”.  
7. Set the JSON Syslog server port <port>. Check Appendix A for default port. 
8. Set “JSON Syslog TCP Alerts” to True. 

Nutanix
1.Connect to a Controller VM (CVM) in the cluster using SSH.
2.Enter the ncli command to log into the ncli prompt          
[email protected]$ ncli
<ncli>   
Note: "<ncli>" is the ncli prompt.             
3.The remote syslog server is enabled by default, disable it while you configure the settings.            
<ncli> rsyslog-config set-status enable=false       
4.Add a rsyslog server using the command which adds it to the cluster.    
<ncli> rsyslog-config add-server name=<remote_server_name> ip-address=<remote_server_address> port=<rsyslog port> network-protocol=udp relp-enabled=false  
5.Choose a module to forward log information from and specify the level of information to collect.                
<ncli> rsyslog-config add-module server-name=<remote_server_name> module-name=<module_name> level=<log_level>            
​
Replace <module_name> with one of the following:
a.       ACROPOLIS
b.      AUDIT
c.       CASSANDRA
d.      CEREBRO
e.       CURATOR
f.        GENESIS
g.      PRISM
h.      STARGATE
i.        SYSLOG_MODULE
j.        ZOOKEEPER   
 Enable module logs at the ERROR level unless you require more information, replace <log_level> with one of the following:   
       a. EMERGENCY
       b. ALERT
       c. CRITICAL
       d. ERROR
       e. WARNING
       f. NOTICE
       g. INFO
       h. DEBUG
6. For e.g.: Once you configure level 6 (it's info), it also covers level 0,1,2,3,4,5 + level 6. For e.g. if you select "INFO" for a module, you don't have to select ALERT for the same module.
7. Enable the rsyslog server.            
<ncli> rsyslog-config set-status enable=true        
8. Logs should start forwarding to the remote syslog server.             
9. Show the current rsyslog server setting and modules added.       
<ncli> rsyslog-config ls <ncli> rsyslog-config ls-modules server-name=<rsyslog_name>

SAP
SAP stores logs in binary format by default. A schedule task to dump logs in CSV format has to be created in SAP.
1.Save SAP logs on particular folder (eg: /opt/g14/saplogs/) on the system/server in csv format.
2.Schedule an activity in SAP to generate the audit logs in required intervals (eg: hourly).
3.Download and install filebeat latest version by using below link.
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
4.Before starting Filebeat Edit filebeat.yml file
File path: C:\Program Files\filebeat\filebeat.yml
5.In Filebeat input session, can modify input enabled field False to true
​
5. Place your log folder path(step-2) under paths field.
6. Under Elastic search output session, put # to all lines.
7. Under Logstash output session, remove comments (#) and place IP and Port.
8. Modify localhost to Log collector IP and modify port number (provided by blusapphire).
9. After configuration is completed then Start the Filebeat service on PowerShell
PS C:\Program Files\filebeat> Start-Service filebeat
Cisco Meraki Firewall 
1.Open your Meraki dashboard as an administrator
2.Select the device you’d like to use
3.Select Network-Wide
4.Under the Configure Header – Select General
5.Scroll down to the Reporting Section
6.Select “Add New Syslog Server”
1.Type the IP address of your Blumira Sensor
2.Type port number (Check with Deployment Support team).
3.Add in Event Log, Flows, URL
7.Scroll to the bottom of the page and Save Changes

GPO for Service Account, WinRM and WMI

Mirror / SPAN port configuration

Last modified 12d ago

Copy link

Outline

Configuring RuleSets for Logging Traffic

Enable traffic:

TO FORWARD FORTIMANAGER 4.3.X LOGS

TO FORWARD FORTIMANAGER 5.0.X UP TO 5.0.6 LOGS

TO FORWARD FORTIMANAGER 5.0.7 AND ABOVE VERSION LOGS

Enable sending FortiManager local logs

Cisco ASA with FirePOWER services

Cisco VPN 3000 Concentrator

Cisco IOS Switch

Cisco ASA using ASDM

Disable Logging

CISCO SOURCEFIRE

CISCO NEXUS SWITCH

CISCO VPN CONCENTRATOR

CONFIGURE EVENTS

NetScreen Firewall

Configure/Enable Syslog Messages for Netscreen Firewall device using CLI Console:

Palo Alto Firewalls

Configure Syslog Monitoring

Configure a Syslog server profile

Create a log forwarding profile 

 Configure security policy rule action as log forwarding

 Configure syslog forwarding for System, Config, HIP Match, and Correlation logs

Configuring to send Syslog Messages from SRX device

 Configuring to send Syslog Messages directly from Sensor

Configuring SonicWALL To Direct Log Streams 

Configuring SonicWALL Logging Level

Blue Coat Proxy Logs

TO FORWARD BLUE COAT LOGS USING WEB INTERFACE

TO FORWARD BLUE COAT PROXY LOGS USING CLI

To Forward Fireeye NX Alert Logs

To forward Audit logs

CITRIX ACCESS GATEWAY

Configuring DarkTrace IDS Syslog

Cisco Meraki Firewall