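# FortiGate (FortiOS CLI): second remote syslog destination ("syslogd2").
# Only the settings shown on the page are set; everything else keeps its
# release default. (The stray "<cr>" on the closing line was page residue.)
config log syslogd2 setting
    set status enable
    # address of the log collector
    set server <IP>
    # plain syslog line format rather than CSV
    set csv disable
    set facility local7
    # non-standard port: the collector must listen on 1514 (the syslog
    # default would be 514) and any firewall in between must allow it
    set port 1514
    # "reliable disable" = UDP. UDP syslog is lossy and the log stream
    # travels unauthenticated and in clear text. Where the FortiOS release
    # supports it, prefer the TCP/RFC 6587 option ("set reliable enable";
    # on newer releases the keyword is "set mode reliable") and TLS
    # ("set enc-algorithm ...") - confirm the exact keywords on the unit.
    set reliable disable
end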
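# FortiGate: which log categories and minimum severity are forwarded to the
# first syslog destination. NOTE(review): on the releases that have a
# separate "config log syslogd2 filter", the syslogd2 server configured
# above gets its own filter - confirm on the target release.
# (The "<cr>" tokens on every line were page residue, not CLI input.)
config log syslogd filter
    # "information" and more severe are sent; "debug" would flood the collector
    set severity information
    # traffic logs are by far the largest category - size the collector for them
    set traffic enable
    set web enable
    set email enable
    set attack enable
    # "im" (instant messaging) is not present on current releases; drop the
    # line if the CLI rejects it
    set im enable
    set virus enable
end
# verify the active filter before relying on it
show log syslogd filter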
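# (Page fragment that was fused onto the first command line:
#  '" to list all available traffic.' - it appears to belong to the
#  "show log syslogd filter" note above, not to this block.)
# FortiManager ("fmsystem"): send the appliance's local log to a remote
# syslog collector.
config fmsystem locallog syslogd setting
    # address of the log collector
    set server <IP address>
    # least severe level that is still sent (this level and more severe).
    # Administrative events (logins, config changes) are presumably logged
    # at notification/information - verify against what the collector
    # receives before choosing anything stricter.
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
    set status <enable | disable>
    # syslog facility stamped on the forwarded messages
    set facility <facility>
    # port the collector listens on (syslog default 514)
    set port <port>
end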
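# FortiAnalyzer/FortiManager, older syntax: the collector address is set
# directly on the local-log syslogd setting.
config system locallog syslogd setting
    # address of the log collector
    set server <IP address>
    # least severe level that is still sent (this level and more severe)
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
    set status <enable | disable>
    # syslog facility stamped on the forwarded messages
    set facility <facility>
    # port the collector listens on (syslog default 514)
    set port <port>
# the closing keyword is lowercase; the page had "End", which the CLI is
# not expected to accept
end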
# FortiAnalyzer/FortiManager, newer syntax: the collector is a named
# "system syslog" object, referenced by name from the local-log setting.
config system syslog
    edit <server name>
        # address of the log collector
        set ip <Log Collector-IP>
end

config system locallog syslogd setting
    # name of the remote syslog server object created above
    set syslog-name <Remote syslog server name,defined at previous step>
    # least severe level that is still sent (this level and more severe)
    set severity <emergency | alert | critical | error | warning | notification | information | debug>
    set status <enable | disable>
    # syslog facility stamped on the forwarded messages
    set facility <facility>
    # port the collector listens on; 514 is the syslog default.
    # NOTE(review): nothing here selects a transport, so presumably the
    # messages go out over plain UDP - confirm, and prefer TCP/TLS if the
    # release offers it.
    set port <port>
end
! Cisco ASA: forward syslog to the collector.
configure terminal
 ! turn on the logging subsystem
 logging enable
 ! prefix every message with the ASA clock - only worth having when the
 ! clock is NTP-synced, otherwise collector-side correlation suffers
 logging timestamp
 ! send severity 6 (informational) and more severe to syslog servers;
 ! level 6 is the level that carries the connection build/teardown messages
 logging trap informational
 ! tag every message with this device's identity (pick one form)
 logging device-id {context-name | hostname | ipaddress interface_name | string text}
 ! collector reached through interface_name; UDP is the default transport.
 ! "tcp/<port>" is also accepted - but with a TCP collector the ASA stops
 ! admitting new connections while the collector is unreachable unless
 ! "logging permit-hostdown" is configured; decide that deliberately.
 logging host interface_name syslog_ip [udp/<syslog_port>]
! Cisco IOS (classic firewall / CBAC): send logs to the collector.
! enable logging to destinations other than the console
logging on
! severity 6 (informational) and more severe go to syslog hosts
logging trap informational
! the collector
logging <IP Address of Log Collector>
! one syslog line per inspected session (open/close with byte counts);
! only produces output for traffic matched by an applied "ip inspect"
! rule set
ip inspect audit-trail
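! Cisco IOS: remote syslog.
enable
configure terminal
 ! collector address - the page had "logging host" with no argument, which
 ! is incomplete
 logging host <IP Address of Log Collector>
 ! minimum severity sent to syslog hosts; keyword or number, e.g.
 ! "informational" (6) as in the other IOS snippets on this page
 logging trap <level>
 ! facility stamped on forwarded messages. Default facility-type value is
 ! local7, so this line only documents the choice.
 logging facility local7
 ! (consider "service timestamps log datetime msec show-timezone" and NTP;
 !  without them the collector cannot build a reliable timeline)
end
! verify destinations, level and counters
show logging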
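! Cisco NX-OS: remote syslog.
config t
 ! <SEVERITY> is 0-7; 6 (informational) sends session-level messages.
 ! If the collector is reached through the management VRF, append
 ! "use-vrf management" to this line.
 logging server <IP ADDRESS OF LOG COLLECTOR> <SEVERITY>
 ! the interface keyword needs an instance number (e.g. loopback0); the
 ! page's bare "loopback" is incomplete. A loopback keeps the source
 ! address stable so the collector can allow-list it and attribute
 ! messages to the right device.
 logging source-interface loopback<N>
! persist the change
copy running-config startup-config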
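# Juniper SRX: log session closes on the trust->untrust policy.
# (The "Add / Add / again." text that preceded this line on the page was
#  page text, not configuration.)
# This only marks the policy for logging. The syslog destination itself
# (e.g. "set system syslog host <collector> any any", or stream mode via
# "set security log mode stream" plus "set security log stream <name>
# host <ip>") is not shown on this page and must be configured as well.
# "then log session-close" emits one record when a session ends (with
# byte counts); long-lived sessions will not appear until they tear down -
# add "then log session-init" too if initial visibility matters, at the
# cost of roughly doubling the log volume.
# "permit-all" is only the policy name here, but a permit-any policy
# towards untrust deserves its own review.
set security policies from-zone trust to-zone untrust policy permit-all then log session-close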
# Check Point (Gaia expert shell): export logs with Log Exporter.
# Plain UDP/1514 in CEF - lossy and clear text. cp_log_export also offers
# "protocol tcp" and a TLS mode ("encrypted true" with certificate
# options); check the installed release's cp_log_export help for the
# exact flags before relying on this over an untrusted network.
cp_log_export add name <name> target-server <Log Collector IP Address> target-port 1514 protocol udp format cef
# an added/changed exporter only starts after a restart
cp_log_export restart name <name>
# "cp_log_export status name <name>" then shows whether it is running
# Appliance "syslog" CLI (the vendor is not identifiable from the page).
# record the current settings before changing them
syslog view
syslog facility <facility>
# register the collector
syslog add <Log Collector IP Address>
# confirm the change took
syslog view
# FireEye appliance: push alerts to the collector over rsyslog in CEF.
enable
configure terminal
# enable the rsyslog notification channel
fenotify rsyslog enable
# "blus" is an arbitrary sink name; any name works as long as all three
# trap-sink lines use the same one
fenotify rsyslog trap-sink blus
fenotify rsyslog trap-sink blus address <Log Collector_IP_address>
# CEF is the format most collectors parse natively
fenotify rsyslog trap-sink blus prefer message format cef
# NOTE(review): no transport or port is set, so the sink presumably uses
# the appliance defaults (plain UDP/514) - confirm, and prefer TCP/TLS
# where the release offers it
write memory
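# Debian/Ubuntu: ship auditd's audit.log to the collector through rsyslog.
apt-get install rsyslog

# /etc/rsyslog.conf - the drop-in directory must be included exactly once.
# The page shows the line twice; two $IncludeConfig lines would load every
# file in /etc/rsyslog.d/ twice, which duplicates every action and so
# every forwarded message.
vim /etc/rsyslog.conf
$IncludeConfig /etc/rsyslog.d/*.conf

# auditd: confirm it writes /var/log/audit/audit.log (write_logs = yes,
# log_file = /var/log/audit/audit.log) - the page does not show the edit.
# (The leading "$ " on the restart line was a shell prompt, not input.)
vim /etc/audit/auditd.conf
/etc/init.d/auditd restart

# rsyslog drop-in (e.g. /etc/rsyslog.d/60-audit.conf): tail audit.log and
# forward it.
$ModLoad imfile
# auditd audit.log
# path of log file
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
# state file lives under rsyslog's $WorkDirectory (Debian default
# /var/spool/rsyslog). audit.log is root-only (0600), so this works only
# while rsyslog runs as root - check $PrivDropToUser/$PrivDropToGroup.
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# forward everything tagged local6 (i.e. the audit file).
# NOTE(review): "@" is UDP - audit records carry usernames, commands and
# file paths, and here they leave the host lossy and in clear text. Prefer
# "@@" (TCP), ideally with TLS (omfwd with the gtls netstream driver), and
# add disk-assisted queueing as the RHEL snippet on this page does; with
# UDP a queue buys nothing, because UDP sends never report failure.
local6.* @<LogCollector-IP>:514

service rsyslog restart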
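# RHEL/CentOS: ship auditd's audit.log to the collector through rsyslog.
yum -y install rsyslog

# /etc/rsyslog.conf - the drop-in include must appear once. The page shows
# it twice; a duplicated $IncludeConfig loads every drop-in twice,
# duplicating every action and every forwarded message.
vim /etc/rsyslog.conf
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# rsyslog drop-in (e.g. /etc/rsyslog.d/60-audit.conf)
# spool/state directory - set it before the imfile and queue directives
# that create files in it (RHEL's stock rsyslog.conf already sets this
# globally, so the line is harmless if kept)
$WorkDirectory /var/lib/rsyslog
# module name is lowercase; the page's "$ModLoad Imfile" would look for
# Imfile.so, which does not exist on a case-sensitive filesystem
$ModLoad imfile
# auditd audit.log
# path of log file
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
# audit.log is root-only (0600): works only while rsyslog runs as root
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# disk-assisted queue for the forwarding action that follows (legacy
# $ActionQueue* directives bind to the next action line)
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # retry forever instead of dropping

# NOTE(review): with "@" (UDP) the queue/retry directives above have almost
# no effect - a UDP send never fails from the sender's point of view, so the
# action is never suspended and nothing is spooled while the collector is
# down. They pay off with "@@" (TCP), ideally with TLS (omfwd + gtls);
# audit records (usernames, commands, paths) should not cross the network
# in clear text. Also make sure /var/lib/rsyslog has the 1g headroom.
local6.* @<Log Collector IP>:514

service rsyslog restart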