Sending outgoing syslog messages
Syslog messages
ASMS can send its monitoring messages over syslog, the standard protocol for forwarding log messages across an IP network. ASMS can deliver syslog messages to local or remote servers, where external systems can read the monitoring messages and act on their content.
Supported external syslog consumers include SIEM (Security Information and Event Management) and SOC (Security Operations Center) systems, such as ArcSight, Check Point Eventia, CA eTrust, NetIQ, and so on.
For more details, see:
- AFA Syslog messages
- FireFlow syslog messages
- AppViz Syslog messages
- Login and logout Syslog messages
- System monitoring notifications
ASMS syslog message syntax
ASMS writes its syslog messages locally to /var/log/messages, in CEF (Common Event Format).
Each message starts with a standard syslog prefix consisting of the event date and time and the ASMS machine name. The prefix is followed by the CEF record, whose header fields are delimited by the pipe character (|).
Syslog message headers have the following syntax:
CEF:0|AlgoSec|<Product Name>|<Version>|<Event>|<Event>|<Severity>|<Domain>|<Extension>
where:
- <Product Name> is the ASMS product that generated the message. For example: Firewall Analyzer, FireFlow, AppViz.
- <Version> is the product version string. For example: v3200.0.270-b132
- The two <Event> fields are human-readable text that identifies the message type.
- <Severity> is an integer from 0 to 7; the value varies by message.
- <Domain> is the domain name, or NONE if domains are not enabled.
- <Extension> holds further details as space-separated parameter=value pairs.
As the CEF standard requires, a literal pipe inside a header field is escaped as \| and a literal = inside an extension value as \=, so a consumer must not split blindly on those characters.
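To show how the prefix and header described above are consumed on the receiving side, here is an added example (not AlgoSec's code) that parses syslog lines carrying ASMS-style CEF records into their header fields and key=value extensions, honouring CEF escaping (\| and \\ in the header; \=, \\, \n and \r in the extension) and skipping ordinary non-CEF lines. The host name, event names, extension keys and values in SAMPLE_LINES are constructed for illustration, not captured ASMS output; only the field order follows the header syntax above.

```python
"""Parse syslog lines that carry ASMS-style CEF records.

Added example, not AlgoSec's code. The host name, event names and extension
keys in SAMPLE_LINES are constructed for illustration; the field layout
follows the header syntax documented on this page:
CEF:0|AlgoSec|<Product Name>|<Version>|<Event>|<Event>|<Severity>|<Domain>|<Extension>
"""
import re

# Syslog prefix: optional <PRI>, "Mon DD HH:MM:SS", then the ASMS machine name.
PREFIX_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)")
# An extension key starts the extension or follows whitespace and ends at '='.
EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][\w.\-]*)=")
# Header fields after "CEF:0", in the order the page documents them.
HEADER_FIELDS = ("vendor", "product", "version", "event_id", "event_name",
                 "severity", "domain")

# Constructed sample: two CEF records around an unrelated sshd line.
SAMPLE_LINES = r"""Mar  3 10:15:42 asms-host CEF:0|AlgoSec|Firewall Analyzer|v3200.0.270-b132|Analysis completed|Analysis completed|3|NONE|deviceName=fw1 msg=Analysis of fw1 completed
Mar  3 10:15:50 asms-host sshd[2210]: Accepted publickey for root from 10.0.0.9 port 51022 ssh2
Mar  3 10:16:01 asms-host CEF:0|AlgoSec|FireFlow|v3200.0.270-b132|Login|User login failed \| locked|5|Corp\\Domain|suser=alice src=10.0.0.5 msg=Bad password\=3 attempts\nsource unknown"""


def _split_header(cef):
    """Split on unescaped '|' into 9 parts: "CEF:0", 7 header fields, extension.

    Inside the header "\\|" is a literal pipe and "\\\\" a literal backslash;
    the extension (everything after the 8th pipe) is kept raw because it has
    its own escaping rules."""
    parts, buf, i, n = [], [], 0, len(cef)
    while i < n:
        ch = cef[i]
        if ch == "\\" and i + 1 < n and len(parts) < 8:
            buf.append(cef[i + 1])          # unescape \| and \\ in the header
            i += 2
            continue
        if ch == "|" and len(parts) < 8:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_ext(value):
    """Extension values escape '=', '\\' and line breaks as \\=, \\\\, \\n, \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext):
    """Turn 'k1=v1 k2=v with spaces' into a dict; values run until the next key."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_line(line):
    """Parse one syslog line carrying a CEF record; return None for other lines."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    prefix = PREFIX_RE.match(line[:idx])   # may be absent if a collector stripped it
    parts = _split_header(line[idx:])
    if len(parts) != 9 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header: %r" % (line,))
    event = dict(zip(HEADER_FIELDS, parts[1:8]))
    event["severity"] = int(event["severity"])   # the page documents 0..7
    event["timestamp"] = prefix.group("ts") if prefix else None
    event["host"] = prefix.group("host") if prefix else None
    event["extension"] = parse_extension(parts[8])
    return event


def parse_lines(text):
    """Parse a block of syslog text, keeping only the CEF records."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def events_at_or_above(events, min_severity):
    """Select records whose CEF severity is at least min_severity."""
    return [e for e in events if e["severity"] >= min_severity]


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev["host"], ev["product"], ev["event_name"], ev["severity"], ev["extension"])
```

The header scanner stops unescaping once the eighth pipe has been seen, because the CEF extension does not escape pipes but does escape = and backslashes; running one set of rules over the whole line would corrupt values such as the msg field in the third sample line.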
Configure an external syslog server for ASMS messages
You can configure AFA to send its syslog messages to your SIEM/SOC system, integrating AFA with your monitoring environment.
To forward AFA's syslog messages to a remote syslog server, do the following. (Adding the log statement below forwards a copy of the messages; the existing log statements in syslog-ng.conf keep writing them locally to /var/log/messages.)
- Log in to AFA via SSH.
- Go to /etc/syslog-ng.
- Create a backup copy of the syslog-ng.conf file:
cp syslog-ng.conf syslog-ng.conf.orig
- Edit the syslog-ng.conf file and add the following lines at the end of the file:
destination d_remote { udp("<IP ADDRESS>" port(514)); };
log { source(s_sys); destination(d_remote); };
where <IP ADDRESS> is the host name or IP address of the remote syslog server. Note that udp() sends the messages unencrypted and unauthenticated, so the path to the collector should be a trusted network.
- Save the file.
- Restart the syslog-ng service:
service syslog-ng restart
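The procedure above, scripted as an added example (not AlgoSec's or syslog-ng's code) for applying the same change to a syslog-ng.conf file: it writes the syslog-ng.conf.orig backup, refuses to append the forwarding block a second time, validates the server value before interpolating it into the quoted string, and wraps syslog-ng's own syntax-only check (syslog-ng -s) to run before the restart. The file paths, server addresses and the minimal sample config in demo() are assumptions; the transport parameter also accepts tcp(), which syslog-ng supports alongside the udp() destination the page uses.

```python
"""Script the forwarding step from this page against a syslog-ng.conf file.

Added example, not AlgoSec's or syslog-ng's code. Paths, server names and
the minimal sample config in demo() are assumptions; the destination/log
block it appends is the one documented on this page.
"""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# udp(...) is what the page uses; syslog-ng also provides a tcp(...) destination.
TRANSPORTS = ("udp", "tcp")


def render_block(server, port=514, transport="udp"):
    """Return the destination/log statements for the remote syslog server."""
    # Only allow characters valid in a host name or IP address, so the value
    # cannot break out of the quoted string inside the config file.
    if not re.fullmatch(r"[A-Za-z0-9.\-:]+", server):
        raise ValueError("unsafe syslog server value: %r" % (server,))
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    if transport not in TRANSPORTS:
        raise ValueError("transport must be one of %r" % (TRANSPORTS,))
    return ('destination d_remote { %s("%s" port(%d)); };\n'
            'log { source(s_sys); destination(d_remote); };\n'
            % (transport, server, int(port)))


def add_remote_destination(conf_path, server, port=514, transport="udp"):
    """Append the block once; return True if the file was changed.

    A backup is written to <conf>.orig before the file is modified,
    matching the cp step in the procedure."""
    conf = Path(conf_path)
    text = conf.read_text()
    if re.search(r"^\s*destination\s+d_remote\b", text, re.MULTILINE):
        return False                     # already configured: do not duplicate it
    shutil.copy2(conf, conf.with_name(conf.name + ".orig"))
    if text and not text.endswith("\n"):
        text += "\n"
    conf.write_text(text + render_block(server, port, transport))
    return True


def syntax_ok(conf_path):
    """Run syslog-ng's syntax-only check (requires syslog-ng on the host)."""
    result = subprocess.run(["syslog-ng", "-s", "-f", str(conf_path)],
                            capture_output=True, text=True)
    return result.returncode == 0


def demo():
    """Exercise the helper on a temporary copy of a minimal (constructed) config."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "syslog-ng.conf")
    Path(conf).write_text("source s_sys { system(); internal(); };\n")
    first = add_remote_destination(conf, "10.0.0.20")
    second = add_remote_destination(conf, "10.0.0.20")   # idempotent re-run
    text = Path(conf).read_text()
    return {
        "first_run_changed": first,
        "second_run_changed": second,
        "backup_exists": os.path.exists(conf + ".orig"),
        "forwarding_block_present": render_block("10.0.0.20") in text,
        "source_kept": text.startswith("source s_sys"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real appliance the call would be add_remote_destination("/etc/syslog-ng/syslog-ng.conf", "<IP ADDRESS>") followed by syntax_ok(...) and then the service restart from the procedure; the idempotency check matters because syslog-ng rejects a second destination with the same name.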