Configure an external Syslog server
This topic describes how to collect logs from an external Syslog server. It is relevant only for servers running CentOS 7.
Note: Only AlgoSec appliances are supported for use as external syslog.
-
To forward ASMS Syslog messages to a remote Syslog server, see Configure ASMS to generate and send Syslog messages .
-
For information how to configure AFA to receive traffic and audit logs from defined devices, see Add devices to AFA.
Do the following:
Note: The username for connecting to the syslog server can be either root or another user.
-
Log in to the syslog server as user root.
-
If the user for connecting to the syslog server is other than root, run the following command:
chmod o+x /home/<user>
where <user> is the user other than root.
Then run the following to check if the user permissions are set (they should include -x flag):
ls -l /home/<user>
-
If you have rsyslog installed, remove it since it is a redundant package by running the commands:
yum remove -y rsyslog
rm -rf /var/lib/rsyslog
-
The following dependencies are required:
-
sharutils 4.13.3
-
syslog-ng 3.5.6
Tip: To check if you have them installed use the following command:
rpm -q sharutils syslog-ng
The correct output should be:
sharutils-4.13.3-8.el7.x86_64
syslog-ng-3.5.6-3.el7.x86_64
If dependencies are installed jump to the next step. Otherwise:
-
If you have internet connectivity: Run the following commands as root user to install them:
yum install -y epel-release
yum install -y sharutils syslog-ng
-
If you do not have internet connectivity: Install manually.
-
-
On the syslog server, open the following file for editing: /etc/syslog-ng/syslog-ng.conf.
-
In the following line, replace afa with the name of the user connecting to the syslog server.
include "/home/afa/algosec/syslog_processor/algosec_syslog-ng.conf";
-
For a user other than root:
include "/home/[username]/algosec/syslog_processor/algosec_syslog-ng.conf";
For example:
include "/home/msanchez/algosec/syslog_processor/algosec_syslog-ng.conf";
Note: This user is the username you configured in the SSH User Name or User Name field when you specified the syslog server in the AFA Administration > DEVICES SETUP area. For more details, see Add a new syslog server.
-
For a root user, replace text as follows:
include "/root/algosec/syslog_processor/algosec_syslog-ng.conf";
-
-
Save your changes to the syslog-ng.conf file.
-
In AFA, in the Syslog Server Settings dialog, click Test Connectivity to ensure that the connection works.
Tip: If you don't still have the Syslog Server Settings dialog open in the AFA Administration area, browse back to the Administration area > DEVICES SETUP > device details page for your device.
Scroll down to the Log Collection and Monitoring area, and click Edit to open the Syslog Server Settings dialog again.
-
Click OK and Finish to start the AFA installation process on the syslog server.
Note: You must complete the full device configuration wizard, clicking Next if there are multiple pages involved, through to the Finish button.D
-
Disable the following services on the external syslog server by running for each:
For the command, use service names as shown hereService
Service name (to be entered in command)
Command string HTTPD
httpd
chkconfig httpd off MONGO
mongod
chkconfig mongod off ACTIVEMQ
activemq
chkconfig activemq off POSTGRESQL
postgresql
chkconfig postgresql off
ALGOSEC_DFS
algosec-dfs
chkconfig algosec-dfs off MS_HADR
ms-hadr
chkconfig ms-hadr off AFF_BOOT
aff-boot
chkconfig aff-boot off MS_METRO
ms-metro
chkconfig ms-metro off MS_CLOUNDLICENSING
ms-cloudlicensing
chkconfig ms-cloudlicensing off MS_CONFIGURATION
ms-configuration
chkconfig ms-configuration off MS_VULNERABILITIES
ms-vulnerabilities
chkconfig ms-vulnerabilities off MS_MAP_DIAGNOSTICS
ms-mapDiagnostics
chkconfig ms-mapDiagnostics off MS_WATCHDOG
ms-watchdog
chkconfig ms-watchdog off MS_BACKUP_RESTORE
ms-backuprestore
chkconfig ms-backuprestore off MS_BATCH
ms-batch-application
chkconfig ms-batch-application off
MS_DEVICE_MANAGER
ms-devicemanager
chkconfig ms-devicemanager off MS_TRAFFIC_LOG_MANAGER
ms-trafficlogmanager
chkconfig ms-trafficlogmanager off MS_BFLOW
ms-bflow
chkconfig ms-bflow off MS_DEVICE_DRIVER_AWS
ms-devicedriver-aws
chkconfig ms-devicedriver-aws off MS_DEVICE_DRIVER_AZURE
ms-devicedriver-azure
chkconfig ms-devicedriver-azure off MS_VALIDATION
ms-validation
chkconfig ms-validation off MS_POLICY_OPTIMIZATION
ms-policy-optimizations
chkconfig ms-policy-optimizations off MS_AUTODISCOVERY
ms-autodiscovery
chkconfig ms-autodiscovery off MS_CLOUDFLOW_BROKER
ms-cloudflow-broker
chkconfig ms-cloudflow-broker off MS_AAD_LOG_SENSOR
ms-aad-log-sensor
chkconfig ms-aad-log-sensor off MS_MULTIPUSH
ms-multipush
chkconfig ms-multipush off NETWORK_SENSOR
networksensor
chkconfig networksensor off KIBANA
kibana
chkconfig kibana off ELASTIC
elasticsearch
chkconfig elasticsearch off LOG_STASH
logstash
chkconfig logstash off ALGOCARE
algocare
chkconfig algocare off CHISEL
chisel
chkconfig chisel off chkconfig <service name> off
-
Restart the syslog server to implement the new configuration. To do this, on the syslog server, run the following command as user root:
service syslog-ng restart
Your syslog-ng server is now ready to use.
Note: If the following message appears: Plugin module not found .. module='afsql', ignore this message.
Note: If you are working with a Check Point Eventia system, you must also install a plug-in before you can view AFA messages in Eventia. For more details, contact Check Point to obtain the plug-in.
â Next steps: