Configure log collection from an external Syslog server
This topic describes how to collect logs from an external Syslog server. It is relevant only for servers running CentOS 7.
Note: Only AlgoSec appliances are supported for use as an external syslog server.
-
To forward ASMS Syslog messages to a remote Syslog server, see Configure ASMS to generate and send Syslog messages.
-
For information on how to configure AFA to receive traffic and audit logs from defined devices, see Add devices to AFA.
Do the following:
Note: The username for connecting to the syslog server can be either root or another user.
-
Log in to the syslog server as user root.
-
If the user for connecting to the syslog server is other than root, run the following command:
chmod o+x /home/<user>
where <user> is the user other than root.
Then run the following to confirm that the permissions were set (the mode shown for "others" should include the x bit):
ls -l /home/<user>
-
If rsyslog is installed, remove it (it is redundant once syslog-ng is in use) by running the following commands:
yum remove -y rsyslog
rm -rf /var/lib/rsyslog
-
The following dependencies are required:
-
sharutils 4.13.3
-
syslog-ng 3.5.6
Tip: To check if you have them installed use the following command:
rpm -q sharutils syslog-ng
The correct output should be:
sharutils-4.13.3-8.el7.x86_64
syslog-ng-3.5.6-3.el7.x86_64
If the dependencies are installed, skip to the next step. Otherwise:
-
If you have internet connectivity, run the following commands as root to install them:
yum install -y epel-release
yum install -y sharutils syslog-ng
-
If you do not have internet connectivity: Install manually.
-
On the syslog server, open the following file for editing: /etc/syslog-ng/syslog-ng.conf.
-
In the following line, replace afa with the name of the user connecting to the syslog server.
include "/home/afa/algosec/syslog_processor/algosec_syslog-ng.conf";
-
For a user other than root:
include "/home/[username]/algosec/syslog_processor/algosec_syslog-ng.conf";
For example:
include "/home/msanchez/algosec/syslog_processor/algosec_syslog-ng.conf";
Note: This user is the username you configured in the SSH User Name or User Name field when you specified the syslog server in the AFA Administration > DEVICES SETUP area. For more details, see Add a new syslog server.
-
For a root user, replace text as follows:
include "/root/algosec/syslog_processor/algosec_syslog-ng.conf";
-
Save your changes to the syslog-ng.conf file.
-
In AFA, in the Syslog Server Settings dialog, click Test Connectivity to ensure that the connection works.
Tip: If you no longer have the Syslog Server Settings dialog open in the AFA Administration area, browse back to the Administration area > DEVICES SETUP > device details page for your device.
Scroll down to the Log Collection and Monitoring area, and click Edit to open the Syslog Server Settings dialog again.
-
Click OK and Finish to start the AFA installation process on the syslog server.
Note: You must complete the full device configuration wizard, clicking Next if there are multiple pages involved, through to the Finish button.
-
Stop and disable the following services on the external syslog server by running the command shown for each. Use the service names exactly as listed in the second column.
Service                 Service name (to be entered in command)   Command string
HTTPD                   httpd                                     systemctl disable --now httpd
ACTIVEMQ                activemq                                  systemctl disable --now activemq
POSTGRESQL              postgresql                                systemctl disable --now postgresql
ALGOSEC_DFS             algosec-dfs                               systemctl disable --now algosec-dfs
MS_HADR                 ms-hadr                                   systemctl disable --now ms-hadr
AFF_BOOT                aff-boot                                  systemctl disable --now aff-boot
MS_METRO                ms-metro                                  systemctl disable --now ms-metro
MS_CLOUDLICENSING       ms-cloudlicensing                         systemctl disable --now ms-cloudlicensing
MS_CONFIGURATION        ms-configuration                          systemctl disable --now ms-configuration
MS_VULNERABILITIES      ms-vulnerabilities                        systemctl disable --now ms-vulnerabilities
MS_MAP_DIAGNOSTICS      ms-mapDiagnostics                         systemctl disable --now ms-mapDiagnostics
MS_WATCHDOG             ms-watchdog                               systemctl disable --now ms-watchdog
MS_BACKUP_RESTORE       ms-backuprestore                          systemctl disable --now ms-backuprestore
MS_BATCH                ms-batch-application                      service ms-batch-application
MS_DEVICE_MANAGER       ms-devicemanager                          systemctl disable --now ms-devicemanager
MS_TRAFFIC_LOG_MANAGER  ms-trafficlogmanager                      systemctl disable --now ms-trafficlogmanager
MS_BFLOW                ms-bflow                                  systemctl disable --now ms-bflow
MS_DEVICE_DRIVER_AWS    ms-devicedriver-aws                       systemctl disable --now ms-devicedriver-aws
MS_DEVICE_DRIVER_AZURE  ms-devicedriver-azure                     systemctl disable --now ms-devicedriver-azure
MS_VALIDATION           ms-validation                             systemctl disable --now ms-validation
MS_POLICY_OPTIMIZATION  ms-policy-optimizations                   systemctl disable --now ms-policy-optimizations
MS_AUTODISCOVERY        ms-autodiscovery                          systemctl disable --now ms-autodiscovery
MS_CLOUDFLOW_BROKER     ms-cloudflow-broker                       systemctl disable --now ms-cloudflow-broker
MS_AAD_LOG_SENSOR       ms-aad-log-sensor                         systemctl disable --now ms-aad-log-sensor
MS_MULTIPUSH            ms-multipush                              systemctl disable --now ms-multipush
NETWORK_SENSOR          networksensor                             systemctl disable --now networksensor
KIBANA                  kibana                                    systemctl disable --now kibana
ELASTIC                 elasticsearch                             systemctl disable --now elasticsearch
LOG_STASH               logstash                                  systemctl disable --now logstash
CHISEL                  chisel                                    systemctl disable --now chisel
-
Restart the syslog server to implement the new configuration. To do this, on the syslog server, run the following command as user root:
service syslog-ng restart
Your syslog-ng server is now ready to use.
Note: If the message Plugin module not found .. module='afsql' appears, ignore it.
Note: If you are working with a Check Point Eventia system, you must also install a plug-in before you can view AFA messages in Eventia. For more details, contact Check Point to obtain the plug-in.
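The following POSIX shell helper is an added example, not AlgoSec's own tooling. It scripts the manual checks in the procedure above: the o+x bit on a non-root user's home, the two package versions from the Tip, and the service list from the table (run as a dry run unless invoked with --run). The user name and home path are assumptions passed as arguments.

```shell
#!/bin/sh
# Pre-flight helper for the external syslog server setup above. Added example,
# not AlgoSec tooling. Expected RPM versions and the service list are taken
# from the page; the user name and home path are assumptions passed as args.
set -u

EXPECTED_RPMS="sharutils-4.13.3-8.el7.x86_64
syslog-ng-3.5.6-3.el7.x86_64"

# Service names from the table. ms-batch-application is listed there with a
# "service" command whose action is not shown; it is assumed here to be
# disabled the same way as the others.
SERVICES="httpd activemq postgresql algosec-dfs ms-hadr aff-boot ms-metro
ms-cloudlicensing ms-configuration ms-vulnerabilities ms-mapDiagnostics
ms-watchdog ms-backuprestore ms-batch-application ms-devicemanager
ms-trafficlogmanager ms-bflow ms-devicedriver-aws ms-devicedriver-azure
ms-validation ms-policy-optimizations ms-autodiscovery ms-cloudflow-broker
ms-aad-log-sensor ms-multipush networksensor kibana elasticsearch logstash chisel"

# home_has_other_exec DIR: succeeds when "others" can traverse DIR (chmod o+x),
# which syslog-ng needs to reach the include file under a non-root user's home.
home_has_other_exec() {
    [ -d "$1" ] || return 1
    bit=$(ls -ld "$1" | cut -c10)   # 10th mode character is the others-execute bit
    case "$bit" in x|t) return 0 ;; *) return 1 ;; esac
}

# rpm_check OUTPUT: OUTPUT is what `rpm -q sharutils syslog-ng` printed. Reports
# each expected package/version that is absent and fails if any is.
rpm_check() {
    rc=0
    for want in $EXPECTED_RPMS; do
        printf '%s\n' "$1" | grep -qx "$want" || { echo "missing or wrong version: $want"; rc=1; }
    done
    return $rc
}

# disable_services [dry]: run `systemctl disable --now` for each service, continuing
# past units that are not present so one absent service does not abort the loop.
disable_services() {
    failed=""
    for s in $SERVICES; do
        if [ "${1:-}" = "dry" ]; then echo "would run: systemctl disable --now $s"; continue; fi
        systemctl disable --now "$s" 2>/dev/null || failed="$failed $s"
    done
    [ -z "$failed" ] || { echo "could not disable:$failed"; return 1; }
}

# Real run only when asked: ./preflight.sh --run <user>
if [ "${1:-}" = "--run" ]; then
    home_has_other_exec "/home/${2:?user name required}" || echo "chmod o+x /home/$2 still needed"
    rpm_check "$(rpm -q sharutils syslog-ng 2>&1)"
    disable_services
fi
```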
Next steps: