Configure log collection from an external Syslog server

This topic describes how to collect logs from an external Syslog server. It is relevant only for servers running CentOS 7.

Note: Only AlgoSec appliances are supported for use as an external syslog server.

Do the following:

Note: The username for connecting to the syslog server can be either root or another user.

  1. Log in to the syslog server as user root.

  2. If the user for connecting to the syslog server is other than root, run the following command:

    chmod o+x /home/<user>

    where <user> is the user other than root. This grants other users permission to traverse (search) the home directory, not to list or read its contents.

    Then run the following command to confirm that the permission is set (the last character of the permissions string for the directory should be x):

    ls -ld /home/<user>

  3. If rsyslog is installed, remove it, since it is redundant alongside syslog-ng, by running the following commands:

    yum remove -y rsyslog

    rm -rf /var/lib/rsyslog

  4. The following dependencies are required:

    • sharutils 4.13.3

    • syslog-ng 3.5.6

    Tip: To check if you have them installed use the following command:

    rpm -q sharutils syslog-ng

    The correct output should be:

    sharutils-4.13.3-8.el7.x86_64

    syslog-ng-3.5.6-3.el7.x86_64

    If the dependencies are installed, skip to the next step. Otherwise:

    1. If you have internet connectivity, run the following commands as the root user to install them:

      yum install -y epel-release

      yum install -y sharutils syslog-ng

    2. If you do not have internet connectivity, install them manually.

  5. On the syslog server, open the following file for editing: /etc/syslog-ng/syslog-ng.conf.

  6. In the following line, replace afa with the name of the user connecting to the syslog server:

    include "/home/afa/algosec/syslog_processor/algosec_syslog-ng.conf";

    • For a user other than root:

      include "/home/[username]/algosec/syslog_processor/algosec_syslog-ng.conf";

      For example:

      include "/home/msanchez/algosec/syslog_processor/algosec_syslog-ng.conf";

      Note: This user is the username you configured in the SSH User Name or User Name field when you specified the syslog server in the AFA Administration > DEVICES SETUP area. For more details, see Add a new syslog server.

    • For the root user, replace the line with:

      include "/root/algosec/syslog_processor/algosec_syslog-ng.conf";

  7. Save your changes to the syslog-ng.conf file.

  8. In AFA, in the Syslog Server Settings dialog, click Test Connectivity to ensure that the connection works.

    Tip: If you no longer have the Syslog Server Settings dialog open in the AFA Administration area, browse back to the Administration area > DEVICES SETUP > device details page for your device.

    Scroll down to the Log Collection and Monitoring area, and click Edit to open the Syslog Server Settings dialog again.

  9. Click OK and Finish to start the AFA installation process on the syslog server.

    Note: You must complete the full device configuration wizard, clicking Next if there are multiple pages involved, through to the Finish button.

  10. Stop and disable the following services on the external syslog server by running for each:

  11. Restart the syslog server to implement the new configuration. To do this, on the syslog server, run the following command as user root:

    service syslog-ng restart

    Your syslog-ng server is now ready to use.

Note: If the message Plugin module not found .. module='afsql' appears, ignore it.

Note: If you are working with a Check Point Eventia system, you must also install a plug-in before you can view AFA messages in Eventia. For more details, contact Check Point to obtain the plug-in.
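The checks in steps 2, 3, 4 and 6 can be verified in one pass before restarting syslog-ng. The following pre-flight script is an added example written for this topic, not AlgoSec's own tooling; it assumes the paths, package versions and include-line layout stated above, and that the host is an RPM-based system where rpm is available.

```shell
#!/bin/sh
# Added pre-flight checker for the procedure above (not AlgoSec's own tooling).
# Assumes the paths, package versions and include-line layout stated in this topic.

# Expected include line for step 6: root's files live under /root, others under /home/<user>.
expected_include_line() {
    if [ "$1" = "root" ]; then home=/root; else home="/home/$1"; fi
    printf 'include "%s/algosec/syslog_processor/algosec_syslog-ng.conf";\n' "$home"
}

# Returns 0 if the syslog-ng.conf at $2 contains the exact include line for user $1.
conf_has_include() {
    grep -qxF "$(expected_include_line "$1")" "$2"
}

# Returns 0 if the "others" execute (search) bit is set on directory $1. This is
# what 'chmod o+x /home/<user>' (step 2) grants: traversal, not listing or reading.
dir_has_other_exec() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads the output of 'rpm -q sharutils syslog-ng' on stdin; returns 0 only if
# both packages report the versions step 4 requires (release suffix may vary).
deps_versions_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^sharutils-4\.13\.3-' || return 1
    printf '%s\n' "$out" | grep -q '^syslog-ng-3\.5\.6-'  || return 1
}

# Usage on the syslog server, as root:  sh preflight.sh <user>
if [ -n "${1:-}" ]; then
    u=$1
    if [ "$u" != root ]; then
        dir_has_other_exec "/home/$u" && echo "ok: /home/$u traversable" \
            || echo "FAIL: run chmod o+x /home/$u"
    fi
    rpm -q sharutils syslog-ng | deps_versions_ok && echo "ok: dependencies" \
        || echo "FAIL: need sharutils 4.13.3 and syslog-ng 3.5.6"
    if rpm -q rsyslog >/dev/null 2>&1; then echo "FAIL: rsyslog still installed"
    else echo "ok: rsyslog absent"; fi
    conf_has_include "$u" /etc/syslog-ng/syslog-ng.conf && echo "ok: include line" \
        || echo "FAIL: include line for $u missing from /etc/syslog-ng/syslog-ng.conf"
fi
```

Run it after step 7 and before step 11; any FAIL line names the step to revisit.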
