Difference between revisions of "Export logs via Syslog"

From Tech-Wiki
Latest revision as of 18:38, 25 February 2019


Forwarding Traffic Logs stored on the Management Server to Syslog Server

1. Add the following line to the /etc/rc.d/init.d/cpboot file:

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

2. After this, the firewall logs also appear in /var/log/messages, in addition to the original firewall log files.

3. Now send these messages to the remote syslog server. Configure the following in clish:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

If you want to forward directly from the gateways to the syslog devices instead, create an OPSEC Syslog server (which requires the add-on described in sk105412), set the gateway to forward logs to this server, then set this flag on the gateway:

# fw ctl set int fwsyslog_enable 1

Then push the policy. (Remember to add this setting to $FWDIR/boot/modules/fwkern.conf so that it persists across reboots.)
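The following script is an added example, not part of the wiki page or of Check Point's own tooling. It exercises the local parts of the procedure above on a workstation so you can see what the remote syslog server will receive before touching a gateway: the awk/sed filter from the cpboot pipeline is run over a constructed sample of firewall log output (with the blank lines the page's filter removes), the <PRI> value that `logger -p local4.info` puts on each message is computed (facility local4 = 20, severity info = 6), each record is shown with the CP_FireWall tag, and the fwsyslog_enable setting is written idempotently to a scratch copy of fwkern.conf. The sample log lines, the simplified tagged format (logger also prepends a timestamp and hostname, omitted here) and the assumption that fwkern.conf takes one `name=value` per line are all mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page): rehearses the cpboot filter, the
# syslog tagging and the fwkern.conf persistence step without a Gaia box.

# Constructed sample of firewall log output, including the blank lines that
# the page's awk/sed filter strips. This is NOT real `fw log` output.
SAMPLE_FW_LOG='12Feb2019 10:15:01 accept 10.0.0.5 > 10.0.1.20 proto: tcp; service: 443;

12Feb2019 10:15:02 drop 10.0.0.9 > 10.0.1.20 proto: tcp; service: 22;

'

# Same filter as the cpboot line: awk 'NF' drops lines with no fields
# (empty or whitespace-only); the sed step is kept to mirror the page's
# pipeline even though awk has already removed empty lines.
fw_log_filter() {
    awk 'NF' | sed '/^$/d'
}

# Number of records that would reach logger for the sample above.
fw_log_record_count() {
    printf '%s' "$SAMPLE_FW_LOG" | fw_log_filter | wc -l | tr -d ' '
}

# RFC 3164 PRI = facility * 8 + severity.  local4 = 20, info = 6.
syslog_pri() {
    facility=$1
    severity=$2
    echo $((facility * 8 + severity))
}

# Each record as the remote collector will see it once logger has added the
# PRI and the CP_FireWall tag (timestamp/hostname header omitted). Detection
# rules on the syslog server can key on the tag and on PRI 166.
fw_log_tagged() {
    pri=$(syslog_pri 20 6)
    printf '%s' "$SAMPLE_FW_LOG" | fw_log_filter | while IFS= read -r line; do
        printf '<%s>CP_FireWall: %s\n' "$pri" "$line"
    done
}

# Persist the kernel flag: append "fwsyslog_enable=1" only if it is not
# already present, and return how many copies the file now holds (must stay 1).
# Assumes fwkern.conf uses one name=value pair per line.
persist_fwkern() {
    conf=$1
    touch "$conf"
    grep -q '^fwsyslog_enable=1$' "$conf" || echo 'fwsyslog_enable=1' >> "$conf"
    grep -c '^fwsyslog_enable=1$' "$conf"
}

main() {
    echo "records forwarded: $(fw_log_record_count)"
    fw_log_tagged
    tmp=$(mktemp)
    persist_fwkern "$tmp" >/dev/null
    persist_fwkern "$tmp"     # second call must not add a duplicate line
    cat "$tmp"
    rm -f "$tmp"
}

main
```

Run it as-is to see two tagged records with PRI 166 and a single fwsyslog_enable=1 line; to check a real collector, point `logger -n <host>` at it from the management server with the same `-p local4.info -t CP_FireWall` options and confirm the records arrive with the same PRI and tag.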