Difference between revisions of "Export logs via Syslog"
From Tech-Wiki
Latest revision as of 18:38, 25 February 2019
Forwarding Traffic Logs stored on the Management Server to Syslog Server
1. Add the below lines in the /etc/rc.d/init.d/cpboot file.
fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &
2. After this, the firewall logs also appear in /var/log/messages on the Management Server, in addition to the original firewall logs.
3. Now, send these messages to the remote syslog server. Configure the following in clish:
> add syslog log-remote-address <IP-address_of_Syslog_Server> level info
If you want to forward directly from the gateways to the syslog devices instead, create an OPSEC Syslog server (which requires the add-on from sk105412), set the gateway to forward logs to this server, then set this flag on the gateway:
# fw ctl set int fwsyslog_enable 1
Then push the policy. (Remember to also set this parameter in $FWDIR/boot/modules/fwkern.conf so it persists across reboots.)
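The cpboot pipeline above can be tried offline before touching a production box. The following script is an added example, not part of the wiki page or of Check Point's own tooling: it applies the same awk/sed filter to a constructed sample of "fw log -f -t -n -l" output (the record layout is assumed, not captured from a real gateway) and replaces "logger -p local4.info -t CP_FireWall" with a stand-in that prints the RFC 3164-style line a remote syslog collector would receive, so you can confirm the priority value and the message shape end to end.

```shell
#!/bin/sh
# Constructed sample in the rough shape of "fw log -f -t -n -l" output
# (assumed layout, not a real capture): records separated by blank or
# whitespace-only lines, which is what the filter stage must drop.
SAMPLE_FW_LOG='25Feb2019 18:38:01 accept eth0 inbound src: 10.0.0.5; dst: 10.0.0.10; proto: tcp; service: 443;

25Feb2019 18:38:02 drop eth1 inbound src: 192.0.2.7; dst: 10.0.0.10; proto: udp; service: 53;
   
'

# Syslog PRI = facility * 8 + severity. "local4.info" is facility 20,
# severity 6, so logger -p local4.info tags every message with <166>.
syslog_pri() {
  echo $(($1 * 8 + $2))
}

# Same filter as the cpboot line. awk 'NF' already removes blank and
# whitespace-only lines; the trailing sed '/^$/d' is redundant but harmless,
# so it is kept to mirror the page exactly.
filter_fw_log() {
  awk 'NF' | sed '/^$/d'
}

# Offline stand-in for "logger -p local4.info -t CP_FireWall": wraps each
# record as "<PRI>TIMESTAMP HOST TAG: MSG", the form a syslog server stores.
to_syslog() {
  tag=$1
  host=$2
  pri=$(syslog_pri 20 6)
  while IFS= read -r line; do
    printf '<%s>%s %s %s: %s\n' "$pri" "$(date '+%b %e %H:%M:%S')" "$host" "$tag" "$line"
  done
}

# Number of records that survive filtering (the two real records only).
count_records() {
  printf '%s\n' "$SAMPLE_FW_LOG" | filter_fw_log | wc -l | tr -d ' '
}

# The first line as the remote syslog server would see it.
first_syslog_line() {
  printf '%s\n' "$SAMPLE_FW_LOG" | filter_fw_log | to_syslog CP_FireWall mgmt | head -n 1
}

printf '%s\n' "$SAMPLE_FW_LOG" | filter_fw_log | to_syslog CP_FireWall mgmt
```

On the real system the same filter feeds logger, which writes to the local syslog daemon; the clish "add syslog log-remote-address" step is what relays those <166> messages off the box.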