Instructions for forwarding logs to your Log Management device

NETWORK INFRASTRUCTURE

Check Point Appliance

Check Point Enforcement Module

Cisco Internetwork Operating System (IOS) Switches and Routers

Cisco Adaptive Security Appliance (ASA)

Fortinet FortiGate

Fortinet FortiAnalyzer

Juniper Junos Pulse

Juniper Netscreen Firewall Appliance

Palo Alto Appliance

OPERATING SYSTEMS

Linux Server

Microsoft Windows Server

APPLICATIONS

Symantec Endpoint Protection Manager

Check Point Appliance

PREREQUISITES

Check Point running Gaia OS

  • The IP Address for the Check Point
  • Credentials to access the Check Point appliance
  • Secure Shell (SSH) access configured on the Check Point appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Check Point appliance using a tool like PuTTY.

2

Log into CLISH by entering the Login name and Password and then pressing Enter.

Login name: login name

Password: login password

3

Add the Clone Systems Log Management device as a remote syslog destination using the add syslog command and press Enter. The level argument is the minimum severity forwarded; info sends informational messages and everything more severe. This setting forwards the Gaia operating system syslog; firewall traffic logs are handled separately in the Check Point Enforcement Module section.

HostName> add syslog log-remote-address { IP Address of Clone Systems Log collector } level info

Example: HostName> add syslog log-remote-address 10.1.1.1 level info

4

The change takes effect immediately but is not kept across a reboot until the configuration is saved. Save it with save config.

HostName> save config

5

Log off the Check Point Appliance by typing exit and then pressing Enter.

HostName> exit

Check Point Enforcement Module

PREREQUISITES

Check Point Security Management Server running Gaia OS

  • The IP Address for the Check Point Security Management Server
  • Credentials to access the Check Point Security Management Server, including the expert password
  • Secure Shell (SSH) access configured on the Check Point Security Management Server
  • Remote syslog forwarding configured on the Security Management Server as described in the Check Point Appliance section. The logger command used below writes firewall log entries to the local syslog, and the add syslog log-remote-address setting is what forwards them to the collector.

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Check Point Security Management Server using a tool like PuTTY.

PuTTY: a free SSH and Telnet client

Note: These instructions are not supported on Multi-Domain Server.

2

Log into CLISH by entering the Login name and Password and then pressing Enter.

Login name: login name

Password: login password

3

After logging in to CLISH you need to access the bash shell in expert mode. Execute the expert command and enter the expert password.

HostName> expert

Password: expert password

4

Back up the cpboot script before editing it.

[Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot_ORIGINAL

5

Edit the cpboot script using the vi editor.

[Expert@HostName]# vi /etc/rc.d/init.d/cpboot

6

Add the following line at the very bottom of the cpboot script. It follows the firewall log (fw log -f) starting from the end (-t), without name resolution (-n) and with a date and time on each entry (-l), drops blank lines, and hands each entry to logger with facility local4, severity info and the tag CP_FireWall. The trailing & runs the pipeline in the background so that cpboot can finish.

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

7

Save the changes and exit from the vi editor.

Press :wq

8

Reboot the Security Management Server.

[Expert@HostName]# reboot

9

If the Check Point Security Management Server logs do not appear on the Clone Systems Log Management device, repeat the steps above and add the following line at the very bottom of the cpboot script instead of the line from Step 6. It reads the same fw log output line by line and skips empty lines before calling logger. Note that it tags the messages with severity err rather than info; use local4.info instead if the collector rules expect the same severity as in Step 6.

while read line ; do if [ "$(echo -- $line)" != "--" ] ; then logger -p local4.err -t CP_FireWall "$line" ; fi ; done < <(fw log -f -t -n -l 2>/dev/null) &

Note: The cpboot script is part of the Check Point installation and may be replaced by a product upgrade or hotfix. After upgrading, check that the added line is still present and that firewall logs are still arriving at the collector.

Cisco Internetwork Operating System (IOS) Switches and Routers

PREREQUISITES

Internetwork Operating System (IOS) Switches and Routers

  • The IP Address for the switch or router
  • Credentials to access the privileged mode for the switch or router
  • Secure Shell (SSH) access configured on the switch or router

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Cisco switch or router using a tool like PuTTY.

2

Enter privileged mode on the Cisco switch or router and enter the enable password.

Router> enable

Password: ************

3

Enter global configuration mode.

Router# config t

4

To send system messages to the Clone Systems Log Management device, add it as a syslog host with the logging command in global configuration mode. Messages are sent over UDP port 514 with the IOS default facility local7.

Router (config)# logging { IP Address of Clone Systems Log collector }

EXAMPLE: Router (config)# logging 10.1.1.1

5

Enable timestamps for debugging events.

Router (config)# service timestamps debug datetime localtime

6

Enable timestamps for log events. Adding the msec and show-timezone keywords (service timestamps log datetime msec localtime show-timezone) gives millisecond resolution and an explicit time zone, which makes correlation on the collector easier.

Router (config)# service timestamps log datetime localtime

7

Set the severity level sent to the syslog host with the logging trap command. informational sends severity 6 (informational) and everything more severe; only debugging (7) would also send debug output.

Router (config)# logging trap informational

8

End the global configuration mode.

Router (config)# end

9

Save the configuration changes to NVRAM.

Router# copy run start

10

Log off the Cisco switch or router.

Router# exit

Cisco Adaptive Security Appliance (ASA)

PREREQUISITES

Adaptive Security Appliance (ASA) or Next Generation Firewall (NGFW)

  • The IP Address for the ASA
  • Credentials to access the privileged mode for the ASA
  • Secure Shell (SSH) access configured on the ASA

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Cisco ASA using a tool like PuTTY.

2

Enter privileged mode on the Cisco ASA and enter the enable password.

Cisco_ASA> enable

Password: ************

3

Enter global configuration mode.

Cisco_ASA# config t

4

Add the Clone Systems Log Management device as a syslog host with the logging host command in global configuration mode. The first argument is the name of the ASA interface through which the collector is reached. Without a protocol argument the ASA sends over UDP port 514.

Cisco_ASA (config)# logging host {log collector local interface on ASA} { IP Address of Clone Systems Log collector }

EXAMPLE: Cisco_ASA(config)# logging host inside 10.1.1.1

Note: If you use TCP syslog instead (logging host inside 10.1.1.1 tcp/514), be aware that by default the ASA stops passing new connections when a TCP syslog server becomes unreachable. Either keep UDP or also configure logging permit-hostdown.

5

Set the severity level sent to the syslog host and make sure logging is turned on. A logging host entry sends nothing until logging trap has a level and logging is enabled; logging timestamp adds a timestamp to each message.

Cisco_ASA (config)# logging trap informational

Cisco_ASA (config)# logging timestamp

Cisco_ASA (config)# logging enable

6

Exit global configuration mode.

Cisco_ASA (config)# exit

7

Save the configuration changes to NVRAM.

Cisco_ASA# copy run start

8

Log off the Cisco ASA.

Cisco_ASA# exit
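Both Cisco sections above set a logging trap level but give no way to see what that level keeps and what it drops. The following Python script is an added example and not code from the original page or from Cisco: it parses the %FACILITY-SEVERITY-MNEMONIC header that every IOS and ASA message carries, resolves the keyword given to logging trap, and reports which of a set of sample lines would reach the collector. The sample lines are constructed to look like IOS and ASA output; the ASA message IDs 302013 (connection built) and 106023 (ACL deny) are real, the other mnemonics and all addresses are illustrative.

```python
"""Classify Cisco IOS / ASA syslog messages by severity and decide which ones a
given 'logging trap <level>' setting would forward to the collector.

Added example, not from the original page or from Cisco. SAMPLE_LINES below
are constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional, Union

# Keywords accepted by 'logging trap <level>' on IOS and ASA, mapped to the
# numeric severity carried in every Cisco message (%FACILITY-SEVERITY-MNEMONIC).
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Timestamps and sequence numbers may precede the header, so search, not match.
CISCO_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


class CiscoMessage(NamedTuple):
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_cisco_message(line: str) -> Optional[CiscoMessage]:
    """Return the parts of the %FAC-SEV-MNEMONIC header, or None if absent."""
    m = CISCO_RE.search(line)
    if not m:
        return None
    return CiscoMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def trap_level(level: Union[str, int]) -> int:
    """Resolve a 'logging trap' argument (keyword, unambiguous prefix, or 0-7)."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {level}")
    key = level.lower()
    if key.isdigit():
        return trap_level(int(key))
    matches = [k for k in TRAP_LEVELS if k.startswith(key)]  # IOS accepts prefixes
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown level: {level!r}")
    return TRAP_LEVELS[matches[0]]


def would_forward(msg: CiscoMessage, level: Union[str, int]) -> bool:
    """Lower numbers are more severe: a message is sent when its severity is
    numerically less than or equal to the configured trap level."""
    return msg.severity <= trap_level(level)


def audit(lines: List[str], level: Union[str, int]) -> dict:
    """Split lines into forwarded / dropped mnemonics and count unparsable lines."""
    result = {"forwarded": [], "dropped": [], "unparsed": 0}
    for line in lines:
        msg = parse_cisco_message(line)
        if msg is None:
            result["unparsed"] += 1
        elif would_forward(msg, level):
            result["forwarded"].append(msg.mnemonic)
        else:
            result["dropped"].append(msg.mnemonic)
    return result


# Constructed sample input: four IOS-style lines, two ASA-style lines, one junk line.
SAMPLE_LINES = [
    "*Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar  1 00:02:10.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 00:02:12.778: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]",
    "Mar  1 00:03:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): testing",
    "Mar 01 2021 00:04:30: %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.2.3/51000 (198.51.100.1/51000)",
    "Mar 01 2021 00:04:31: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.1.2.3/22 by access-group 'outside_in' [0x0, 0x0]",
    "this line is not a Cisco syslog message",
]


if __name__ == "__main__":
    for lvl in ("informational", "warnings", "errors"):
        print(lvl, audit(SAMPLE_LINES, lvl))
```

With logging trap informational, the only sample message dropped is the severity-7 debug line; lowering the trap level to errors would also discard the login, configuration-change and connection messages, which is usually not what a security monitoring team wants.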

Fortinet FortiGate

PREREQUISITES

FortiGate Next Generation (NGFW) Firewall UTM Appliance

  • The IP Address for the FortiGate appliance
  • Credentials to access the FortiGate appliance
  • Secure Shell (SSH) access configured on the FortiGate appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Fortinet FortiGate using a tool like PuTTY.

2

Open the syslog server settings. By default the FortiGate sends to UDP port 514.

FortiGate # config log syslogd setting

3

Set the IP address of the Clone Systems Log Management device.

FortiGate (setting) # set server { IP Address of Clone Systems Log collector }

EXAMPLE: FortiGate (setting) # set server 10.1.1.1

4

Set the source IP address the FortiGate uses for the syslog packets.

FortiGate (setting) # set source-ip {internal IP of Fortigate}

Note: This is the address the syslog packets are sent from, so it is the address the collector sees and the one any allow-list on the collector must permit. Use an interface address from which the collector is reachable.

5

Enable logging to the Clone Systems Log Management device.

FortiGate (setting) # set status enable

6

Save the changes and exit the config command. This returns you to the top-level command prompt. (The next command is only needed inside table entries opened with edit; config log syslogd setting is a single settings object, so end alone saves it.)

FortiGate (setting) # end

Note: For a second syslog destination, repeat the steps with config log syslogd2 setting.

Fortinet FortiAnalyzer

PREREQUISITES

FortiAnalyzer Network Security Logging, Analysis, and Reporting Appliance

  • The IP Address for the FortiAnalyzer appliance
  • Credentials to access the FortiAnalyzer appliance
  • Secure Shell (SSH) access configured on the FortiAnalyzer appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Fortinet FortiAnalyzer using a tool like PuTTY.

2

Open the syslog server table.

FortiAnalyzer # config system syslog

3

Create a syslog server entry for the Clone Systems Log Management device. The name is a label used to refer to this entry elsewhere in the configuration.

FortiAnalyzer (syslog) # edit "syslog"

4

Set the IP address of the Clone Systems Log Management device.

FortiAnalyzer (syslog) # set ip "{ IP Address of Clone Systems Log collector }"

EXAMPLE: FortiAnalyzer (syslog) # set ip "10.1.1.1"

5

Set the port number for the syslog messages (514 is the standard syslog port).

FortiAnalyzer (syslog) # set port 514

6

Save the entry and exit the edit command.

FortiAnalyzer (syslog) # next

7

Exit the config command. This returns you to the top-level command prompt.

FortiAnalyzer (syslog) # end

Note: These steps define the syslog server entry. Confirm on the collector that messages arrive; if none do, check the FortiAnalyzer log forwarding or local log settings that select which logs are sent and make sure they reference this entry by name.

Juniper Junos Pulse

PREREQUISITES

Junos Pulse SSL VPN Appliance

  • The IP Address for the Junos appliance
  • Credentials to access the Junos appliance
  • Secure Shell (SSH) access configured on the Junos appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

Note: The commands below are Junos OS configuration-mode commands and apply to appliances that expose the Junos CLI. A Junos Pulse Secure Access appliance that is administered only through its web console does not have this CLI; there, the syslog servers are added in the admin console under System > Log/Monitoring, on the Settings tab of each log type (Events, User Access, Admin Access), using the same collector IP and port 514.

INSTRUCTIONS

1

Open a command prompt and SSH into the Juniper Junos Pulse using a tool like PuTTY.

2

Enter configuration mode.

Juniper > configure

3

Configure log messages to be sent to the Clone Systems Log Management device. The two arguments after the host address are the facility and the minimum severity: any error sends messages of severity error and above from every facility. Use any info instead if the collector should also receive informational events such as logins and configuration changes.

Juniper # set system syslog host { IP Address of Clone Systems Log collector } any error

EXAMPLE: Juniper # set system syslog host 10.1.1.1 any error

4

Also keep a local copy of the same messages in a log file on the appliance.

Juniper # set system syslog file qflogs any error

5

Commit the set of changes to the configuration database so that they take operational effect.

Juniper # commit

6

Exit from configuration mode.

Juniper # exit

Juniper Netscreen Firewall Appliance

PREREQUISITES

Juniper Netscreen Firewall Appliance

  • The IP Address for the Juniper Netscreen appliance
  • Credentials to access the Juniper Netscreen appliance
  • Secure Shell (SSH) access configured on the Juniper Netscreen appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Juniper Netscreen appliance using a tool like PuTTY.

2

Enter the credentials and log into the Netscreen appliance.

3

Set the IP Address for the syslog host.

Netscreen> set syslog config { IP Address of Clone Systems Log collector }

EXAMPLE: Netscreen> set syslog config 10.1.1.1

4

Set the syslog facilities. The first facility is used for security events and the second for regular events; using local0 for both keeps all messages under one facility on the collector.

Netscreen> set syslog config { IP Address of Clone Systems Log collector } facilities local0 local0

EXAMPLE: Netscreen> set syslog config 10.1.1.1 facilities local0 local0

5

Set the port to which the Netscreen appliance sends syslog messages (514 is the default).

Netscreen> set syslog config { IP Address of Clone Systems Log collector } port 514

EXAMPLE: Netscreen> set syslog config 10.1.1.1 port 514

6

Send all event log entries to the syslog host.

Netscreen> set syslog config { IP Address of Clone Systems Log collector } log all

EXAMPLE: Netscreen> set syslog config 10.1.1.1 log all

7

Enable syslog.

Netscreen> set syslog enable

8

Save the configuration so that it survives a reboot.

Netscreen> save

9

Log off the Juniper Netscreen Appliance by typing exit and then pressing Enter.

Netscreen> exit

Palo Alto Appliance

PREREQUISITES

Palo Alto Appliance

  • The IP Address for the Palo Alto appliance
  • A web browser for accessing the Palo Alto appliance's web interface
  • Credentials to access the Palo Alto appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a web browser and enter the IP address for the Palo Alto appliance to bring up the web interface.

2

Enter the credentials and log into the Palo Alto appliance.

3

Create a syslog server profile for the Clone Systems Log Management device by navigating to Device > Server Profiles > Syslog.

Enter a name for the Syslog profile and on the Servers tab enter the information for the Clone Systems Log Management device.

  • Name: { Name of the Clone Systems Log Management device }
  • Server: { IP address of the Clone Systems Log Management device }
  • Port: Default port 514
  • Facility: Select from the drop-down according to the collector's requirements

Click the OK button.

4

Create a log forwarding profile that sends the traffic and threat logs to the Clone Systems Log Management device.

Navigate to Objects > Log Forwarding, add a profile, and for the Traffic and Threat log types select the syslog server profile created in Step 3.

Click the OK button.

5

Apply the log forwarding profile to the security rules whose traffic should be forwarded. Only traffic matching rules that carry the profile is sent.

Navigate to Policies > Security.

Select the rule to which log forwarding needs to be applied. Threat logs are only generated for rules that have security profiles (for example Antivirus or Vulnerability Protection) attached, so apply those to the rule as well if threat logs are wanted.

Go to Actions > Log Forwarding and select the log forwarding profile from the drop-down list. Make sure Log at Session End (or Log at Session Start) is checked on the same tab, since a rule that does not log produces nothing to forward.

Click the OK button.

6

Commit the changes by clicking Commit at the top of the web interface.

Note: Log forwarding profiles cover the logs generated by security rules (traffic, threat and related types). System and configuration logs from the firewall itself are forwarded separately under Device > Log Settings, where the same syslog server profile can be selected.

Linux Server

PREREQUISITES

Linux Server

  • Credentials to access the Linux Server (root or sudo rights are needed to edit the rsyslog configuration and restart the service)
  • Secure Shell (SSH) access configured on the Linux Server
  • rsyslog installed (the default syslog daemon on most current distributions)

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Linux Server using a tool like PuTTY.

2

Open the rsyslog configuration file.

vi /etc/rsyslog.conf

3

Go to the end of the file and add one of the following lines to forward all messages (*.*) to the Clone Systems Log Management device. A single @ sends over UDP and a double @@ sends over TCP; add only one of the two, otherwise every message is forwarded twice. TCP is preferred where the collector accepts it, because UDP delivery is unacknowledged and messages are silently lost while the collector is unreachable. On distributions that split the configuration, the line can go in a new file under /etc/rsyslog.d/ instead.

#(udp)

*.* @{ IP Address of Clone Systems Log collector }:514

#(tcp)

*.* @@{ IP Address of Clone Systems Log collector }:514

EXAMPLE:

#(udp)

*.* @10.1.1.1:514

#(tcp)

*.* @@10.1.1.1:514

4

Save the rsyslog configuration file and check it for syntax errors before restarting.

rsyslogd -N1

5

Restart the rsyslog service.

service rsyslog restart

On systemd-based distributions:

systemctl restart rsyslog

6

Confirm the messages are being sent. Generate a test message and check that it appears on the Clone Systems Log Management device. A reboot of the server is not required for the new configuration to take effect.

logger -t forwardtest "rsyslog forwarding test"
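Several sections end with "confirm that the log messages are being sent". The script below is an added example, not code from the original page or from any vendor above: it builds an RFC 3164 syslog message with the same facility/severity encoding the devices use (for example local4.info for the Check Point logger line, local7.informational for the Cisco default), sends it over UDP and decodes what arrives, so the PRI value and the timestamp, hostname and tag fields can be checked on the receiving side. send_message can be pointed at the real collector IP; self_test uses a throwaway listener on 127.0.0.1 with an ephemeral port (an assumption so that it runs offline) as a stand-in for the Clone Systems collector, and the message content is constructed.

```python
"""Build, send and decode RFC 3164 syslog messages to verify a forwarding path.

Added example, not from the original page or from any of the vendors above.
The self-test listener on 127.0.0.1 stands in for the collector (assumption).
"""
import re
import socket
from datetime import datetime
from typing import Optional, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG   (day of month is space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?"
    r"(?P<text>.*)$"
)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. local4.info -> 20 * 8 + 6 = 166."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Inverse of encode_pri; unassigned facility codes are returned as numbers."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, str(facility)), SEVERITY_NAMES[severity]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: Optional[datetime] = None) -> bytes:
    """Format one RFC 3164 line the way logger(1) or rsyslog would send it."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:>2} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def parse_message(data: bytes) -> Optional[dict]:
    """Decode a received datagram into its fields, or None if it is not RFC 3164."""
    m = RFC3164_RE.match(data.decode(errors="replace"))
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"pri": int(m["pri"]), "facility": facility, "severity": severity,
            "timestamp": m["timestamp"], "hostname": m["hostname"],
            "tag": m["tag"], "text": m["text"]}


def send_message(collector_ip: str, message: bytes, port: int = 514) -> None:
    """Send one UDP datagram; point this at the real collector to test the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (collector_ip, port))


def self_test(timeout: float = 2.0) -> Optional[dict]:
    """Loopback round trip: an ephemeral listener on 127.0.0.1 stands in for the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        # Constructed message shaped like the Check Point cpboot logger line.
        msg = build_message("local4", "info", "cpmgmt", "CP_FireWall",
                            "10.0.0.5 > 203.0.113.9 tcp 443 accept",
                            datetime(2021, 3, 1, 0, 1, 23))
        send_message("127.0.0.1", msg, port)
        data, _ = listener.recvfrom(65535)
    return parse_message(data)


if __name__ == "__main__":
    print(self_test())
```

If the collector shows nothing after send_message is pointed at it, the problem is in the path (routing, a firewall rule, or the collector's allow-list rejecting the source address) rather than in the device configuration, which narrows the search considerably.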

Microsoft Windows Server

PREREQUISITES

Microsoft Windows Server

  • A syslog agent (Ex: Snare)
  • Credentials to access the Windows Server (local administrator rights are needed to install the agent as a service)

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Windows has no built-in syslog client, so a third-party agent is required to send the Windows event log to the Clone Systems Log Management device.

If you already have a syslog agent configured you can skip to step 18.

Otherwise, follow the instructions below for obtaining and configuring the SNARE Open Source Agent for Windows.

Navigate a browser to: http://sourceforge.net/projects/snare/files/Snare%20for%20Windows/

Note: If you require compliance with PCI 3.0, you will need to purchase the SNARE Enterprise Agent, which can be obtained via the following link:

http://www.snarealliance.com/snare-enterprise-agents/

2

Click the Download button and then save the executable to your server.

3

Once the file has successfully downloaded, navigate to the downloaded file by clicking the View Downloads button.

4

Locate the Snare for Windows executable and click the Run button.

5

On the Welcome to Snare Setup Wizard window, click the Next button.

6

On the License Agreement window, select the I accept the agreement radio button and then click the Next button.

7

On the Snare Auditing window, select the Yes radio button and then click the Next button. This allows Snare to set the Windows audit configuration so that the security events it collects are actually generated.

8

On the Service Account window, select the Use System Account radio button and then click the Next button.

9

On the Remote Control Interface window, check the Enable Web Access checkbox, enter a password that you will use to access the Snare web interface, and check the Local access only? checkbox so that the interface is reachable only from the server itself. Then click the Next button.

10

On the Snare Enterprise Version Agents Available window, click the Next button.

11

On the Select Destination Location window, leave the default folder of C:\Program Files\Snare and then click the Next button.

12

On the Select Start Menu Folder window, leave the default folder of InterSect Alliance and then click the Next button.

13

On the Ready to Install window, click the Install button.

14

The install will begin. On the Information window, click the Next button.

15

On the Completing the Snare Setup Wizard window, click the Finish button.

16

The Readme file will open. Review the contents, then close the window and close your web browser.

17

Open the Snare for Windows (Open Source) application from the Start menu, or open your browser and navigate to http://localhost:6161/

Note: If you configured a password, you will be required to enter it to access Snare.

18

Select Network Configuration from the left-hand navigation.

19

Configure log messages to be sent to the Clone Systems Log Management device.

Enter the following:

  • In the Destination Snare Server address field, enter the IP address of the Clone Systems Log Collector.
  • In the Destination Port field, enter port 514.
  • Check the Enable SYSLOG Header? checkbox so that each event is sent with a standard syslog header rather than in Snare's native format.

Click the Change Configuration button to save the changes.

20

A screen will appear indicating that the values have been changed.

21

Close the Snare window and confirm that the log messages are being sent to the Clone Systems Log Management device.

Symantec Endpoint Protection Manager

PREREQUISITES

Symantec Endpoint Protection Manager (SEPM) v12

  • The IP Address for the Symantec Endpoint Protection Manager
  • Credentials to access Symantec Endpoint Protection Manager

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Log onto the server on which Symantec Endpoint Protection Manager (SEPM) is installed. Launch SEPM, enter your Username and Password, and then click the Log On button.

2

Click Admin from the toolbar on the left.

3

Click Servers.

4

Click the local site or remote site that you want to export log data from.

5

Click Configure External Logging.

6

On the General tab, in the Update Frequency list box, select how often to send the log data.

7

In the Master Logging Server list box, select the management server that sends the logs.

If you use SQL Server and connect multiple management servers to the database, specify only one server as the Master Logging Server.

8

Check Enable Transmission of Logs to a Syslog Server.

9

Provide the following information:

Syslog Server

Type the IP Address of the Clone Systems Log collector.

Destination Port

Select TCP as the protocol (SEPM also supports UDP) and type the destination port on which the Clone Systems Log Management device listens for syslog messages (514 by default). The collector must be listening on the protocol you select; the other devices in this guide send over UDP.

Log Facility

Leave the default unless the collector requires a specific facility.

10

On the Log Filter tab, check which logs to export.

11

Click OK and confirm that the log messages are being sent to the Clone Systems Log Management device.