How to Configure the CC Syslog Service

(Only available in Advanced View mode) This parameter defines the username that will be used when synchronising the log with the HA partner system. By default, this parameter is set to system user msyslog. By ticking the checkbox Other (to the right), you may enter any other name.

This certificate is required for SSL connections, regardless whether they are passive or active ones. Via button Show … the certificate is displayed, and via button Edit … the certificate may be modified. Again, to the right, the hash mark is displayed.

If set to yes (default) the service will listen for incoming SSL connections on configured IPs and defined SSL Listen Port (port 5143; Trusted Data Reception view).

This parameter enables the optional transfer of log messages to external loghosts (default: no).

Via this parameter you define what kind of sockets are available for incoming log messages. Available options are UDP&TCP (opens an UDP and a TCP socket; default), UDP (opens an UDP socket only) and TCP (opens a TCP socket only).

This parameter is only available as long as the parameter Supported Protocols contains an UDP option and defines the port that is to be used for receiving log messages (default: 5144).

This parameter is only available as long as the parameter Supported Protocols contains a TCP option and defines the port that is to be used for receiving log messages (default: 5144).

Via this menu the to-be-used service certificate is selected (default: Use_MC_SSL_Cert; that means the SSL certificate of the Barracuda Firewall Control Center will be used for authentication. When using option Use_MC_SSL_Cert it is highly recommended to use verify_peer_certificate as type of Client Authentication.

(Only available in Advanced View mode) Take into consideration that this parameter is only available if parameter Store on Disk is set to yes. Each log message has a send-time stamp when it is written to disk:

• send_stamp log_message: yes – send_stamp is rewritten using local CC receive time.
• send_stamp log_message: no (default) – send_stamp is not modified.

(Only available in Advanced View mode) This parameter is only available if parameter Store on Disk is set to yes. Each log message gets its own time stamp(s) when it is written to disk (receive_time_stamp showing CC receiving time; send_stamp showing Box sending time):

• receive_time_stamp send_stamp log_message when set to yes (default).
• send_stamp log_message when set to no. 

Via this parameter you define for how long the log files are kept on the local system. The following periods are available:

• day – log file name: <logmesssage>.$HOUR.log; after 23 h the log files created by syslog are overwritten.
• week (default) – log file name: <logmesssage>.$WEEKDAY.$HOUR.log; after one week the log files (that is mon, tue, wed, …) created by syslog are overwritten. After one week the log files are overwritten

• no-limit – log file name: <logmesssage>.log;

  This setting is very specific and, therefore, should be used by experts only (contacting Barracuda Networks Technical Support is highly recommended).

Here the SSH key management is provided. By clicking New Key you may create a new key for the SSH connection. Alternatively, you may import already existing keys (either from clipboard or file) or export the newly generated key (either to clipboard or file, password protected or not, or the public key only). These import/export options are available within the menu Ex/Import. For informational purpose the key’s hash is displayed to the right of this line.

Here the SSH host key management is provided. By clicking New Key you may create a new SSH key. Alternatively, you may import already existing keys (either from clipboard or file) or export the newly generated key (either to clipboard or file, password protected or not, or the public key only). These import/export options are available within the Ex/Import menu. For informational purpose the key’s hash is displayed to the right of this line.

Here you may activate/deactivate data compression (standard gzip quality) for the SSH connection (default: yes).

This parameter is only available if parameter Store on Disk (see section Basic Setup) is set to yes. This parameter defines the number of log messages after which synchronization is started. The default value of 0 indicates nothing else than immediate synchronization as soon as a log message is received.

Here the time interval (in seconds) is defined at which a TCP retry should be carried out if the connection breaks.

This parameter defines whether authentication takes place when establishing the SSL connection. The following options are available:

• no_peer_verification (default)
• verify_peer_with_locally_installed_certificate – Selecting this option requires manual import of a valid SSL certificate from the active connecting system to the active destination system.

This timeout defines for how long (in seconds) a SSL connection may be in busy condition until it is terminated (default: 300).

This timeout defines for how long (in seconds) a SSL connection may be in close condition until it is terminated (default: 60).

This timeout defines for how long (in seconds) a SSL connection may be in idle condition until it is terminated (default: 43200).

This parameter specifies whether additional information (for example box, cluster, range) is transmitted with the log entries (default: yes). Setting this parameter to yes activates and requires parameter group Originator Systems (see below).

Take into consideration that this parameter group is only available if parameter Filter Box Affiliation is set to yes. The configuration dialog for a new and/or existing entry provides the following parameters:

• Hierarchy Structure – This parameter defines the structure of the log entry.

The following structure levels are available for selection:

• Box-Only  – Adds only the box name to the log message.
• Range-Only  – Adds only the range number to the log message.
• Range-Cluster  – Adds both, range number and cluster name to the log message.
• Range-Cluster-Box (def)  – Adds the complete structure to the log message.
• Ranges  – This parameter is only available if parameter Originator Systems is set to a value that contains range structure (that means all except for Box-Only) and allows selecting specific ranges.
• Clusters  – This parameter is only available if parameter Originator Systems is set to a value that contains cluster structure and allows selecting specific clusters.
• Boxes  – This parameter is only available if parameter Originator Systems is set to a value that contains box structure and allows selecting specific boxes.

Due to the structure of a streamed log message (<range>/<cluster>/<box>/<filename>:<message>), it is possible to restrict log streaming to message containing a certain pattern in their filenames (for example pattern fw when having a filename like server1_fw) by using this parameter.

The log files offered for selection here are superordinate log files build up of several instances of box and service levels. The following data can be selected:

• Fatal_log: These are the log contents of the fatal log (log instance name: fatal).

• Firewall_Audit_Log: These are the log contents of the firewall's machine readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the Firewall Parameter Settings on box-level (see SECTION AUDIT INFO GENERATION > Audit-Delivery: Syslog-Proxy). The log instance name corresponding to Syslog-Proxy selected will be trans7.

  When Log-File is selected in the firewall configuration the data will go into a log file named (Box > Firewall > audit, the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent one then would be a selection of category Firewall within the box selection portion of the filter.

This parameter defines what kind of box logs are to be affected by the syslog daemon. The following options are available:

• All (any kind of box log is affected)
• None (default; none is affected)
• Selection (activates parameter group Box Log Patterns, see below)

Take into consideration that this parameter group is only available if parameter Affected Box Logfiles is set to Selection. The following parameters are available for configuration:

• Log Groups  – This menu offers every log group for selection that is available on a Barracuda CloudGen Firewall (for example Control, Event, Firewall, …).
• Log Message Filter  – This parameter is used for defining the affected log types:
  Selection (activates parameter Selected Message Types, see below),
  All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher. As you can see the available options are "group selections". If one explicit log type is required, choose Selection and set your wanted type in parameter Selected Message Types, see below.
• Selected Message Types  – This parameter allows you to set explicit log types to be affected by syslogging. The types available are: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

This parameter defines what kind of logs created by services are to be affected by the syslog daemon. The following options are available:

• All (any kind of service log is affected)
• None (default; none is affected)
• Selection (activates parameter group Service Log Patterns, see below)

Take into consideration that this parameter group is only available if parameter Affected Service Logfiles is set to Selection.

• Log Server-Services  – Here you define server and service where log messages are streamed from.
• Log Message Filter –  This parameter is used for defining the affected log types:
  • Selection (activates parameter Selected Message Types, see below)
  • All (default)
  • All-but-Internal
  • Notice-and-Higher
  • Warning-and-Higher
  • Error-and-Higher
• Selected Message Types  – This parameter allows you to set explicit log types to be affected by syslogging. The types available are: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

This menu provides different types for the destination connection:

• Active SSL connect by destination  – if an external system requests logs actively via SSL.
• Stream SSL to passive destination  – for std. secure streaming from CC box to external system via SSL
• Stream plaintext to passive destination  – for streaming without SSL connection (standard syslog stream)

(Only available in Advanced View mode) This menu defines the port that will be used for establishing the SSL connection between CC box and external system. The available standard port range reaches from 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to enter the explicit IP address of the log host.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It holds the port that will be used on the log host when connecting.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to choose the transmission protocol (TCP (default) or UDP). When selecting a SSL-capable destination type this parameter is implicitly set to TCP.

This certificate is used when Stream SSL to passive destination is selected as Connection Type. It holds the SSL certificate of the destination server. This line consists of two buttons: Show for displaying the current SSL certificate, and Ex/Import for certificate transfer purpose.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It is used for entering the IP address of the external system the outgoing SSL tunnel should connect to.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It is used for entering the port on the external system the outgoing SSL tunnel should connect to.

This parameter is only available when Stream plaintext to passive destination is selected as Connection Type and defines the to-be-used port for the loopback interface. The available standard port range spans the ports 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other.

(Only available in Advanced View mode) Depending on your policy routing you may need an explicit sender IP address for streaming log files. If so, this address ought to be entered here.

The default setting no removes the structural information from streamed messages. When set to yes the structure information as originally sent to the CC Syslog is preserved. In other words: <range>/<cluster>/<box>/<filename>:<message> becomes <filename>:<message>.