- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.6 and above
This article describes how to configure selective syslog streaming on NG Firewall. With selective syslog streaming, an NG Firewall gateway streams only a selected subset of its log files to a control center or a dedicated syslog server.
Prerequisites
To be able to configure Selective Syslog Streaming, a configured Logstream Destination is needed. This can either be a control center or a dedicated 3rd party syslog server.
Selective syslog streaming is configured in "Infrastructure Services" > "Syslog Streaming" > "Logdata Filters".
Step 1: Click "Insert" to create a New Filter
Step 2: Within the "Filters:<Your_Filter_Name>" configuration window, three types of Logdata are configurable:
- Top Level Logdata
- Affected Box Logdata
- Affected Service Logdata
Step 3: Except for "Top Level Logdata", for every type of logdata the "Data Selector" must be set to:
- Selection
Step 4: Click "Insert" to create a new "Data Selection"
Step 5: The drop-down menu "Log Groups" provides a variety of pre-defined selections.
Variant: User Defined Selective syslog Streaming:
For a more granular selection, select "Other" and enter a string that follows this pattern:
<modulename>_<logfile>
Example (for Affected Service Logdata):
virscan_cas
firewall_auth
firewall_Rule*
This selection would stream:
srv_<virscan-servername>_<virscan-servicename>_cas.log
srv_<firewall-servername>_<firewall-servicename>_auth.log
srv_<firewall-servername>_<firewall-servicename>_Rule*.log
This selection would not stream:
srv_<virscan-servername>_<virscan-servicename>.log
srv_<virscan-servername>_<virscan-servicename>_clamav.log
srv_<firewall-servername>_<firewall-servicename>.log
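To check in advance which service log files a set of selection strings will cover (for example, to confirm that the logs your detections rely on will actually reach the syslog server), the mapping above can be reproduced offline. The following is an added example, not Barracuda code: it assumes "*" behaves as a shell-style wildcard, as the article's Rule* example suggests, and the server/service inventory, the file names and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Service module names from the managed-box list on this page.
SERVICE_MODULES = {
    "virscan", "dhcpe", "dhcprelay", "dns", "firewall", "fwaudit", "cfirewall",
    "ftpgw", "proxy", "sslprx", "mailgw", "ospf", "policyserver", "spamfilter",
    "snmp", "sshprx", "cofs", "vpnserver",
}

# Constructed inventory: (server name, service name, module). Names are hypothetical.
SERVICES = [("S1", "AV", "virscan"), ("S1", "FW", "firewall")]

# The selection strings from the article's example.
SELECTIONS = ["virscan_cas", "firewall_auth", "firewall_Rule*"]

# Constructed log file names as they might exist on the gateway.
SAMPLE_FILES = [
    "srv_S1_AV.log", "srv_S1_AV_cas.log", "srv_S1_AV_clamav.log",
    "srv_S1_FW.log", "srv_S1_FW_auth.log", "srv_S1_FW_Rule-LAN.log",
]


def expected_patterns(selections, services):
    """Expand each <module>_<logfile> string into srv_<server>_<service>_<logfile>.log."""
    patterns = []
    for sel in selections:
        module, sep, logfile = sel.partition("_")
        if not (sep and logfile):
            raise ValueError(f"not in <module>_<logfile> form: {sel!r}")
        if module not in SERVICE_MODULES:
            raise ValueError(f"unknown service module in {sel!r}")
        patterns += [f"srv_{srv}_{svc}_{logfile}.log"
                     for srv, svc, mod in services if mod == module]
    return patterns


def coverage(filenames, selections, services):
    """Split file names into (streamed, not streamed) for the given selections."""
    patterns = expected_patterns(selections, services)
    streamed = [f for f in filenames if any(fnmatchcase(f, p) for p in patterns)]
    skipped = [f for f in filenames if f not in streamed]
    return streamed, skipped


if __name__ == "__main__":
    streamed, skipped = coverage(SAMPLE_FILES, SELECTIONS, SERVICES)
    print("streamed:    ", streamed)
    print("not streamed:", skipped)
```

The "not streamed" list is the part to review: any file there that an alert or investigation depends on needs its own selection string.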
List of available box-module names (single box, managed box, control center box and reporter box):
Auth: Auth
Config: Config
Control: Control
Event: Event
Firewall: Firewall
Logs: Logs
Network: Network
Release: Release
Settings: Settings
SSH: SSH
Statistics: Statistics
System: System
Watchdog: Watchdog
List of available control center managed box modules (managed box):
AV-Scanner: virscan
DHCP-Enterprise-Server: dhcpe
DHCP-Relay: dhcprelay
DNS: dns
Firewall: firewall
FW-Audit-Service: fwaudit
C-Firewall: cfirewall
FTP-Gateway: ftpgw
HTTP-Proxy: proxy
HTTP/HTTPS-Proxy: sslprx
Mail-Gateway: mailgw
OSPFv2-Router: ospf
Policy-Service: policyserver
Secure-Web-Proxy: sslprx
SPAM-Filter: spamfilter
SNMP-Service: snmp
SSH-Proxy: sshprx
ISS-ProventiaWebFilter: cofs
VPN-Server: vpnserver
List of available single box module names (single box):
AV-Scanner: virscan
DHCP-Enterprise-Server: dhcpe
DHCP-Relay: dhcprelay
DNS: dns
Firewall: firewall
FTP-Gateway: ftpgw
HTTP-Proxy: proxy
HTTP/HTTPS-Proxy: sslprx
ISS-ProventiaWebFilter: cofs
Mail-Gateway: mailgw
OSPFv2-Router: ospf
Policy-Service: policyserver
Secure-Web-Proxy: sslprx
SNMP-Service: snmp
SPAM-Filter: spamfilter
SSH-Proxy: sshprx
VPN-Server: vpnserver
List of available control center-module names (control center box):
DNS: dns
Firewall: firewall
MC-Audit: fwaudit
MC-Conf: rangeconf
MC-Event: mevent
MC-Log: msyslog
MC-PKI: pki
MC-Entegra: mpolicyserver
MC-Reporter: rsdstats
MC-StatView: qstatm
MC-StatCollect: dstatm
MC-VPN: mastervpn
List of available Reporter module names (reporter box):
Reporter DB: reporter
https://campus.barracuda.com/solution/50160000000IKbZAAW