WI Windows Remote Log & Security Device Syslog Configuration
3. Create a new domain level GPO and link it to all the audited computers
Click on the "Log Collector Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Click on Authenticated Users → Remove the Apply group policy permission.
iv. Add the "Log Collector Permission Group" to the security filter settings of the "Log Collector Permission GPO":
Open the Group Policy Management Console → Domain → Select the "Log Collector Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Add "Log Collector Permission Group".
1. Grant the user the Manage auditing and security log right
The Manage auditing and security log right allows the user to define object level auditing.
i. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "Log Collector Permission GPO" → Edit.
ii. In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
iii. Navigate to the right panel, right click on Manage auditing and security log → Properties → Add the "Log Collector" user.
CONFIDENTIAL
Members of the Event Log Readers group will be able to read the event logs of all the audited computers.
a. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "Log Collector Permission GPO" → Edit.
b. In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → New → Local Group → Select Event Log Readers group under group name → Add the "Log Collector" user.
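The GPO creation, linking and security filtering from steps 3 and iv, scripted with the GroupPolicy module and followed by a check from the collector that the "Log Collector" account can read the Security log of each audited host. This is an added example, not the work instruction's own script; the domain DN, host names and WinRM reachability of the audited computers are assumptions.

```powershell
# Added example, not the work instruction's own script: steps 3 and iv done with the
# GroupPolicy module, then a read test from the collector. The domain DN, host names and
# WinRM reachability are assumptions; adjust them to your environment.
Import-Module GroupPolicy

$GpoName   = 'Log Collector Permission GPO'
$GroupName = 'Log Collector Permission Group'
$DomainDN  = 'DC=corp,DC=example'          # assumed domain distinguished name
$Audited   = @('SRV01', 'SRV02')           # assumed audited computers

# Step 3: create the domain-level GPO and link it at the domain root (idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null }

# Step iv: security filtering. Authenticated Users keeps Read but loses Apply (-Replace lowers
# the level), so computer accounts can still read the GPO; the collector group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# The user right (step 1) and Event Log Readers membership are set in the GPO editor. After
# gpupdate on the audited hosts, confirm the effect: membership, the privilege, a remote read.
$cred = Get-Credential -Message 'Log Collector account'
foreach ($c in $Audited) {
    $members = Invoke-Command -ComputerName $c -ScriptBlock {
        (Get-LocalGroupMember -Group 'Event Log Readers').Name
    }
    $hasRight = Invoke-Command -ComputerName $c -Credential $cred -ScriptBlock {
        [bool]((whoami /priv) -match 'SeSecurityPrivilege')
    }
    $evt = Get-WinEvent -ComputerName $c -LogName Security -MaxEvents 1 -Credential $cred `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer            = $c
        EventLogReaders     = ($members -join ', ')
        ManageAuditRight    = $hasRight
        SecurityLogReadable = [bool]$evt
    }
}
```

A host that shows ManageAuditRight true but SecurityLogReadable false usually still has the Remote Event Log Management firewall rule disabled.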
Fortigate Firewall
https://help.fortinet.com/fadc/4-5-1/olh/Content/FortiADC/handbook/log_remote.htm
1. Log in to the Fortinet console, and go to Log & Report > Log Config > Log Settings.
2. Select Send Logs to Syslog and specify the <ip address of log collector>.
3. In Event Logging, select all the event types you want to capture.
4. Click Apply.
Checkpoint Firewall
To configure Check Point Firewall-1 to send data to Log Collector:
cp /etc/syslog.conf /etc/syslog.conf_ORIGINAL
Where:
& = run the command in the background. If & is not included, the operating system stops before loading the syslogd service, and no login prompt appears at the console.
fw log --help
5. Save the configuration edits and close the file.
6. Restart the machine.
Important: Restarting the Check Point services with the cpstop;cpstart commands does not
suffice. Only a restart achieves the desired result.
F5 Networks
https://support.f5.com/csp/article/K13080
Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP
address is recommended if using a Traffic Management Microkernel (TMM) based IP
address.
6. Select Add.
7. Select Update.
8. For BIG-IP systems in a high availability (HA) configuration, perform a ConfigSync to
synchronize the changes to the other devices in the device group.
Cisco Ironport
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-1/cli_guide/ESA_7-1_FCS_CLI_Reference_Guide.pdf
The following example shows how to use the logconfig command to configure a new delivery log called MailLogSyslogPush with the IP address of <ip log collector>.
logconfig
Log level:
1. Critical
2. Warning
3. Information
4. Debug
5. Trace
[3]> 2
Imperva
https://www.imperva.com/docs/SB_Imperva_SecureSphere_CEF_guide.pdf
To configure Imperva SecureSphere to send syslog messages, based on the CEF standard, whenever a new
event occurs:
2. Edit the security policies and modify the Followed Actions for those that you want to send to Syslog
when a violation occurs. Use the action set defined for security events in step 1.
When a security violation occurs, Imperva SecureSphere will generate an alert and send a Syslog message
to Log Collector.
Bluecoat
https://knowledge.broadcom.com/external/article/166081/enable-syslog-on-the-proxysgasg.html
Issue/Introduction:
You would like to know the steps needed to enable Syslog on the ProxySG/ASG.
Resolution:
Syslog is an event-monitoring scheme that is especially popular in Unix environments. Sites that use
Syslog typically have a log host node, which acts as a sink for several devices on the network. You must
have a Syslog daemon operating in your network to use Syslog monitoring. The Syslog format is: Date
Time Hostname Event.
1. Select the Maintenance tab > Event Logging > Syslog tab.
2. Click on the New button. Enter the domain name or IP address of your <log collector> in the Loghost field and click on the OK button.
3. Check the Enable Syslog check box and click Apply.
To enable Syslog Monitoring from the CLI, use the following commands:
SGOS>
SGOS>enable
Enable password:
SGOS#config t
SGOS#(config)event-log
SGOS#(config event-log)syslog loghost loghost
SGOS#(config event-log)syslog enable
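A receive-side check for the log collector, covering the syslog layout the ProxySG section describes (Date Time Hostname Event, preceded by the PRI value) and the CEF messages the Imperva section says SecureSphere sends. This is an added example and not part of the work instruction; the port, the device names and the sample lines are assumptions and constructed data.

```powershell
# Added example, not part of the work instruction: a receive-side check for the log collector.
# It parses the RFC3164 layout the ProxySG section describes ("<PRI>Date Time Hostname Event")
# plus the CEF header Imperva SecureSphere sends, and can listen on UDP/514 to confirm that each
# configured device actually delivers. Port, names and sample lines are assumptions/constructed.

function ConvertFrom-SyslogLine {
    param([string]$Line)
    # PRI = facility*8 + severity, followed by "Mmm dd HH:mm:ss host message".
    if ($Line -notmatch '^<(?<pri>\d{1,3})>(?<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<msg>.*)$') {
        return $null
    }
    $pri = [int]$Matches.pri
    $rec = [ordered]@{
        Facility = [int][math]::Floor($pri / 8); Severity = $pri % 8; Timestamp = $Matches.ts
        Host = $Matches.host; Message = $Matches.msg; Format = 'syslog'
    }
    # CEF header: CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
    if ($rec.Message -match '^CEF:\d+\|') {
        $f = $rec.Message -split '(?<!\\)\|', 8       # split on unescaped pipes only
        $rec.Format = 'cef'; $rec.Vendor = $f[1]; $rec.Product = $f[2]
        $rec.EventName = $f[5]; $rec.CefSeverity = $f[6]; $rec.Extension = $f[7]
    }
    return [pscustomobject]$rec
}

function Receive-SyslogSample {
    param([int]$Port = 514, [int]$Count = 5, [int]$TimeoutSec = 60)
    # UDP/514 is a privileged port, so run elevated; stops after $Count datagrams or on timeout.
    $udp = New-Object System.Net.Sockets.UdpClient($Port)
    $udp.Client.ReceiveTimeout = $TimeoutSec * 1000
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        for ($i = 0; $i -lt $Count; $i++) {
            $bytes = $udp.Receive([ref]$remote)
            $rec = ConvertFrom-SyslogLine ([System.Text.Encoding]::UTF8.GetString($bytes))
            if ($rec) { $rec | Add-Member -NotePropertyName Source -NotePropertyValue $remote.Address.ToString() -PassThru }
            else { Write-Warning "Unparsed datagram from $($remote.Address)" }
        }
    } finally { $udp.Close() }
}

# Constructed sample lines (not captured from real devices) to exercise the parser offline.
$samples = @(
    '<134>Jan 12 10:15:01 proxysg01 Syslog enabled, loghost set to 10.0.0.50',
    '<13>Jan 12 10:15:02 secsphere01 CEF:0|Imperva Inc.|SecureSphere|12.0|Firewall|Policy Violation|High|src=10.0.0.5 dst=10.0.0.20'
)
$samples | ForEach-Object { ConvertFrom-SyslogLine $_ } | Format-List
```

Run Receive-SyslogSample on the collector before the real collector service binds the port, then compare the Source and Host values against the devices you configured above; a device that never shows up has not been pointed at the right address or is blocked on the way.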
Symantec
https://knowledge.broadcom.com/external/article?legacyId=TECH171741
Before you configure the Symantec EPM integration, you must have the IP address of the Log Collector.
To configure Symantec EPM to send log data to the <ip log collector>:
1. In the console, click Admin.
2. Click Servers.
3. Click the local site or remote site that you want to export log data from.
4. Click Configure External Logging.
5. On the General2 tab, in the Update Frequency list box, select how often to send the log data to the
file.
6. In the Master Logging Server list box, select the management server to send the logs to.
Note: If you use SQL Server and connect multiple management servers to the database,
specify only one server as the Master Logging Server.
7. Check Enable Transmission of Logs to a Syslog Server.
c. Log Facility: Enter the number of the log facility that you want the syslog configuration file to use, or use the default.
9. Click OK.