
Managed Security Operation Center

Windows Remote Log & Security Device Syslog Configuration
CONFIDENTIAL
Required port for Windows remote log

Windows Remote Log


New user, group, and GPO creation
1. Create a new user
i. Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → User → Name the user "Log Collector".

2. Create a new group


i. Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → Group → Name the group "Log Collector Permission Group".
ii. Add all the audited computers as members of the "Log Collector Permission Group": Right click on the "Log Collector Permission Group" → Properties → Members → Add all the Domain Controllers, Windows servers and workstations that you wish to audit.

3. Create a new domain level GPO and link it to all the audited computers

Since configuring permissions on individual computers is an elaborate process, a domain level GPO is created and applied on all monitored computers.

i. Log in to your Domain Controller with Domain Admin privileges.
ii. Create a new domain level GPO:
Open the Group Policy Management Console → Right click on your domain → Create a GPO in this domain and link it here → Name the GPO "Log Collector Permission GPO".
iii. Remove the Apply group policy permission for the Authenticated Users group:

Click on the "Log Collector Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Click on Authenticated Users → Remove the Apply group policy permission.

iv. Add the "Log Collector Permission Group" to the security filter settings of the "Log Collector Permission GPO":

Open the Group Policy Management Console → Domain → Select the "Log Collector Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Add "Log Collector Permission Group".

Privileges/permissions required for event log collection

1. Grant the user the Manage auditing and security log right

The Manage auditing and security log right allows the user to define object level auditing.

i. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "Log Collector Permission GPO" → Edit.
ii. In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
iii. Navigate to the right panel, right click on Manage auditing and security log → Properties → Add the "Log Collector" user.

2. Make the user a member of the Event Log Readers group

Members of the Event Log Readers group will be able to read the event logs of all the audited computers.

• For Domain Controllers:

Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Builtin Container → Navigate to the right panel, right click on Event Log Readers → Properties → Members → Add the "Log Collector" user.

• For other computers (Windows servers and workstations):



a. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "Log Collector Permission GPO" → Edit.
b. In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → New → Local Group → Select the Event Log Readers group under group name → Add the "Log Collector" user.

Required port for syslog security devices

Fortigate Firewall
https://help.fortinet.com/fadc/4-5-1/olh/Content/FortiADC/handbook/log_remote.htm

1. Log in to the Fortinet console, and go to Log & Report > Log Config > Log Settings.
2. Select Send Logs to Syslog and specify the <ip address of log collector>.

3. In Event Logging, select all the event types you want to capture.

4. Click Apply.

Checkpoint Firewall
To configure Check Point Firewall-1 to send data to the Log Collector:

1. On the Check Point appliance, back up the current /etc/syslog.conf script:

cp /etc/syslog.conf /etc/syslog.conf_ORIGINAL

2. Edit the current /etc/syslog.conf script by adding the following line:

local4.info @<IP address of Log Collector>


Note: Press TAB after local4.info.

3. Save your configuration edits and close the file.

4. Back up the /etc/rc.d/init.d/cpboot script, and edit the current version of /etc/rc.d/init.d/cpboot by adding the following line at the bottom of the script:

fw log -f -t -n -l 2> /dev/null | awk 'NF' | logger -p local4.info -t CP_FireWall &

Where:

& = run command in the background. If & is not included, the operating system stops before loading
the syslogd service. No login prompt then appears at the console.

For help on available flags, enter:

fw log --help
5. Save the configuration edits and close the file.
6. Restart the machine.

Important: Restarting the Check Point services with the cpstop;cpstart commands does not
suffice. Only a restart achieves the desired result.

F5 Networks
https://support.f5.com/csp/article/K13080

Adding a remote syslog server using the Configuration utility


Impact of procedure: Performing the following procedure should not have a negative impact on
your system.
Note: Adding remote syslog servers using the Configuration utility is available in BIG-IP 11.1.0
and later.

1. Log in to the Configuration utility.


2. Go to System > Logs > Configuration > Remote Logging.
3. For Remote IP, enter the destination syslog server IP address.
4. For Remote Port, enter the remote syslog server UDP port (default is 514).
5. (Optional) For Local IP, enter the local IP address of the BIG-IP system.

Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP
address is recommended if using a Traffic Management Microkernel (TMM) based IP
address.

6. Select Add.
7. Select Update.
8. For BIG-IP systems in a high availability (HA) configuration, perform a ConfigSync to
synchronize the changes to the other devices in the device group.

Cisco Ironport
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-1/cli_guide/ESA_7-1_FCS_CLI_Reference_Guide.pdf
The following example shows how to use the logconfig command to configure a new delivery log called MailLogSyslogPush with the IP address of <ip log collector>.

To create a syslog push delivery log

1. From the mail3.example.com prompt, enter:

logconfig

Currently configured logs:


1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
2. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
3. "asarchive" Type: "Anti-Spam Archive" Retrieval: FTP Poll
4. "authentication" Type: "Authentication Logs" Retrieval: FTP Poll
5. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
6. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
7. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
8. "encryption" Type: "Encryption Logs" Retrieval: FTP Poll
9. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
10. "euq_logs" Type: "IronPort Spam Quarantine Logs" Retrieval: FTP Poll

11. "euqgui_logs" Type: "IronPort Spam Quarantine GUI Logs" Retrieval: FTP Poll
12. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
13. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
14. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
15. "reportd_logs" Type: "Reporting Logs" Retrieval: FTP Poll
16. "reportqueryd_logs" Type: "Reporting Query Logs" Retrieval: FTP Poll
17. "scanning" Type: "Scanning Logs" Retrieval: FTP Poll
18. "slbld_logs" Type: "Safe/Block Lists Logs" Retrieval: FTP Poll
19. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
20. "status" Type: "Status Logs" Retrieval: FTP Poll
21. "system_logs" Type: "System Logs" Retrieval: FTP Poll
22. "trackerd_logs" Type: "Tracking Logs" Retrieval: FTP Poll
23. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> new

Choose the log file type for this subscription:


1. IronPort Text Mail Logs
2. qmail Format Mail Logs
3. Delivery Logs
4. Bounce Logs
5. Status Logs
6. Domain Debug Logs
7. Injection Debug Logs
8. SMTP Conversation Logs
9. System Logs
10. CLI Audit Logs
11. FTP Server Logs
12. HTTP Logs
13. NTP logs
14. LDAP Debug Logs
15. Anti-Spam Logs
16. Anti-Spam Archive
17. Anti-Virus Logs
18. Anti-Virus Archive
19. Scanning Logs
20. IronPort Spam Quarantine Logs
21. IronPort Spam Quarantine GUI Logs
22. Reporting Logs
23. Reporting Query Logs
24. Updater Logs
25. Tracking Logs
26. Safe/Block Lists Logs
27. Authentication Logs
[1]> 1

Please enter the name for the log:


[]> MailLogSyslogPush

Log level:
1. Critical
2. Warning
3. Information

4. Debug
5. Trace
[3]> 2

Choose the method to retrieve the logs.


1. FTP Poll
2. FTP Push
3. SCP Push
4. Syslog Push
[1]> 4
Hostname to deliver the logs:
[]> <ip log collector>

Which protocol do you want to use to transfer the log data?


1. UDP
2. TCP
[1]> 1

Which facility do you want the log data to be sent as?


1. auth
2. authpriv
3. console
4. daemon
5. ftp
6. local0
7. local1
8. local2
9. local3
10. local4
11. local5
12. local6
13. local7
14. mail
15. ntp
16. security
17. user
[14]> 14

Currently configured logs:


1. "MailLogSyslogPush" Type: "IronPort Text Mail Logs" Retrieval: Syslog Push - Host <ip log collector>

Imperva
https://www.imperva.com/docs/SB_Imperva_SecureSphere_CEF_guide.pdf

To configure Imperva SecureSphere to send log data to the Log Collector

To configure Imperva SecureSphere to send syslog messages based on the CEF standard whenever a new event occurs:

1. Define a new Action Set and configure the following parameters:


• Name: The action set name, for example, "security_syslog".
• Syslog Host: The IP address or host name of the Syslog server.

• Syslog Log Level: The Syslog log level.


• Message: The CEF message for a security event (alert).
• Facility: The facility name that you want.
Note: For the Syslog Host entry, the IP address or host name you specify is the IP address or host
name of the Log Collector.

2. Edit the security policies and modify the Followed Actions for those that you want to send to Syslog
when a violation occurs. Use the action set defined for security events in step 1.

When a security violation occurs, Imperva SecureSphere will generate an alert and send a Syslog message
to Log Collector.
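Each SecureSphere alert arrives as a CEF record: seven pipe-separated header fields followed by key=value extensions, with backslash escapes for the pipe, equals sign and backslash. The following added example is not from the Imperva guide or this document; it parses a constructed SecureSphere-style line on the collector side, including the escaped pipe and equals sign that break a naive split() parser.

```python
import re

ESCAPES = {"n": "\n", "r": "\r"}  # CEF extension escapes besides \= and \\
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def _split_header(body):
    """Split the seven pipe-separated CEF header fields ('\\|' and '\\\\' are
    escapes there) and return them with the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, body[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a flat dict; the
    syslog PRI/timestamp/host before 'CEF:' is kept as 'syslog_prefix'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    header, ext = _split_header(line[start:])
    rec = dict(zip(["cef_version", "vendor", "product", "version",
                    "signature_id", "name", "severity"], header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["syslog_prefix"] = line[:start].rstrip()
    rec["ext"] = {m.group(1): _unescape(m.group(2)).strip()
                  for m in EXT_RE.finditer(ext)}
    return rec


# Constructed sample in CEF layout (not a captured SecureSphere message).
SAMPLE = ("<132>Jan  1 10:00:00 securesphere CEF:0|Imperva Inc.|SecureSphere|13.0|"
          "Alert|SQL Injection|High|act=Alert src=10.0.0.5 dst=10.0.0.20 "
          "msg=Union select in id\\=1 cs1Label=Policy cs1=Web Policy \\| Default")
```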

Bluecoat
https://knowledge.broadcom.com/external/article/166081/enable-syslog-on-the-proxysgasg.html

Issue/Introduction:

You would like to know the steps needed to enable Syslog on the ProxySG/ASG.

Resolution:

Syslog is an event-monitoring scheme that is especially popular in Unix environments. Sites that use
Syslog typically have a log host node, which acts as a sink for several devices on the network. You must
have a Syslog daemon operating in your network to use Syslog monitoring. The Syslog format is: Date
Time Hostname Event.

To enable Syslog Monitoring from the Management Console (https://<ip.address.of.proxysg>:8082):

1. Select the Maintenance tab > Event Logging > Syslog tab
2. Click on the New button. Enter the domain name or IP address of your <log collector> in the
Loghost field and click on the OK button.
3. Check the Enable Syslog check box and click Apply

To enable Syslog Monitoring from the CLI, use the following commands:

SGOS>
SGOS>enable
Enable password:
SGOS#config t
SGOS#(config)event-log
SGOS#(config event-log)syslog loghost loghost
SGOS#(config event-log)syslog enable

Symantec
https://knowledge.broadcom.com/external/article?legacyId=TECH171741

Integrating Symantec EPM

Before you configure the Symantec EPM integration, you must have the IP address of the Log Collector.

To configure Symantec EPM to send log data to the <ip log collector>
1. In the console, click Admin.
2. Click Servers.
3. Click the local site or remote site that you want to export log data from.
4. Click Configure External Logging.
5. On the General tab, in the Update Frequency list box, select how often to send the log data to the file.

6. In the Master Logging Server list box, select the management server to send the logs to.

Note: If you use SQL Server and connect multiple management servers to the database,
specify only one server as the Master Logging Server.
7. Check Enable Transmission of Logs to a Syslog Server.

8. Provide the following information:


a. Syslog Server: Enter the IP address or domain name of the <ip log collector> that you want to
receive the log data.
b. Destination Port: Select UDP as the protocol to use, and type 514 as the destination port that
the <ip log collector> uses to listen for syslog messages.

c. Log Facility: Enter the number of the log facility that you want the syslog configuration file to use, or use the default.

Valid values range from 0 to 23.

9. Click OK.
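The facility and severity chosen for each sender above (Check Point's logger -p local4.info, IronPort's "mail" facility at the Warning level, Symantec's numeric facility in the range 0 to 23) are all encoded in the syslog PRI value, PRI = facility * 8 + severity, which is all the collector has to tell the sources apart by. The following added example is not part of the original guide; it decodes PRI on the collector side and flags a sender whose facility does not match what this guide configures. The source names and sample lines are constructed.

```python
import re

# Syslog facility and severity names indexed by numeric code; a message's
# PRI value is facility * 8 + severity, so facility numbers run 0-23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# What the collector should expect per source, from this guide's settings:
# Check Point pipes into `logger -p local4.info -t CP_FireWall`; IronPort was
# given facility "mail" and log level "Warning". The "IronPort" name is assumed.
EXPECTED = {"CP_FireWall": ("local4", "info"), "IronPort": ("mail", "warning")}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI number for a facility.severity pair, e.g. local4.info -> 166."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Map a PRI number back to (facility, severity); reject values > 191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def check_line(line, source):
    """Return (ok, detail): does this raw line carry the facility.severity
    configured for `source`? A collector health check can use this to flag a
    mistyped facility instead of filing events under the wrong log."""
    m = PRI_RE.match(line)
    if not m:
        return False, "missing <PRI> header"
    facility, severity = decode_pri(int(m.group(1)))
    want = EXPECTED.get(source)
    if want is None:
        return False, "unknown source %s" % source
    if (facility, severity) != want:
        return False, "got %s.%s, expected %s.%s" % ((facility, severity) + want)
    return True, "%s.%s" % (facility, severity)


# Constructed sample lines (not captured from real devices).
SAMPLES = [
    ("<166>Jan  1 10:00:00 cpfw CP_FireWall: accept src 10.0.0.5", "CP_FireWall"),
    ("<20>Jan  1 10:00:01 esa mail_logs: Warning: MID 1 ICID 1", "IronPort"),
    ("<14>Jan  1 10:00:02 cpfw CP_FireWall: drop src 10.0.0.9", "CP_FireWall"),
]
```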
