Sending Additional Information using Syslog
To get full accountability details (who made policy changes and when) and to utilize rule and object usage reporting, you must get your monitored devices to send syslogs to TOS Aurora.
These monitored devices can be set up to send additional information to TOS Aurora, such as:
- Rule and object usage information that can be seen in SecureTrack, such as the rules that were invoked or 'hit'
- Accountability information that can be seen in SecureTrack, such as the users who made policy changes and the computer used to make the change
- Details of the applications that pass traffic through the device, which can be seen in SecureApp
- Notifications to TOS that a security configuration change has occurred, so TOS can fetch the updated policy (revision) from the device immediately, rather than wait for the periodic polling
To get this additional information, you must configure your devices to send syslogs to TOS Aurora either directly or by using a log forwarder.
Syslog traffic must be sent to port 514 on the SecureTrack cluster that monitors the device. If TOS Aurora is deployed on Azure or AWS, send the syslog traffic to the IP or domain name of your external load balancer; otherwise, send it to a Syslog VIP.
Use a Log Forwarder
You can send syslogs directly from the devices themselves or from an incident management tool such as ArcSight, Splunk or QRadar. These tools are sometimes referred to as log forwarder/log aggregator tools or SEM (Security Event Management)/SIEM (Security Incident and Event Management) systems. The syslogs must be sent to the TOS cluster in exactly the same format as they would be sent from the original device, including the IP address of the firewall device if specified.
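One way to check the format requirement above before pointing a forwarder at TOS is to capture the same message on both sides of the forwarder and compare the bytes. The following is an added example, not part of the TOS documentation: the function name, the RFC 3164-style header layout and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: devices emit an RFC 3164-style header, "<PRI>Mmm dd hh:mm:ss HOST ".
BSD_HEADER = re.compile(
    rb"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) "
)

def compare_forwarded(original: bytes, forwarded: bytes) -> str:
    """Classify what a log forwarder did to one syslog message.

    original  -- bytes captured as the device sent them
    forwarded -- bytes captured as the forwarder sent them onward
    """
    if forwarded == original:
        return "identical"            # what the receiving cluster needs
    if forwarded.endswith(original):
        return "wrapped"              # forwarder prepended its own header
    o, f = BSD_HEADER.match(original), BSD_HEADER.match(forwarded)
    if o and f and original[o.end():] == forwarded[f.end():]:
        if o.group(3) != f.group(3):
            return "host-rewritten"   # firewall IP/hostname was replaced
        return "header-rewritten"     # priority or timestamp was regenerated
    return "altered"                  # body truncated, re-encoded or reformatted

# Constructed sample messages (192.0.2.10 is a documentation address).
ORIGINAL = b"<134>Jan 12 10:15:02 192.0.2.10 fw01: policy change by admin"
SAMPLES = {
    "raw relay": ORIGINAL,
    "extra header": b"<13>Jan 12 10:15:03 siem01 " + ORIGINAL,
    "host replaced": b"<134>Jan 12 10:15:02 siem01 fw01: policy change by admin",
    "new timestamp": b"<134>Jan 12 10:15:09 192.0.2.10 fw01: policy change by admin",
    "truncated": b"<134>Jan 12 10:15:02 192.0.2.10 fw01: policy change",
}

def classify_samples() -> dict:
    """Run the comparison over every constructed sample."""
    return {name: compare_forwarded(ORIGINAL, msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} -> {verdict}")
```

Any verdict other than "identical" means the forwarder is changing the message and its output format or relay mode needs adjusting.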
Vendor-Specific Instructions
For more information on sending syslogs for supported devices, see the following related topics: