Configuring SecureTrack for Non-Default Syslogs
Overview
For some types of monitored devices, you must configure the device to send syslogs (see Configuring Devices to Send Logs) to SecureTrack in order to get accountability and usage data. SecureTrack is preconfigured to receive syslogs for facility local7, and for the default severity levels of syslogs sent by each firewall vendor (listed below). To use a non-default facility or severity level, you must manually configure SecureTrack for each device type that sends non-default syslogs. For these device types, your manual settings override the default settings in SecureTrack.
If a firewall is monitored as a standalone device and as the child of a management device, you must disable either the standalone or the management in order to collect syslogs.
Configure the Syslog
Configure SecureTrack to receive syslogs with non-default facilities and/or severity levels, for a specific device type.
We recommend that you back up the stconf table before making any changes.
1. Find the parser ID string for the device type sending the syslogs. Parser ID strings are:

| Device type | Usage syslogs | Accountability syslogs |
|---|---|---|
| Cisco FMCs | CiscoFmc | CiscoFmc |
| Cisco Firewalls | CiscoDevice | CiscoDevice |
| Cisco Routers | CiscoRouter | CiscoRouter |
| Fortinet FortiManager 5.24 or lower | Fortinet | FortiManager |
| Fortinet FortiManager 5.4 or higher | Fortinet | FortiManagerAsAPlatform |
| Fortinet FortiGate | Fortinet | Fortinet |
| Juniper JunOS | JunOs | JunOs |
| Juniper Netscreen | Netscreen | Netscreen |
| Juniper NSM | NSM | NSM |
| Palo Alto Panorama 7.0 or lower | PaloAlto | PaloAlto |
| Palo Alto Panorama 7.1 or higher | PaloAlto | PanoramaNg |
| Palo Alto Firewalls | PaloAlto | PaloAlto |
| VMware NSX | Nsx | Nsx |
2. Find the code numbers for the facilities that you want in the syslogs. Facility codes are:

| Facility | Code |
|---|---|
| kernel messages | 0 |
| user-level messages | 1 |
| mail system | 2 |
| system daemons | 3 |
| security/authorization messages | 4 |
| messages generated internally by syslogd | 5 |
| line printer subsystem | 6 |
| network news subsystem | 7 |
| UUCP subsystem | 8 |
| clock daemon | 9 |
| security/authorization messages | 10 |
| FTP daemon | 11 |
| NTP subsystem | 12 |
| log audit | 13 |
| log alert | 14 |
| clock daemon | 15 |
| local use 0 (local0) | 16 |
| local use 1 (local1) | 17 |
| local use 2 (local2) | 18 |
| local use 3 (local3) | 19 |
| local use 4 (local4) | 20 |
| local use 5 (local5) | 21 |
| local use 6 (local6) | 22 |
| local use 7 (local7) (default) | 23 |
3. Find the severity levels sent by your devices. The default severity levels are:

| Device type | Default severity levels |
|---|---|
| Cisco | 5 |
| Fortinet | 3, 4, 5, 6, 7 |
| JunOS | 5, 6 |
| Netscreen | 4, 5, 6 |
| NSM | 1 |
| Palo Alto | 6 |
| VMware NSX | 13, 14 |
4. Calculate your relevant priority codes: one priority code for each possible combination of facility code with severity level. The priority code is defined as the facility code multiplied by 8, plus the severity level code:

    Priority code = 8 * Facility code + Severity level code

   For example, if your JunOS devices use the default severity levels, but may produce syslogs with facility codes 1, 22, or 23, then you may need to calculate six priority codes (for severity code 5 with each of these three facility codes, and for severity code 6 with each of the three facility codes). However, if you know that facility code 1 will only occur with severity code 6, and the other two facility codes (22, 23) only with severity code 5, then you only need to calculate three priority codes. These will be 14, 181, and 189:

    8*1+6=14
    8*22+5=181
    8*23+5=189

   Make a note of the calculated priority codes.
5. Open your browser and log into SecureTrack as a SecureTrack Administrator.
6. In the browser, open https://<SecureTrack_IP>/stcgitest.htm
7. Click Edit StConf.
8. Click Fetch Current Conf.
9. Under <conf>, add the following lines, substituting the relevant parser ID string (from step 1) for parserid (keep the quote marks):

    <Override_Syslog_Priority message_parser_type="parserid">
    </Override_Syslog_Priority>

   Supported values for parserid are: NSM, CiscoDevice (includes ASA firewalls), CiscoRouter, JunOs, Fortinet, PaloAlto, PanoramaNg, FortiManager, Nsx, FortiManagerAsAPlatform.
10. Between the above two lines, for each required priority code (from step 4), add a line in the following form, substituting the relevant priority code for pc:

    <pri>pc</pri>

   Using the example from above (step 4), you would now have:

    <Override_Syslog_Priority message_parser_type="JunOs">
    <pri>14</pri>
    <pri>181</pri>
    <pri>189</pri>
    </Override_Syslog_Priority>
11. At the bottom of the page, click Submit New Conf.
12. Restart all syslogs:

    kubectl get pods -n default --no-headers=true | awk '/syslog-agent/{print $1}' | xargs kubectl delete -n default pod

   The deleted pods will restart automatically. Alternatively:

    st restart syslog
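The following is an added worked example for steps 3, 4, 9 and 10; it is not Tufin's code and does not ship with SecureTrack. It implements the arithmetic stated on this page (priority code = 8 * facility code + severity level), decodes the <PRI> header of captured syslog lines so you can see which facilities and severities a device really emits rather than guessing, and renders the Override_Syslog_Priority element to paste under <conf>. The DEFAULT_SEVERITIES and SUPPORTED_PARSER_IDS tables are copied from this page; the sample syslog lines are constructed for illustration; the missing_default_codes check is based on the page's statement that manual settings override the defaults, so it is an assumption that a dropped local7 combination would no longer be received.

```python
"""Syslog priority-code helpers for the Override_Syslog_Priority procedure.

Added worked example; not Tufin's code. Implements the arithmetic stated on
this page (priority code = 8 * facility code + severity level) and renders
the XML element the procedure tells you to paste under <conf>.
The sample syslog lines below are constructed for illustration.
"""
import re
from itertools import product

LOCAL7 = 23  # facility SecureTrack listens for by default (from the page)

# Default severity levels per parser ID, from the table on this page.
DEFAULT_SEVERITIES = {
    "CiscoDevice": {5}, "CiscoRouter": {5}, "Fortinet": {3, 4, 5, 6, 7},
    "JunOs": {5, 6}, "Netscreen": {4, 5, 6}, "NSM": {1}, "PaloAlto": {6},
}

# Values the page lists as supported for message_parser_type.
SUPPORTED_PARSER_IDS = {
    "NSM", "CiscoDevice", "CiscoRouter", "JunOs", "Fortinet", "PaloAlto",
    "PanoramaNg", "FortiManager", "Nsx", "FortiManagerAsAPlatform",
}

# RFC 3164/5424 messages begin with the PRI value in angle brackets, e.g. "<189>".
PRI_RE = re.compile(r"^<(\d{1,3})>")


def priority_code(facility, severity):
    """Priority code = 8 * facility + severity, with range checks."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility code out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity level out of range: {severity}")
    return 8 * facility + severity


def decode_priority(pri):
    """Inverse of priority_code: split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"priority code out of range: {pri}")
    return divmod(pri, 8)


def observed_combinations(lines):
    """(facility, severity) pairs actually present in captured raw syslog lines."""
    pairs = set()
    for line in lines:
        match = PRI_RE.match(line)
        if not match:
            raise ValueError(f"line has no <PRI> header: {line[:40]!r}")
        pairs.add(decode_priority(int(match.group(1))))
    return pairs


def all_combinations(facilities, severities):
    """Every facility x severity pair, for when no pair can be ruled out."""
    return set(product(facilities, severities))


def priority_codes(combinations):
    """Sorted, de-duplicated priority codes for (facility, severity) pairs."""
    return sorted({priority_code(f, s) for f, s in combinations})


def missing_default_codes(parser_id, codes):
    """Default (local7, default severity) codes absent from an override list.

    Assumption (from the page): manual settings override the defaults, so any
    local7 combination you still want must appear in the <pri> list.
    """
    defaults = {priority_code(LOCAL7, s) for s in DEFAULT_SEVERITIES.get(parser_id, ())}
    return sorted(defaults - set(codes))


def override_block(parser_id, codes):
    """Render the <Override_Syslog_Priority> element to paste under <conf>."""
    if parser_id not in SUPPORTED_PARSER_IDS:
        raise ValueError(f"unsupported parser ID: {parser_id}")
    lines = [f'<Override_Syslog_Priority message_parser_type="{parser_id}">']
    lines += [f"<pri>{code}</pri>" for code in sorted(set(codes))]
    lines.append("</Override_Syslog_Priority>")
    return "\n".join(lines)


# Constructed sample: a JunOS device sending user/6, local6/5 and local7/5.
SAMPLE_LINES = [
    "<14>Jan  1 10:00:00 junos-fw-1 mgd[2101]: UI_COMMIT: constructed sample",
    "<181>Jan  1 10:00:01 junos-fw-1 RT_FLOW: SESSION_CREATE constructed sample",
    "<189>Jan  1 10:00:02 junos-fw-1 RT_FLOW: SESSION_CLOSE constructed sample",
    "<181>Jan  1 10:00:03 junos-fw-1 RT_FLOW: SESSION_CREATE constructed sample",
]


if __name__ == "__main__":
    codes = priority_codes(observed_combinations(SAMPLE_LINES))  # [14, 181, 189]
    print(override_block("JunOs", codes))
    print("default codes not covered:", missing_default_codes("JunOs", codes))
```

Running the block reproduces the JunOs element from step 10 and reports that priority code 190 (local7 with default severity 6) is not in that list; whether that omission matters depends on whether the device can emit that combination, which is exactly the judgement step 4 asks you to make.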