Configuring SecureTrack for Non-Default Syslogs

Overview

For some types of monitored devices, you must configure the device to send syslogs (Configuring Devices to Send Logs) to SecureTrack in order to get accountability and usage data. SecureTrack is preconfigured to receive syslogs for facility local7, and for the default severity levels of syslogs sent by each firewall vendor (listed below). To use a non-default facility or severity level, you must manually configure SecureTrack for each device type that sends non-default syslogs. For these device types, your manual settings override the default settings in SecureTrack.

If a firewall is monitored both as a standalone device and as the child of a management device, you must disable syslog collection for either the standalone device or the management device; otherwise its syslogs are not collected.

Configure the Syslog

Configure SecureTrack to receive syslogs with non-default facilities and/or severity levels, for a specific device type.

We recommend that you back up the stconf table before making any changes, because a malformed edit affects syslog handling for every device of that type.

  1. Find the parser ID string for the device type sending the syslogs. Parser ID strings are:

     Device type                            Usage syslogs   Accountability syslogs
     Cisco FMCs                             CiscoFmc        CiscoFmc
     Cisco Firewalls                        CiscoDevice     CiscoDevice
     Cisco Routers                          CiscoRouter     CiscoRouter
     Fortinet FortiManager 5.24 or lower    Fortinet        FortiManager
     Fortinet FortiManager 5.4 or higher    Fortinet        FortiManagerAsAPlatform
     Fortinet FortiGate                     Fortinet        Fortinet
     Juniper JunOS                          JunOs           JunOs
     Juniper Netscreen                      Netscreen       Netscreen
     Juniper NSM                            NSM             NSM
     Palo Alto Panorama 7.0 or lower        PaloAlto        PaloAlto
     Palo Alto Panorama 7.1 or higher       PaloAlto        PanoramaNg
     Palo Alto Firewalls                    PaloAlto        PaloAlto
     VMware NSX                             Nsx             Nsx
  2. Find the code numbers for the facilities that you want in the syslogs. Facility codes (per the standard syslog facility table) are:

    kernel messages 0
    user-level messages 1
    mail system 2
    system daemons 3
    security/authorization messages 4
    messages generated internally by syslogd 5
    line printer subsystem 6
    network news subsystem 7
    UUCP subsystem 8
    clock daemon 9
    security/authorization messages 10
    FTP daemon 11
    NTP subsystem 12
    log audit 13
    log alert 14
    clock daemon 15
    local use 0 (local0) 16
    local use 1 (local1) 17
    local use 2 (local2) 18
    local use 3 (local3) 19
    local use 4 (local4) 20
    local use 5 (local5) 21
    local use 6 (local6) 22
    (Default:) local use 7 (local7) 23
  3. Find the severity levels sent by your devices. The default severity levels are:

    Cisco 5
    Fortinet 3,4,5,6,7
    JunOS 5,6
    Netscreen 4,5,6
    NSM 1
    Palo Alto 6
    VMware NSX 13, 14
  4. Calculate your relevant priority codes: one priority code for each combination of facility code and severity level that your devices actually send.

    The priority code is the facility code multiplied by 8, plus the severity level code:

    Priority code = 8 * Facility code + Severity level code

    For example, if your JunOS devices use the default severity levels (5 and 6) but may produce syslogs with facility codes 1, 22, or 23, then you may need to calculate six priority codes (severity 5 with each of the three facility codes, and severity 6 with each of the three facility codes). However, if you know that facility code 1 only occurs with severity 6, and the other two facility codes (22, 23) only with severity 5, then you only need to calculate three priority codes. These are 14, 181, and 189:

    8*1+6=14

    8*22+5=181

    8*23+5=189

    Make a note of the calculated priority codes.

  5. Open your browser and log into SecureTrack as a SecureTrack Administrator.
  6. In the browser, open:

    https://<SecureTrack_IP>/stcgitest.htm

  7. Click Edit StConf

  8. Click Fetch Current Conf

  9. Under <conf>, add the following lines, substituting the relevant parser ID string (from step 1) for parserid (keep the quote marks):

    <Override_Syslog_Priority message_parser_type="parserid">
    </Override_Syslog_Priority>

    Supported values for parserid are:

    • NSM
    • CiscoDevice (includes ASA firewalls)
    • CiscoRouter
    • JunOs
    • Fortinet
    • PaloAlto
    • PanoramaNg
    • FortiManager
    • Nsx
    • FortiManagerAsAPlatform
  10. Between the above two lines, for each required priority code (from step 4), add a line in the following form, substituting the relevant priority code for pc. Because the override replaces the default facility/severity settings for that device type, also add priority codes for any default combinations the device still sends:

    <pri>pc</pri>

    Using the example from above (step 4), you would now have:

    <Override_Syslog_Priority message_parser_type="JunOs">
    <pri>14</pri>
    <pri>181</pri>
    <pri>189</pri>
    </Override_Syslog_Priority>

  11. At the bottom of the page, click Submit New Conf

  12. Restart the syslog components, using whichever command applies to your deployment:

    On a Kubernetes-based deployment, delete the syslog-agent pods; the deleted pods restart automatically:

    kubectl get pods -n default --no-headers=true | awk '/syslog-agent/{print $1}' | xargs kubectl delete -n default pod

    Otherwise, restart the syslog service:

    st restart syslog
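The following script is an added example, not part of the Tufin documentation or SecureTrack itself. It decodes the leading <PRI> field of real syslog lines so you can verify which facility/severity combinations a device actually sends (rather than guessing, as step 4 requires), computes the priority codes with the formula from step 4, and renders the Override_Syslog_Priority fragment from steps 9 and 10. The sample log lines are constructed for illustration and the set of accepted parser IDs is taken from the list in step 9.

```python
"""Added example (not Tufin's code): derive SecureTrack syslog priority
overrides from observed syslog lines.

PRI = 8 * facility + severity, carried as "<PRI>" at the start of each
syslog message (RFC 3164 / RFC 5424). Decoding it from a capture tells you
exactly which overrides a device type needs.
"""
import re
from typing import Iterable, List, Tuple

# parserid values accepted in Override_Syslog_Priority (step 9 of the page).
PARSER_IDS = {
    "NSM", "CiscoDevice", "CiscoRouter", "JunOs", "Fortinet", "PaloAlto",
    "PanoramaNg", "FortiManager", "Nsx", "FortiManagerAsAPlatform",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def priority_code(facility: int, severity: int) -> int:
    """Priority code = 8 * facility + severity (step 4)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} out of range 0-23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} out of range 0-7")
    return 8 * facility + severity


def decode_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 8 * 23 + 7 is the largest valid value
        raise ValueError(f"PRI {pri} exceeds maximum 191")
    return divmod(pri, 8)  # (facility, severity)


def observed_pairs(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """Distinct (facility, severity) pairs seen in a batch of lines, sorted."""
    return sorted({decode_pri(line) for line in lines if PRI_RE.match(line)})


def build_override(parser_id: str, pairs: Iterable[Tuple[int, int]]) -> str:
    """Render the stconf fragment from steps 9 and 10, one <pri> per code."""
    if parser_id not in PARSER_IDS:
        raise ValueError(f"unknown parser ID {parser_id!r}")
    codes = sorted({priority_code(f, s) for f, s in pairs})
    body = "".join(f"<pri>{code}</pri>\n" for code in codes)
    return (f'<Override_Syslog_Priority message_parser_type="{parser_id}">\n'
            f"{body}</Override_Syslog_Priority>\n")


# Constructed sample: JunOS-style messages using facilities 1, 22 and 23,
# matching the worked example in step 4 of the page.
SAMPLE_LINES = [
    "<14>Jun  1 10:00:00 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created",
    "<181>Jun  1 10:00:01 srx1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed",
    "<189>Jun  1 10:00:02 srx1 UI_COMMIT: User 'admin' requested 'commit'",
    "<189>Jun  1 10:00:03 srx1 UI_COMMIT_COMPLETED: commit complete",
]

if __name__ == "__main__":
    pairs = observed_pairs(SAMPLE_LINES)
    print("observed (facility, severity):", pairs)
    print(build_override("JunOs", pairs))
```

Feed it a capture of the device's real syslog stream (for example, a few hundred lines collected on the SecureTrack host) instead of SAMPLE_LINES, and paste the printed fragment under <conf> in step 9. The script rejects PRI values above 191 and severities outside 0-7 so a typo in a hand-written override does not silently disable collection for that device type.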