Configuring SecureTrack for Non-Default Syslogs
Overview
For some types of monitored devices, to get accountability and usage data, you must configure the device to send syslogs (Configuring Devices to Send Logs) to SecureTrack.
SecureTrack is preconfigured to receive syslogs for facility local7, and for the default severity levels of syslogs sent by each firewall vendor (listed below). See Sending additional information through syslogs.
To use a non-default facility or severity level, as described here, you must manually configure SecureTrack for each device type that sends non-default syslogs. For these device types, your manual settings override the default settings in SecureTrack.
If a firewall is monitored both as a standalone device and as the child of a management device, you must disable syslog collection for either the standalone device or the management device; otherwise the same syslogs are collected twice.
Prerequisites
Parser IDs by Device Types
The table below lists the parser ID strings for usage and accountability syslogs.
The parser ID is required to override the default syslogs. Make a note of the parser ID string for the device type sending the syslogs.
| Device type | Usage syslogs | Accountability syslogs |
|---|---|---|
| Check Point | Checkpoint | Checkpoint |
| Cisco FMCs | CiscoFmc | CiscoFmc |
| Cisco Firewalls | CiscoDevice | CiscoDevice |
| Cisco Routers | CiscoRouter | CiscoRouter |
| Fortinet FortiManager 5.24 or lower | Fortinet | FortiManager |
| Fortinet FortiManager 5.4 or higher | Fortinet | FortiManagerAsAPlatform |
| Fortinet FortiGate | Fortinet | Fortinet |
| Juniper JunOS | JunOs | JunOs |
| Juniper Netscreen | Netscreen | Netscreen |
| Palo Alto Panorama 7.0 or lower | PaloAlto | PaloAlto |
| Palo Alto Panorama 7.1 or higher | PaloAlto | PanoramaNg |
| Palo Alto Firewalls | PaloAlto | PaloAlto |
| VMware NSX | Nsx | Nsx |
Facility Codes for Syslogs
The table below lists the facility codes for syslogs.
The facility code is required to calculate the relevant priority codes.
| Facility | Facility code |
|---|---|
| kernel messages | 0 |
| user-level messages | 1 |
| mail system | 2 |
| system daemons | 3 |
| security/authorization messages | 4 |
| messages generated internally by syslogd | 5 |
| line printer subsystem | 6 |
| network news subsystem | 7 |
| UUCP subsystem | 8 |
| clock daemon | 9 |
| security/authorization messages | 10 |
| FTP daemon | 11 |
| NTP subsystem | 12 |
| log audit | 13 |
| log alert | 14 |
| clock daemon | 15 |
| local use 0 (local0) | 16 |
| local use 1 (local1) | 17 |
| local use 2 (local2) | 18 |
| local use 3 (local3) | 19 |
| local use 4 (local4) | 20 |
| local use 5 (local5) | 21 |
| local use 6 (local6) | 22 |
| (Default:) local use 7 (local7) | 23 |
Default Severity Levels for Device Types
The table below lists the default severity levels for syslogs.
The severity level is required to calculate the relevant priority codes.
| Device type | Default severity levels |
|---|---|
| Cisco | 5 |
| Fortinet | 3,4,5,6,7 |
| JunOS | 5,6 |
| Netscreen | 4,5,6 |
| Palo Alto | 6 |
| VMware NSX | 13, 14 |
Configure SecureTrack
Use the following procedure to configure SecureTrack to receive syslogs with non-default facilities and/or severity levels for a specific device type.
1. Find the code numbers for the facilities that you want the syslogs to include, as listed in Facility codes for syslogs.
2. Find the severity levels sent by your devices, as listed in Default severity levels for device types.
3. Calculate your relevant priority codes: one priority code for each possible combination of facility code with severity level.

   The priority code is defined as the facility code multiplied by 8, plus the severity level code:

   Priority code = 8 * Facility code + Severity level code

   For example:

   If your JunOS devices use the default severity levels, but may produce syslogs with facility codes 1, 22, or 23, then you may need to calculate six priority codes (for severity code 5 with each of these three facility codes, and for severity code 6 with each of the three facility codes).

   However, if you know that facility code 1 will only occur with severity code 6, and the other two facility codes (22, 23) only with severity code 5, then you only need to calculate three priority codes. These will be 14, 181, and 189:

   8*1+6=14
   8*22+5=181
   8*23+5=189

   Make a note of the calculated priority codes.
4. Open your browser and log into SecureTrack as a SecureTrack Administrator.
5. In the browser, enter this URL:
6. Click Edit StConf.
7. Click Fetch Current Conf.
8. Under `<conf>`, add the following lines, replacing parserid with the relevant parser ID string you noted down. Make sure you retain the quotation marks:

   ```xml
   <Override_Syslog_Priority message_parser_type="parserid">
   </Override_Syslog_Priority>
   ```

   Supported values for parserid include:
   - CiscoFmc
   - CiscoDevice (includes ASA firewalls)
   - CiscoRouter
   - Fortinet
   - JunOs
   - Netscreen
   - PaloAlto
   - PanoramaNg
   - FortiManager
   - NSM
   - Nsx
   - FortiManagerAsAPlatform
9. Between the above two lines, for each required priority code (from step 3), add a line in the following format, substituting the relevant priority code for pc:

   ```xml
   <pri>pc</pri>
   ```

   Using the example from above (step 3), you would now have:

   ```xml
   <Override_Syslog_Priority message_parser_type="JunOs">
   <pri>14</pri>
   <pri>181</pri>
   <pri>189</pri>
   </Override_Syslog_Priority>
   ```
10. At the bottom of the page, click Submit New Conf.
11. Restart all syslog agent pods:

    ```shell
    kubectl get pods -n default --no-headers=true | awk '/syslog-agent/{print $1}' | xargs kubectl delete -n default pod
    ```

    The deleted pods will restart automatically.
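The following Python is an added example, not part of the Tufin documentation or of SecureTrack: it computes the priority codes for the facility/severity combinations from step 3, decodes the `<PRI>` header of captured syslog lines so you can confirm which codes your devices actually emit before editing StConf, and renders the `Override_Syslog_Priority` element for step 9. The sample syslog lines are constructed, not a real capture.

```python
import re
from xml.sax.saxutils import quoteattr

# RFC 3164/5424 syslog lines start with "<PRI>", where PRI = 8 * facility + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def priority_code(facility, severity):
    """Priority code as defined in step 3: 8 * facility code + severity level code."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError(f"facility {facility}/severity {severity} out of range")
    return 8 * facility + severity


def priority_codes(facilities, severities):
    """One priority code for every facility/severity combination (sorted, no duplicates)."""
    return sorted({priority_code(f, s) for f in facilities for s in severities})


def decode_pri(pri):
    """Split a PRI value back into (facility code, severity level)."""
    return divmod(pri, 8)


def observed_priorities(syslog_lines):
    """PRI values actually present in captured lines; lines without a <PRI> header are skipped."""
    found = set()
    for line in syslog_lines:
        m = PRI_RE.match(line)
        if m and int(m.group(1)) <= 191:  # 8 * 23 + 7 is the largest valid PRI
            found.add(int(m.group(1)))
    return sorted(found)


def override_block(parser_id, pris):
    """Render the Override_Syslog_Priority element to paste under <conf> in StConf."""
    out = [f"<Override_Syslog_Priority message_parser_type={quoteattr(parser_id)}>"]
    out += [f"<pri>{pc}</pri>" for pc in sorted(set(pris))]
    out.append("</Override_Syslog_Priority>")
    return "\n".join(out)


# Constructed sample (not a real capture): a JunOS device sending with
# facilities 1, 22 and 23 at the default JunOS severities 5 and 6.
SAMPLE_SYSLOG = [
    "<14>Jan 10 12:00:01 fw1 mgd[1234]: UI_COMMIT: User 'admin' performed commit",
    "<181>Jan 10 12:00:02 fw1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created",
    "<189>Jan 10 12:00:03 fw1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed",
    "<181>Jan 10 12:00:04 fw1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created",
    "Jan 10 12:00:05 fw1 relay: a line without a PRI header is ignored",
]

if __name__ == "__main__":
    seen = observed_priorities(SAMPLE_SYSLOG)
    for pc in seen:
        print(pc, "-> (facility, severity)", decode_pri(pc))
    print(override_block("JunOs", seen))
```

Run it against a short capture from the device (for example a few lines from the collector) to check that the codes you configure match what is actually arriving.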