What is Syslog
Syslog is a way for network devices to send event messages to a logging server – in our case it’s the NetWatcher sensor. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events. A wide variety of devices, such as printers, routers, and firewalls across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository.
General items with Syslog to be aware of…
First, consistency: the Syslog protocol doesn’t define a standard way for message content to be formatted, and there are as many ways to format a message as there are developers. Some messages are human readable and some aren’t. Syslog doesn’t care; it just provides a way to transport the message.
There are also some challenges that arise because of the way syslog uses UDP as a transport. UDP is connectionless and not guaranteed – so it could be possible to lose log messages due to network congestion or packet loss.
Finally, there are some security challenges with syslog. There is no authentication on syslog messages, so it could be possible for one machine to impersonate another machine and send bogus log events.
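Because nothing in the protocol authenticates the sender, a collector can at least check each UDP datagram against a list of registered devices. The following is an added example, not NetWatcher code: the device inventory, hostnames, addresses and sample messages are constructed, and it assumes devices send an RFC 3164 style header with a hostname field.

```python
import re

# Constructed inventory (assumption): source IP -> hostname that device reports.
# Addresses come from the RFC 5737 documentation ranges.
KNOWN_SENDERS = {"192.0.2.1": "fw-edge", "192.0.2.20": "printer-2f"}

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOSTNAME free-form-content
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def check_datagram(src_ip, payload):
    """Classify one UDP syslog datagram; returns (verdict, detail)."""
    expected = KNOWN_SENDERS.get(src_ip)
    if expected is None:
        return "unknown-sender", f"{src_ip} is not a registered device"
    m = RFC3164.match(payload.decode("utf-8", errors="replace"))
    if m is None or int(m["pri"]) > 191:  # highest PRI is 23 * 8 + 7
        return "unparsed", "no RFC 3164 header; content format is vendor-specific"
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    if m["host"].lower() != expected:
        return "host-mismatch", f"{src_ip} claims {m['host']}, expected {expected}"
    return "ok", f"{expected} facility={facility} severity={SEVERITIES[severity]}"


# Constructed sample datagrams: (source IP seen by the collector, payload)
SAMPLES = [
    ("192.0.2.1", b'<134>Oct  3 11:02:14 fw-edge id=firewall msg="Connection Opened"'),
    ("192.0.2.20", b'<134>Oct  3 11:02:15 fw-edge id=firewall msg="Connection Closed"'),
    ("198.51.100.7", b"<13>Oct  3 11:02:16 fw-edge test"),
    ("192.0.2.1", b"free-form text with no header"),
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        print(src, *check_datagram(src, data))
```

The source address of a UDP datagram is not authenticated either, so this is a consistency check that surfaces unregistered or mismatched senders, not proof of origin.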
Setting up NetWatcher to collect Syslog data
Step 1 – Get the ‘Local DNS’ name for the sensor
Step 1.1 – Log into the Customer Portal and go to ‘Configure | MySensors’
Step 1.2 - Go into the sensor details page and get the ‘Local DNS’ name for the sensor
Step 2 – Log in to your firewall and configure it to send syslog data to the NetWatcher sensor. Here is an example on a SonicWall firewall.
How to view your firewall’s syslog data in the Customer Portal
Step 1 – Go to the ‘Advanced’ tab, choose Events, and filter on Type = “Sagan”
Step 2 – View the details of a syslog event
- You must tell us the type of device and the IP address of the device sending syslogs so we can enable the appropriate ruleset on the backend.
- TLS on Port 10514 is not supported yet. We currently only support UDP 514.
How to Report Issues:
Send email to firstname.lastname@example.org with Title: SIEM Feedback