/
How to Configure Syslog Streaming

How to Configure Syslog Streaming

The syslog streaming configuration defines the handling of log files. Log messages of centrally managed firewalls can be transmitted to the Firewall Control Center Syslog service, but they can just as well be transmitted to any other system designed for log file collection or to another Barracuda CloudGen Firewall.

Before You Begin

To send log data from the same source (e.g., VPN) to multiple destinations, there must be only a single entry in the Logdata Filters table that contains the definition of that source. The various Logstream Destinations must be assigned to that single source when configuring log data streams:

Entry #

Logdata Filters

Logdata Streams

Logstream Destinations

Entry #

Logdata Filters

Logdata Streams

Logstream Destinations

1

FW

--- S1 -->

D1

2

DHCP

--- S2 -->

D2

3

VPN

--- S3 -->

D1, D2

Step 1. Enable the Syslog Service

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

  2. Click Lock.

  3. Set Enable Syslog Streaming to yes.

cloudwatch_01.png

  1. Click Send Changes and Activate.

Step 2. (optional) Upload External TLS Certificates

If the syslog stream is TLS encrypted, the box certificate and key are used by default. You can upload custom TLS certificates if you want to use them.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

  2. Click Lock.

  3. In the left menu, expand the Configuration Mode section and click Switch to Advanced View.

  4. From the Use Box Certificate/Key list, select no.

  5. Import the TLS Private Key and TLS Certificate.

  6. Click Send Changes and Activate.

Step 3. Configure Logdata Filters

Define profiles specifying the log file types to be transferred/streamed.

  1. Go to CONFIGURATION > Full Configuration > Box >  Infrastructure Services > Syslog Streaming.

  2. In the left menu, select Logdata Filters.

  3. Expand the Configuration Mode menu and select Switch to Advanced View.

  4. Click Lock.

  5. Click the + icon to add a new entry. 

  6. Enter a descriptive name in the Filters dialog and click OK.

  7. In the Data Selection table, add the log files to be streamed. You can select:

    • Fatal_log – Log contents of the fatal log (log instance name: fatal)

    • Panic_log – Log contents of the panic log (log instance name: panic

  8. In the Affected Box Logdata section, define what kind of box logs are to be affected by the syslog daemon from the Data Selection list.

  9. When choosing Selection (default):

    1. Click the + icon next to Data Selection to add an entry.

    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.

    3. Add the Log Gr oups for selection or select Other and specify an explicit selection. For more information, see User Defined Log Groups.

    4. Set a Log Message Filter. When choosing Selection

      • Add the explicit log type to the Selected Message Types table.

    5. Click OK.

  10. In the Affected Service Logdata section, define what kind of logs created by services are to be affected by the syslog daemon from the Data Selection list.

  11. When choosing Selection (default), 

    1. Click the + icon next to Data Selection to add an entry.

    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.

    3. In the Log Gr oups table, add the server and services where log messages are streamed from, or select Other and specify a more granulated selection. For more information, see User Defined Log Groups.

    4. Set a Log Message Filter. When choosing Selection

      • Add the explicit log type to the Selected Message Types table.

    5. Click OK.

  12. Click Send Changes and Activate.

User Defined Log Groups

For selective syslog streaming, a configured log stream destination is required. This can either be a Barracuda Firewall Control Center or a dedicated third-party syslog server. For granulated selection, configure log data filters, using the Data Selection > Log Groups parameter Other  and enter a string up to sample:

  • <modulname>_<logfile>

Example (for Affected Service Logdata):

  • virscan_cas

  • firewall_auth

  • firewall_Rule*

This selection would stream:

  • srv_<virscan-servername>_<virscan-servicename>_cas.log

  • srv_<firewall-servername>_<firewall-servicename>_auth.log

  • srv_<firewall-servername>_<firewall-servicename>_Rule*.log

This selection would not stream:

  • srv_<virscan-servername>_<virscan-servicename>.log

  • srv_<virscan-servername>_<virscan-servicename>_clamav.log

  • srv_<firewall-servername>_<firewall-servicename>.log

List of Available Box Module Names

Group

Sub-Group

File System Log

Group

Sub-Group

File System Log

Auth

Auth-All

/var/phion/logs/*Auth*.log

 

Auth-Access-Only

/var/phion/logs/*Auth_access*.log

 

Auth-SMS-Only

/var/phion/logs/*Auth_SMS*.log

Broadcaster

 

/var/phion/logs/*broadcaster*.log

Cloud

Cloud-All

/var/phion/logs/*Cloud*.log

 

Cloud-Control

/var/phion/logs/*Cloud_control*.log

 

Cloud-AWS-AutoScale

/var/phion/logs/*Cloud_awsautoscale*.log

 

Cloud-AWS-Log-Daemon

/var/phion/logs/*Cloud_awsconfigsyncd*.log

Config

Config-All

/var/phion/logs/*Config*.log

Control

Control-All

/var/phion/logs/*Control*.log

Event

Event-All

/var/phion/logs/*Event*.log

 

Event-Data-Only

/var/phion/logs/*Event_eventS*.log

Firewall

Firewall-All

/var/phion/logs/*Firewall*.log

 

Firewall-Activity-Only

/var/phion/logs/*Firewall_Activity*.log

 

Firewall-Threat-Only

/var/phion/logs/*Firewall_threat*.log

 

Firewall-IPS-Download-Only

/var/phion/logs/*Firewall_IPSDownload*.log

Logs

Logs-All

/var/phion/logs/*Logs*.log

Network

Network-All

/var/phion/logs/*Network *.log

Release

Release-All

/var/phion/logs/*Release*.log

Settings

Settings-All

/var/phion/logs/*Settings *.log

 

Settings-DNS-Only

/var/phion/logs/*Settings_DNS*.log

 

Settings-Time-Only

/var/phion/logs/*Settings_time*.log

SNMP

SNMP-All

/var/phion/logs/*Snmp_Snmp*.log

SSH

SSH-All

/var/phion/logs/*Snmp_Snmp*.log

 

SSH-SSHd-Only

/var/phion/logs/*SSH_sshd*.log

Statistics

Statistics-All

/var/phion/logs/*Statistics*.log

Watchdog

Watchdog-All

/var/phion/logs/*Watchdog*.log

 

Watchdog-SMART-Only

/var/phion/logs/*Watchdog_smartd*.log

 

Watchdog-Repair-Only

/var/phion/logs/*Watchdog_repair*.log

 

Watchdog-Monitor-Only

/var/phion/logs/*Watchdog_monitor*.log

List of Available CC-managed Box Modules

  • AV-Scanner: virscan

  • DHCP-Enterprise-Server: dhcpe

  • DHCP-Relay: dhcprelay

  • DNS: dns

  • Firewall: firewall

  • FW-Audit-Service: fwaudit

  • C-Firewall: cfirewall

  • FTP-Gateway: ftpgw

  • HTTP-Proxy: proxy

  • HTTP/HTTPS-Proxy: sslprx

  • Mail-Gateway: mailgw

  • OSPFv2-Router: ospf

  • Policy-Service: policyserver

  • Secure-Web-Proxy: sslprx

  • SPAM-Filter: spamfilter

  • SNMP-Service: snmp

  • SSH-Proxy: sshprx

  • ISS-ProventiaWebFilter: cofs

  • VPN-Server: vpnserver

List of Available Single Box Module Names

  • AV-Scanner: virscan

  • DHCP-Enterprise-Server: dhcpe

  • DHCP-Relay: dhcprelay

  • DNS: dns

  • Firewall: firewall

  • FTP-Gateway: ftpgw

  • HTTP-Proxy: proxy

  • HTTP/HTTPS-Proxy: sslprx

  • ISS-ProventiaWebFilter: cofs

  • Mail-Gateway: mailgw

  • OSPFv2-Router: ospf

  • Policy-Service: policyserver

  • Secure-Web-Proxy: sslprx

  • SNMP-Service: snmp

  • SPAM-Filter: spamfilter

  • SSH-Proxy: sshprx

  • VPN-Server: vpnserver

List of Available Control Center-Module Names (CC Box)

  • DNS: dns

  • Firewall: firewall

  • MC-Audit: fwaudit

  • MC-Conf: rangeconf

  • MC-Event: mevent

  • MC-Log: msyslog

  • MC-PKI: pki

  • MC-Entegra: mpolicyserver

  • MC-Reporter: rsdstats

  • MC-StatView: qstatm

  • MC-StatCollect: dstatm

  • MC-VPN: mastervpn

List of Available Reporter Module Names (Reporter Box)

  • Reporter DB: reporter

Configure Logstream Destinations

Define profiles specifying the transfer/streaming destination of log messages. Log lines from remote systems will be added as they are received but also get their creation time in ISODATE format enclosed in parentheses appended at the end, e.g.: (2013-07-01T18:37:17+00:00). Selecting CloudGen Firewall as the destination will stream the log data to another unit in exactly the same file structure as on the sender system.

  1. Go to CONFIGURATION > Full Configuration > Box >  Infrastructure Services > Syslog Streaming.

  2. In the left menu, select Logstream Destinations.

  3. Expand the Configuration Mode menu and select Switch to Advanced View.

  4. Click Lock.

  5. Click the + icon to add a new entry.

  6. Enter a descriptive name in the upcoming dialog and click OK. The Destinations window opens.

  7. Select the Logtream Destination. When an external log host is used: 

    1. Select Explicit IP (default).

    2. Configure the destination host:

      1. If you have only an IP address – Enter the destination IP address in the Destination IP Address field.

      2. If you have configured an IP or hostname network object on the Multi-Range, Range, or Cluster level, you can also click the small icon inside of the edit field to specify the log stream destination by selecting a hostname.

IP_or_hostname_edit_field.png

  1. Enter the Destination Port for delivering syslog messages. The Barracuda Networks CC syslog service listens on port TCP 5143 for TLS connections and on TCP and UDP port 5144 for unencrypted streaming. The default is to use encryption for delivery; therefore, port 5143 is preconfigured.

When changing the port, you must also adapt the host firewall rule for syslog traffic to use the new port.

  1. Select the Transmission Mode (TCP or UDP - default; for TLS connections TCP is automatically set).

You may specify a particular Sender IP address used for sending the log data. When sending to a Barracuda Firewall Control Center, either the VIP or, in the absence of a management tunnel, the MIP is selected automatically.

  1. Click OK.

  2. Click Send Changes and Activate.

You may specify a particular address to be used in order to send the log data.

TLS Encapsulation

The option Use TLS Encapsulation may be turned off when the log stream is transmitted to the Barracuda Firewall Control Center and the box has a management tunnel to the Control Center. For CC transmission without a box tunnel, activating TLS encapsulation is recommended. Note also that transmission to a non-Barracuda CloudGen Firewall system should be TLS encapsulated for reasons of privacy.

TLS Peer Authentication defines the way in which a destination system is authenticated when using TLS-based authentication (authentication of the destination server by the box being a client). The list offers the following choices:

  • verify_peer_with_locally_installed_certificate – (default) The destination system is verified against a locally stored certificate either in the respective destination section or the Barracuda Firewall Control Center's certificate. This setting is useful when log messages are delivered to a system outside the scope of Barracuda Firewall Control Centers. For centrally administered firewalls, this is the only applicable option.

If the destination system is not a Barracuda Firewall Control Center, the peer TLS certificate may be required

  • verify_peer_certificate – The destination system is verified against a locally stored CA certificate. Copy the root certificate into the field Certificate Chain in the section Data Transfer Setup at CONFIGURATION > Configuration Tree > Infrastructure Services > Syslog Streaming > Logstream Destinations.

Contact Us
Barracuda Campus
Barracuda Support