Re: Logging to Syslog?

Hey guys, I just found this info. I hope it could help. I haven't tested it yet because I don't have a virtual machine or anything like it at the moment, but if someone tries it before I do, let me know.

Sending FireWall-1 logs to a remote 'syslog' server

Management server on Nokia/SecurePlatform/Solaris - NG FP3/AI

1) On the management station, redirect syslog messages to the external syslog server.

If the management station is Nokia:
a) Log in to the Voyager web interface on the management station, using a browser.
b) Click the 'Config' button, and then click the 'System Logging' link.
c) In the 'System Logging' page, enter the IP of the remote syslog server in the "Add new remote IP address to log to" field, and press the 'Apply' button.
d) In the 'System Logging' page, click the drop-down menu labeled 'Add Security Level', choose 'Info' and press the 'Apply' button.
(Note: slight variations in the names of buttons and fields in Voyager may occur, depending on the IPSO OS version.)

If the management station is SecurePlatform/Solaris:
a) Edit /etc/syslog.conf on the management station, and add the following line at the end of the file:
   local5.info @hostname
   where 'hostname' is the resolvable hostname of the remote syslog server, or the IP of the syslog server.
b1) SecurePlatform: execute 'service syslog restart'.
b2) Solaris: execute '/etc/init.d/syslog stop' and '/etc/init.d/syslog start'.

2) On the management station, the FireWall-1 log entries need to be directed to the local syslog daemon, so that it relays them to the external syslog server.
a) Edit $FWDIR/bin/fwstart, and add the command
   $FWDIR/bin/fw log -t -f -l | logger -t FireWall-1 -p local5.info &
   as the second line in the file.
b) Run 'cpstop ; cpstart' on the management station.

Provider-1 Solaris

1) Follow step #1 in the previous section.
2) On the Provider-1 Solaris machine, edit $MDSDIR/scripts/fwstart, and add the command
   $FWDIR/bin/fw log -t -f -l | logger -t "CMA $MSP_SOMEIP_ADDR" -p local5.info &
   as the second line in the file.

Limitations:
1) After a 'cpstop', the 'fw log' command will not exit, and will continue running. Performing 'cpstart' afterwards will result in several 'fw log' commands running simultaneously.
2) After an upgrade of the FireWall-1 on the management station, the changes in step #2 must be repeated.
3) After an upgrade of the OS on the management station, the changes in step #1 must be repeated.
4) Note: the 'syslog' protocol is not secured and is not encrypted. The 'syslog' packets can be captured and analyzed. It is recommended to pass the 'syslog' traffic to the 'syslog' server over a secure medium (dedicated interface/VLAN, IPSec tunnel, etc.).