CPUG | The Check Point User Group | A Resource For The Check Point Community. Fast. Useful. Independent.
Logging to Syslog?

To log specific events to syslog, I use 'User-Defined' logging for this. My user-defined program (defined in the Rulebase Properties, Logging and Alerting tab) is "/usr/ucb/logger -p daemon.notice". The path to the 'logger' utility will vary on OS.

Another alternative is to log everything to syslog. You can do this with the command:

```sh
$FWDIR/bin/fw log -f 2>>/var/adm/fw-log.log | /bin/logger -p local5.info > /dev/null 2>&1 &
```

This command runs in the background and logs everything to syslog. Note that it might be best to put this into a boot script after FireWall-1 loads so that everything is dumped to syslog.

2002-Nov-27 01:03 dwelchATphoneboyDOTcom

I'm working with a solution for Windows, using WSH (Windows Script Host). It needs WSH version 5.6, which, if needed, you can get at: msdn.microsoft.com/scripting. The script is:

```vbscript
Set objShell = CreateObject("WScript.Shell")
' Run "fw log" in follow mode and read its output line by line
Set objWshScriptExec = objShell.Exec("fw log -ft -l -n")
Set objStdOut = objWshScriptExec.StdOut
While Not objStdOut.AtEndOfStream
    strLine = objStdOut.ReadLine
    ' Only forward lines that contain "drop"
    If InStr(strLine, "drop") Then
        ' Hand the line to KLog as the message; 0 = hidden window, False = do not wait
        ' (path c:\klog\klog as given in the post; the page had lost the backslashes)
        objShell.Run "c:\klog\klog -h 10.0.0.1 -L Alert -F User -m """ & strLine & """", 0, False
    End If
Wend
```

The idea is to run the "fw log" command from within the script, so it can send the StdOut to a variable (strLine). Now, you will need Kiwi Logger (KLog), a console-mode utility that sends text messages to a syslog daemon. Get it at: http://www.kiwisyslog.com/products.htm

You will use the variable strLine as the message (-m) option in KLog. All you have to do now is save this script as "anything.vbs" in the FW /bin folder and call it like this:

```sh
cscript anything.vbs
```

As you can see from the script, you will be able to filter any kind of text before sending it to the Syslog. In the case above, only dropped packets will be sent. The `objShell.Run "command", 0, False` avoids the zillion klog shell windows that would be opened otherwise. The performance of it doesn't seem to affect the processor.

Hope this helps... -- GuyR - 06 Jan 2004
Hey guys, I just found this info; I hope it could help. I haven't tested it yet because I don't have a virtual machine or anything like that at the moment, but if someone tries it before I do, let me know.

Sending FireWall-1 logs to a remote 'syslog' server

Management server on Nokia/SecurePlatform/Solaris - NG FP3/AI

1) On the management station, redirect syslog messages to the external syslog server.

   If the management station is Nokia:
   a) Log in to the Voyager web interface on the management station, using a browser.
   b) Click the 'Config' button, and then click the 'System Logging' link.
   c) In the 'System Logging' page, enter the IP of the remote syslog server in the "Add new remote IP address to log to" field, and press the 'Apply' button.
   d) In the 'System Logging' page, click the drop-down menu labeled 'Add Security Level', choose 'Info' and press the 'Apply' button.
   (Note: slight variations in the names of buttons and fields in Voyager might occur, depending on the IPSO OS version.)

   If the management station is SecurePlatform/Solaris:
   a) Edit /etc/syslog.conf on the management station, and add the following line at the end of the file:

      local5.info @hostname

      where 'hostname' is the resolvable hostname of the remote syslog server, or the IP of the syslog server.
   b1) SecurePlatform: execute 'service syslog restart'.
   b2) Solaris: execute '/etc/init.d/syslog stop' and '/etc/init.d/syslog start'.

2) On the management station, the FireWall-1 log entries need to be directed to the local syslog daemon, so it will relay them to the external syslog server.
   a) Edit $FWDIR/bin/fwstart, and add the command

      $FWDIR/bin/fw log -t -f -l | logger -t FireWall-1 -p local5.info &

      as the second line in the file.
   b) Run 'cpstop ; cpstart' on the management station.

Provider-1 Solaris

1) Follow step #1 in the previous section.
2) On the Provider-1 Solaris machine, edit $MDSDIR/scripts/fwstart, and add the command

      $FWDIR/bin/fw log -t -f -l | logger -t "CMA $MSP_SOMEIP_ADDR" -p local5.info &

   as the second line in the file.

Limitations:
1) After a 'cpstop', the 'fw log' command will not exit, and will continue running. Performing 'cpstart' afterwards will result in several 'fw log' commands running simultaneously.
2) After an upgrade of the FireWall-1 on the management station, the changes in step #2 must be repeated.
3) After an upgrade of the OS on the management station, the changes in step #1 must be repeated.
4) Note: the 'syslog' protocol is not secured and is not encrypted. The 'syslog' packets can be captured and analyzed. It is recommended to pass the 'syslog' traffic to the 'syslog' server over a secure medium (dedicated interface/VLAN, IPSec tunnel, etc).
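Both the FAQ above and the how-to in this post start the relay as a bare `fw log | logger` pipeline in the background, and limitation 1 notes that after `cpstop` the old `fw log` keeps running, so every `cpstart` adds another copy. The script below is an added example (mine, not from the thread or from Check Point): a POSIX sh wrapper that starts the same pipeline only when no instance is recorded as alive, and can stop it again. The pidfile path, the error-log path and the `start`/`stop`/`status` interface are my assumptions; `$FWDIR` is the Check Point environment variable the posts already use.

```sh
#!/bin/sh
# fwlog2syslog.sh (added example): run the "fw log | logger" relay from the
# thread as a single guarded instance, so a cpstop/cpstart cycle does not
# leave several "fw log" processes behind.
# Assumed locations: PIDFILE and ERRLOG are this script's own choices;
# $FWDIR is set by the Check Point environment.

PIDFILE="${PIDFILE:-/var/run/fwlog-relay.pid}"
ERRLOG="${ERRLOG:-/var/adm/fw-log.log}"
# The relay pipeline as given in the thread; override RELAY_CMD to change it
# (for example to insert a filter stage between fw log and logger).
RELAY_CMD="${RELAY_CMD:-\$FWDIR/bin/fw log -t -f -l | logger -t FireWall-1 -p local5.info}"

# relay_running PIDFILE: returns 0 if the pidfile names a live process,
# 1 otherwise. A stale pidfile left by an unclean shutdown is removed.
relay_running() {
    pf=$1
    [ -f "$pf" ] || return 1
    pid=$(cat "$pf" 2>/dev/null)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    rm -f "$pf"
    return 1
}

# start_relay PIDFILE ERRLOG CMD: start CMD in the background unless an
# instance is already running. Returns 0 when started, 1 when refused.
start_relay() {
    pf=$1; errlog=$2; cmd=$3
    if relay_running "$pf"; then
        echo "relay already running (pid $(cat "$pf"))" >&2
        return 1
    fi
    # A subshell gives the whole pipeline one parent PID to record. stdout is
    # discarded as in the thread's command; stderr is appended to ERRLOG.
    # CMD comes from this script, not from user input, so eval is acceptable.
    ( eval "$cmd" ) >/dev/null 2>>"$errlog" &
    echo $! > "$pf"
    return 0
}

# stop_relay PIDFILE: terminate the recorded subshell and, where pkill is
# available, the pipeline stages it started; then remove the pidfile.
# Returns 1 if nothing was running.
stop_relay() {
    pf=$1
    relay_running "$pf" || return 1
    pid=$(cat "$pf")
    if command -v pkill >/dev/null 2>&1; then
        pkill -TERM -P "$pid" 2>/dev/null || :
    fi
    kill -TERM "$pid" 2>/dev/null || :
    rm -f "$pf"
    return 0
}

case "${1:-}" in
    start)  start_relay "$PIDFILE" "$ERRLOG" "$RELAY_CMD" ;;
    stop)   stop_relay "$PIDFILE" ;;
    status) if relay_running "$PIDFILE"; then
                echo "running (pid $(cat "$PIDFILE"))"
            else
                echo "not running"
            fi ;;
    *)      : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Used in place of the bare pipeline, `fwlog2syslog.sh start` goes where the post puts the `fw log` line (fwstart), and `fwlog2syslog.sh stop` belongs in the matching stop hook (fwstop is the obvious candidate, but that placement is my assumption, not something the post states). Two caveats on the surrounding steps: classic syslogd on Solaris requires a tab, not spaces, between the `local5.info` selector and the `@hostname` action in /etc/syslog.conf, and because the relay terminates `fw log` on `stop`, the monitoring side should alarm on a gap in forwarded events rather than assume silence means no traffic.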
Solution: How to make FireWall-1 log to a syslog server (55.0.6739477.2672094)

To log specific events to syslog, use 'User-Defined' logging. This is defined in the Rule Base Properties, Log and Alert tab. An example is "/usr/ucb/logger -p daemon.notice".

Another alternative is to log everything to syslog. To have all logs go straight to the syslog server, run

```sh
$FWDIR/bin/fw log -f 2>>/var/adm/fw-log.log | /bin/logger -p local5.info > /dev/null 2>&1 &
```

This command runs in the background and logs everything to syslog. Note that it might be best to put this into a boot script after FireWall-1 loads so that everything is dumped to syslog.

Problem Description: How to make FireWall-1 log to a syslog server
Problem Environment: FireWall-1, UNIX, Solaris