topic Re: syslog configuration in General Topics

syslog configuration

sib2017 — Wed, 23 Mar 2016 14:25:27 GMT

Hi,

I have attached my syslog configuration .

but in my syslog i missed most of the logs .

then assigned to the policy

To forward all the logs , attached configuration

what if i choose another facilty ?

if i put one interface in tap mode can i forward the log to syslog server

Thanks

Re: syslog configuration

pankaku — Wed, 23 Mar 2016 14:29:25 GMT

Yes you can. Make sure the security policy that you will create for the tap mode apply the syslog profile in the security policy.

Re: syslog configuration

reaper — Wed, 23 Mar 2016 14:43:58 GMT

Hi Sib

are you seeing some logs or none on the syslog server ?

the facility is merely a 'view' option in syslog, you should be able to toggle your syslog server to that view to make sure the logs are being received

to verify logs are being forwarded properly, please take a look at

> debug log-receiver statistics

at the bottom you will see

External Forwarding stats:
      Type  Enqueue Count     Send Count     Drop Count    Queue Depth     Send Rate(last 1min)
    syslog              0              0              0              0                        0

which can help determine if syslog is being sent out properly or not

hRe: syslog configuration

sib2017 — Wed, 23 Mar 2016 16:38:35 GMT

Hi,

What is the differnces between facility 7 and facilty 6 .

choosing facilty 7 will increase the visibilty of the logs , (mean wil it include all logs )

Thanks

Re: syslog configuration

abjain — Thu, 24 Mar 2016 00:50:28 GMT

As I understand syslog facility is used on the syslog server to decide which log goes into which file. Facility will not help to increase or decrease the level of logging on the firewall.

As per RFC: https://tools.ietf.org/html/rfc3164 following are the facility codes defined:

Facility code	Keyword	Description
0	kern	kernel messages
1	user	user-level messages
2	mail	mail system
3	daemon	system daemons
4	auth	security/authorization messages
5	syslog	messages generated internally by syslogd
6	lpr	line printer subsystem
7	news	network news subsystem
8	uucp	UUCP subsystem
9		clock daemon
10	authpriv	security/authorization messages
11	ftp	FTP daemon
12	-	NTP subsystem
13	-	log audit
14	-	log alert
15	cron	scheduling daemon
16	local0	local use 0 (local0)
17	local1	local use 1 (local1)
18	local2	local use 2 (local2)
19	local3	local use 3 (local3)
20	local4	local use 4 (local4)
21	local5	local use 5 (local5)
22	local6	local use 6 (local6)
23	local7	local use 7 (local7)

Whereas the severity under the Log forwarding profile helps to decide what kind of logs you want to send to the syslog server.

You can choose to send different severity logs to the same syslog server with different facility values, so that they can be handled separately by the server. I hope this helps.

-BR