How to add or configure a Network device or Syslog device like Firewall, Switches or Router in EventLog Analyzer

Objective

EventLog Analyzer offers auditing capabilities for various network devices such as firewalls, routers and switches, with predefined support for a number of widely used makes and manufacturers. Predefined support includes reports, parsing, detection rules and alerts as per market requirement. Refer to List of supported log sources for the list of predefined supported log sources. This article offers step-by-step instructions to add a network device in EventLog Analyzer/Log360.

Prerequisites

Before adding a network device, ensure that the following prerequisites are met:
  • Access to the device as administrator, or elevated permission to perform the syslog configuration.
  • Review the listener ports of the EventLog Analyzer instance in Listener Port Settings and configure the network device to forward logs to the same port and protocol. (Default: UDP - 514/513, TCP - 514, TLS - 513)
  • Proper firewall rules on the EventLog Analyzer server (inbound), the security application (if any), the network firewall (if any) and the network device (outbound) to allow communication from the network device to the EventLog Analyzer server.
  • The DNS server must be able to resolve the network device's hostname to its IP address from the EventLog Analyzer server (mandatory for DHCP-based IP changes).
  • For TLS log collection, enable HTTPS for EventLog Analyzer by applying an SSL certificate. Refer to How to enable HTTPS for EventLog Analyzer.

Steps to follow

Step 1: Configure the syslog service on the network device. Check the sample syslog configuration in the Help document or get in touch with the respective network device vendor for syslog configuration.
Step 2: Allow communication from the network device to the EventLog Analyzer server over the ports on which EventLog Analyzer listens for syslog. You can check or reconfigure the listened ports in Listener Port Settings.
Step 3: Check whether the logs have reached the EventLog Analyzer server using the built-in Log Receiver tool or any other packet capturing tool.
Step 4: Once the packets reach the EventLog Analyzer server, and provided the local firewall or security applications allow traffic over the listener ports, the log packets will be collected by the application.
Step 5: The device will be added automatically in the application, with the device name obtained by DNS resolution. You can locate the device name in Settings >> Log Source Configuration >> Devices >> Syslog device. Refer to Tips to know how a device is added once the log packet reaches the application.
Step 6: If the device name already exists as a Syslog Device, collected logs will be auto-mapped to the same entry.
For troubleshooting any concern or issue, refer to No data or logs collected from syslog device.

Validation and testing

To confirm that the device is added and logs are collected:
  1. Go to Search tab.
  2. Select the device from the list and search for incoming logs.

Tips

1. How is a device name determined during initial auto addition once a syslog packet reaches EventLog Analyzer?
The value/name that you see in the user interface is the "Display name", which is initially the same as the device name value. The display name can be changed as required using the Update device option.
The device name value is identified automatically from the source information available in the syslog packet and DNS resolution. There are two scenarios, each with two cases.

Scenario 1: The source information has the hostname of the syslog device. EventLog Analyzer attempts to resolve it with DNS to get the IP address.
Case 1: The EventLog Analyzer server is able to resolve the hostname to an IP address using DNS.
The device is added with the "Device name" value as the "Hostname" and the "IP address" value as its "IP address".
Case 2: The EventLog Analyzer server is unable to resolve the hostname to an IP address using DNS (due to unavailability of the DNS server or an internal DNS resolution issue).
The device is added with the "Device name" value as the "Hostname" and the "IP address" value as its "Device name".

Scenario 2: The source information has the IP address of the syslog device. EventLog Analyzer attempts to resolve it with DNS to get the hostname.
Case 1: The EventLog Analyzer server is able to resolve the IP address to a hostname using DNS.
The device is added with the "Device name" value as the "Hostname" and the "IP address" value as its "IP address".
Case 2: The EventLog Analyzer server is unable to resolve the IP address to a hostname using DNS.
The device is added with the "Device name" value as the "IP address" and the "IP address" value as the "IP address".

2. If multiple devices forward logs via a relay server, EventLog Analyzer uses the hostname from the syslog packets to differentiate the devices.
How it works:
Prerequisite: Forwarded syslogs should adhere to the RFC 3164 standard and the corresponding relay server configuration must be enabled in EventLog Analyzer.
Sample Log - <34>Oct 18 22:00:15 rootmachine su: 'su root' failed for test on /dev/pts/

NOTE: The hostname (rootmachine) is parsed from the syslog packet and the syslog device is added with that hostname.
  • If the hostname is already present in the database, the logs will be mapped to that device.
  • The syslog device(s) can be Unix, Topsec, Cisco, Palo Alto, Fortinet, Firepower, SonicWall, etc.
3. When the IP addresses of syslog devices change frequently due to DHCP, a new device is added with the new IP address whenever the IP changes and the name cannot be resolved.
How it works:
Prerequisite: Syslogs forwarded from all syslog devices to EventLog Analyzer should adhere to the RFC 3164 standard and the corresponding DHCP configuration must be enabled in EventLog Analyzer.
Sample Log - <34>Oct 18 22:00:15 rootmachine su: 'su root' failed for test on /dev/pts/8

NOTE: The hostname (rootmachine) is parsed from the syslog packet and the syslog device is added with that hostname.
  • If the hostname is already present in the database, the logs will be mapped to the respective device.
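As an added example (not EventLog Analyzer's own code), the following Python parses the RFC 3164 sample packet shown above and applies the naming rules from Tip 1 together with the hostname-based mapping from Tips 2 and 3, so you can predict which device entry a given packet will land in. The FAKE_DNS table and the fw-edge01 / 10.0.0.1 entries are constructed stand-ins for a real DNS resolver.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG (regex written for this example)
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
# Constructed DNS table standing in for a real resolver (hostname->IP and IP->hostname)
FAKE_DNS = {"fw-edge01": "10.0.0.1", "10.0.0.1": "fw-edge01"}
SAMPLE = "<34>Oct 18 22:00:15 rootmachine su: 'su root' failed for test on /dev/pts/8"

@dataclass
class Device:
    name: str  # "Device name" (initial display name in the UI)
    ip: str    # "IP address" field

def parse_rfc3164(packet: str) -> dict:
    """Split an RFC 3164 packet into facility, severity, timestamp, source and message."""
    m = RFC3164.match(packet)
    if not m:
        raise ValueError(f"not an RFC 3164 packet: {packet!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "source": m["host"], "msg": m["msg"]}

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def device_from_source(source: str, resolve: Callable[[str], Optional[str]]) -> Device:
    """Tip 1: resolve() maps hostname<->IP and returns None when DNS cannot answer."""
    if _is_ip(source):                  # Scenario 2: packet carries an IP address
        host = resolve(source)          # Case 1: name = hostname; Case 2: name = IP
        return Device(name=host or source, ip=source)
    ip = resolve(source)                # Scenario 1: packet carries a hostname
    return Device(name=source, ip=ip or source)  # Case 2: IP field falls back to the name

def onboard(packet: str, registry: Dict[str, Device],
            resolve: Callable[[str], Optional[str]]) -> Device:
    """Tips 2 and 3: map to the existing device with that name, else auto-add it."""
    dev = device_from_source(parse_rfc3164(packet)["source"], resolve)
    return registry.setdefault(dev.name, dev)

if __name__ == "__main__":
    devices: Dict[str, Device] = {}
    print(onboard(SAMPLE, devices, FAKE_DNS.get))  # Device(name='rootmachine', ip='rootmachine')
```

Swap FAKE_DNS.get for a function wrapping socket.gethostbyname / socket.gethostbyaddr to test against your real DNS server.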
