Implement Access Logging for Syslog Server


Article ID: 262725


Products

Web Isolation Cloud

Issue/Introduction

To configure a Syslog Server as your external log server, so that logs from Web Isolation are sent to your SIEM solution, first make sure that your SIEM solution includes a component that can act as a syslog server.

What is Syslog Server?

Although the term could imply a physical server, "syslog server" is widely used for software that is able to receive syslog messages, among other uses. The ability to collect logs from network devices is especially important in networks with more than a few routers, switches or servers, as these devices can produce millions of messages per hour. It would be almost impossible to make sense of all these messages if they were not stored and organized in one place: a syslog server.

What is SIEM?

SIEM stands for Security Information and Event Management and combines two practices:

Security Information Management (SIM) involves collecting, correlating, and analyzing log data from various sources (network devices, firewalls, servers, anti-virus software and other applications or databases) in the network.

Security Event Management (SEM) involves analyzing collected event data for threat detection to improve security of the IT environment.

Software solutions combining both SIM and SEM are called SIEM tools. Their main purpose is to improve an organization's security and, at the same time, demonstrate compliance with regulatory frameworks, since failing to meet those requirements can negatively affect the organization's business as a whole.

Although syslog and SIEM share some features, such as collecting logs from network devices and supporting regulatory compliance, there are several key differences because each is built for a different purpose. A syslog server is designed to centralize all syslog messages from network devices, while a SIEM solution is primarily focused on increasing the security of your IT environment: it not only keeps track of incidents and events but can also respond to them by blocking or allowing actions as appropriate, and it supports troubleshooting and remediation.

Environment

Release : 1

Resolution

To create a Syslog Server in Fireglass, begin from "Log Forwarding"; refer to the steps below for guidance.

To verify that forwarding works, you can test with rsyslog as described below.

Installing and configuring rsyslog

  1. Create a machine with ubuntu (e.g. on AWS AMI - fg-ubuntu-14.04-linux-4.4-aws-ixgbevf)

    Note: The machine should be on the same security group with fireglass machines

  2. On the Ubuntu machine, run the following commands:

    Install rsyslog:

    sudo apt-get update

    sudo apt-get install rsyslog

    Configure rsyslog:

    sudo vim /etc/rsyslog.conf

    Remove the comment character ("#") from the following lines:

    $ModLoad imtcp

    $InputTCPServerRun 514

  3. Restart the rsyslog service:

    sudo service rsyslog restart

  4. Verify that rsyslog is listening on port 514:

    sudo netstat -tupln

    You should see rsyslogd in the LISTEN state on port 514 (the lines for 0.0.0.0:514 and :::514 in the output below):

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1435/0
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2188/rsyslogd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1087/sshd
    tcp6       0      0 ::1:6010                :::*                    LISTEN      1435/0
    tcp6       0      0 :::514                  :::*                    LISTEN      2188/rsyslogd
    tcp6       0      0 :::22                   :::*                    LISTEN      1087/sshd
    udp        0      0 0.0.0.0:61357           0.0.0.0:*                           690/dhclient
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
    udp6       0      0 :::59860                :::*                                690/dhclient

  5. Follow the log:

    tail -F /var/log/syslog
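Before pointing Fireglass at the listener, it is worth confirming from the outside that the port is owned by rsyslogd and that a message sent to it actually lands in /var/log/syslog. The script below is an added example and is not part of the article or the product: it parses the output of netstat -tupln (the table shown above) to find which program listens on TCP 514, builds an RFC 3164 syslog line with the newline framing that rsyslog's imtcp input expects by default, and sends it over TCP. The sample netstat table, the timestamp and the file name syslog_check.py are constructed for the example.

```python
"""Check that a syslog listener owns TCP 514 and send it a test message.

Added example, not code from the article or from the product: it parses the
output of `netstat -tupln` (as shown in the article) to confirm that rsyslogd
is the process listening on port 514, builds an RFC 3164 syslog line the way
rsyslog's imtcp input expects it (newline-terminated), and can send that line
over TCP so the listener can be verified before Fireglass is pointed at it.
"""
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample: the listener table from the article, trimmed.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1435/0
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2188/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      2188/rsyslogd
tcp6       0      0 :::22                   :::*                    LISTEN      1087/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
"""

# Constructed timestamp used for the deterministic demo message.
EXAMPLE_TIME = datetime(2018, 5, 22, 8, 22, 14)


def tcp_listeners_on_port(netstat_output, port):
    """Return the set of program names with a TCP socket in LISTEN state on `port`."""
    programs = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows have 7 columns; UDP rows have no State column and are skipped.
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        local_port = fields[3].rsplit(":", 1)[-1]
        if local_port == str(port):
            programs.add(fields[6].split("/", 1)[-1])
    return programs


def syslog_pri(facility, severity):
    """Compute the <PRI> value from facility and severity names."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_rfc3164(facility, severity, hostname, tag, message, when=None):
    """Build '<PRI>Mmm dd hh:mm:ss host tag: message\\n'.

    The trailing newline is the frame delimiter rsyslog's imtcp uses by default.
    """
    when = when or datetime.now()
    stamp = when.strftime("%b %d %H:%M:%S")
    # RFC 3164 pads a single-digit day with a space, not a zero.
    if stamp[4] == "0":
        stamp = stamp[:4] + " " + stamp[5:]
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {message}\n"


def send_tcp(host, port, line, timeout=5.0):
    """Deliver one framed syslog line over TCP; raises OSError if unreachable."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line.encode("utf-8"))


if __name__ == "__main__":
    # Usage: python syslog_check.py <syslog-host> [port]
    # (syslog_check.py is a hypothetical file name for this example.)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print("listeners on 514 in sample netstat:", tcp_listeners_on_port(SAMPLE_NETSTAT, 514))
    line = build_rfc3164("local0", "info", socket.gethostname(), "fireglass-test",
                         "syslog forwarding test; expect this line in /var/log/syslog")
    print("sending:", line.strip())
    send_tcp(target, port, line)
```

Run it from a host in the same security group as the Fireglass machines, with the rsyslog host as the first argument, while tail -F /var/log/syslog is open on the listener; if the test line does not appear, the problem is the network path or the listener configuration rather than the Fireglass forwarding settings.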

On Fireglass Management:

  1. Log in to Management.

  2. Go to System Configuration -> External Log Servers

  3. Create New External Log Server -> Select Syslog

Fill in the following details:

  1. Go to Reports -> Log Forwarding and edit the primary Forwarding Configuration.

  2. Add Syslog to Activity Logs, Management Audit Logs and Gateway Audit Logs.

  3. Push Settings.

Test that it works:

  1. Audit log: in Management, create a new internal user; you should see the following in the syslog:

    {"@timestamp":"2018-05-22T08:22:14.021Z","@version":"1","host":"citiqa-xxxxxx.xxxxx.fire.glass","type":"fw.syslog.managementAuditLogs","user":"xxxxx","user_id":"xxxxx","action":"create","entity_type":"Internal User","revision":115,"entity_name":"xxxxxTest","entity_id":8,"pre_change_entity":"","post_change_entity":"","single_change_entity":"{\"id\":8,\"name\":\"xxxxxTest\",\"password\":\"\",\"updatedAt\":\"2018-05-22T08:22:14.000Z\",\"createdAt\":\"2018-05-22T08:22:14.000Z\"}","change_description":"xxxxxTest was created","push_relevant":true,"deltas":[]}
  2. Gateway Audit Log: on the Management machine or another Fireglass gateway, run the command "pwd"; you should see the following in the syslog:

    May 22 08:27:00 citiqa-proxy Symantec[-]: {"@version":"1","@timestamp":"2018-05-22T08:27:00.353Z","type":"fw.syslog.gatewayAuditLogs","source":"x.x.x.x","command":" pwd","user":"ubuntu","service":"shell","user_id":1000,"current_path":"/home/ubuntu","return_code":"0","host":"citiqa-proxy","action_type":"Terminal Command"}

  3. Browse to "<your_URL_domain>" through the proxy; you should see the activity traffic in the syslog:

    May 22 08:29:28 d447783101ca xxxxxx[-]: May 22 08:29:27 citiqa-proxy localhost a_s_worker[60]: [1526977767815]  {"service":"Proxy","symc_transaction_id":"","time_stamp":"2018-05-22T08:29:27.815Z","extra_log_data":null,"event":"Forward To Isolation","request_method":"GET","response_status_code":"","source_ip":"x.x.x.x","source_port":59787,"original_source_ip":"x.x.x.x","url":"https://<your_URL_domain>/?****","url_scheme":"https","url_host":"<your_URL_domain>","url_port":443,"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","destination_ip":"x.x.x.x","content_type":"","username":"xxxxxw","action":"Isolate","content_action":null,"url_categories":[],"url_parent_categories":[],"source_ip_country_code":"IL","source_ip_country_name":"xxxxxxxx","url_risk":0,"rule_id":"1","rule_type":"default","action_reason":"Policy rule","severity":"None","details":null,"resource_response_headers":null,"resource_request_headers":{"Host":"<your_URL_domain>","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Accept-Encoding":"gzip,deflate,br","Accept-Language":"en-US,en;q=0.9","Cookie":"abVariantNumber=bGk429uUR7C4ovnMCo1_aQ.0; _ga=GA1.4.434273693.1526192214; _ga=GA1.3.434273693.1526192214; _gid=GA1.3.1859157913.1526192214; textsize=NaN; 
__gads=ID=d0bded67ef9a5dc7:T=1526192214:xxxxxxxxxxxxxxxxxxxxxxxxxx.....................................................................................................................................................................................................................................................................................................,"referer_url":null,"referer_host":null,"total_bytes":null,"response_cached":null,"total_bytes_sent":null,"advanced_details":null,"initiated_by_gateway":"No","malicious":"No"}
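The three records above arrive in three different shapes: the management audit log is a bare JSON object, the gateway audit log has one syslog header in front of the JSON, and the activity log has two nested headers plus a bracketed counter before it. A SIEM that ingests the stream needs to recover the JSON from each and map the fields to one common shape. The script below is an added example, not code from the article or from the product: it decodes the JSON from the first "{" in each line, flattens the three record types using the field names the samples above show, and picks out the events that typically merit an alert. The sample lines are constructed and abridged from the shapes shown above; the "delete" action and the "Yes" value for "malicious" are assumptions, since the article only shows "create" and "No".

```python
"""Normalize the three record shapes Web Isolation forwards over syslog.

Added example, not code from the article or from the product. Each forwarded
line carries a JSON object, but the management audit log arrives bare while
the gateway audit and activity logs have one or two syslog headers in front of
it (see the three samples in the article). Decoding from the first '{' handles
all three, after which the record is flattened into one shape a SIEM rule can
match on. The sample lines below are constructed and abridged from the shapes
shown in the article; the field names are the ones those samples show.
"""
import json

SAMPLE_LINES = [
    # management audit log: bare JSON
    '{"@timestamp":"2018-05-22T08:22:14.021Z","host":"mgmt.example.fire.glass",'
    '"type":"fw.syslog.managementAuditLogs","user":"admin","action":"create",'
    '"entity_type":"Internal User","entity_name":"newuser","entity_id":8}',
    # gateway audit log: one syslog header, then JSON
    'May 22 08:27:00 citiqa-proxy Symantec[-]: {"@timestamp":"2018-05-22T08:27:00.353Z",'
    '"type":"fw.syslog.gatewayAuditLogs","source":"10.0.0.5","command":" pwd",'
    '"user":"ubuntu","service":"shell","return_code":"0","host":"citiqa-proxy",'
    '"action_type":"Terminal Command"}',
    # activity log: two nested headers and a bracketed counter, then JSON
    'May 22 08:29:28 d447783101ca gw[-]: May 22 08:29:27 citiqa-proxy localhost '
    'a_s_worker[60]: [1526977767815]  {"service":"Proxy",'
    '"time_stamp":"2018-05-22T08:29:27.815Z","event":"Forward To Isolation",'
    '"request_method":"GET","source_ip":"10.0.0.9","url":"https://www.example.com/",'
    '"url_host":"www.example.com","username":"alice","action":"Isolate",'
    '"rule_id":"1","severity":"None","malicious":"No"}',
    # a line with no JSON payload, to exercise the failure path
    'May 22 08:30:00 citiqa-proxy Symantec[-]: rsyslogd restarted',
]


def extract_json(line):
    """Return the first JSON object embedded in `line`, or None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def normalize(line):
    """Flatten one forwarded line into a record with a `kind` and common fields."""
    rec = extract_json(line)
    if rec is None:
        return {"kind": "unparsed", "raw": line}
    rtype = rec.get("type", "")
    if rtype == "fw.syslog.managementAuditLogs":
        return {"kind": "management_audit", "time": rec.get("@timestamp"),
                "host": rec.get("host"), "user": rec.get("user"),
                "action": rec.get("action"),
                "entity": f"{rec.get('entity_type')}:{rec.get('entity_name')}"}
    if rtype == "fw.syslog.gatewayAuditLogs":
        return {"kind": "gateway_audit", "time": rec.get("@timestamp"),
                "host": rec.get("host"), "user": rec.get("user"),
                "source": rec.get("source"),
                "command": (rec.get("command") or "").strip(),
                "return_code": rec.get("return_code")}
    if rec.get("service") == "Proxy" and "event" in rec:
        return {"kind": "activity", "time": rec.get("time_stamp"),
                "user": rec.get("username"), "source_ip": rec.get("source_ip"),
                "url_host": rec.get("url_host"), "action": rec.get("action"),
                # "No" is the value the article shows; "Yes" is assumed to be the positive value.
                "malicious": rec.get("malicious") == "Yes"}
    return {"kind": "unknown", "raw": rec}


def triage(records):
    """Select the records worth an alert: account changes, shell commands on
    gateways, traffic flagged malicious, and anything the parser could not read
    (an unparsed line may mean the forwarder format changed)."""
    alerts = []
    for r in records:
        # "delete" is assumed alongside the "create" action the article shows.
        if r["kind"] == "management_audit" and r["action"] in ("create", "delete"):
            alerts.append(f"{r['time']} {r['user']} {r['action']} {r['entity']} on {r['host']}")
        elif r["kind"] == "gateway_audit" and r["command"]:
            alerts.append(f"{r['time']} shell on {r['host']}: {r['user']}@{r['source']} ran {r['command']!r}")
        elif r["kind"] == "activity" and r["malicious"]:
            alerts.append(f"{r['time']} malicious traffic {r['user']} -> {r['url_host']} ({r['action']})")
        elif r["kind"] == "unparsed":
            alerts.append(f"unparsed forwarder line: {r['raw'][:60]}")
    return alerts


if __name__ == "__main__":
    for alert in triage(normalize(line) for line in SAMPLE_LINES):
        print(alert)
```

Decoding from the first "{" with raw_decode rather than json.loads is what makes the same function work for all three shapes, because raw_decode stops at the end of the object and ignores whatever the syslog headers left around it; keeping unparsed lines as alerts rather than dropping them means a change in the forwarder's format shows up in the SIEM instead of silently emptying a dashboard.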

Note: In the "Connection" settings of the Syslog Server configuration, you can use either the IP address or the FQDN of your on-premise Syslog Server (SIEM). Ensure your network allows Fireglass to talk to the on-premise Syslog Server on port 514.