Configure ProxySG to upload access logs directly to a datasource in Cloudsoc Audit

Article ID: 270673

Updated On:

Products

CASB Audit

Issue/Introduction

ProxySG can be configured to upload its access logs to Cloudsoc Audit for Shadow IT analysis. There are several ways to do this. This article covers the use case where the proxy uploads the access logs directly to Cloudsoc over an SCP connection, without an on-premises SpanVA instance.

Environment

Prerequisites:

1- ProxySG can resolve "upload.elastica.net" and outbound connections to it on TCP port 22 are permitted.

2- Cloudsoc Audit has been configured with an SCP data source (see the KB article on creating an SFTP or SCP data source).

 

Data Required:

To get the required information, navigate to Cloudsoc Console > Audit > Device Logs, locate the SCP data source, click the drop-down icon under the "Actions" column, select View Details, then select the "Configuration Details" tab. The pop-up window shows the data source's connection details.

Note down the following items:

  1. Secure File Server
  2. User Name
  3. Password (reset it if it was not saved during creation)
  4. Datasource Path

Resolution

1- Add the upload server's SSH host key to the proxy's trusted outbound destinations:

  • Log in to the ProxySG console
  • Navigate to Configuration > Authentication > SSH Outbound Connections > Known Hosts > click "New"
  • Enter upload.elastica.net as the host name
  • Click "Fetch" to retrieve the SSH host key from the upload server
  • Accept the key presented for "upload.elastica.net" by clicking "Add". This is the key the proxy will trust on every later upload, so compare its fingerprint with one obtained independently (for example, a keyscan run from a different network path, or a fingerprint the vendor publishes if one is available) before accepting it.
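A way to check the fetched key against a pinned fingerprint before clicking "Add", as an added example that is not part of this article or of the ProxySG product: the script below parses a public-key line in the format `ssh-keyscan` prints, computes the OpenSSH SHA256 and legacy MD5 fingerprints, and compares them with a value recorded in advance. The sample key is constructed for the example and is not the real host key of upload.elastica.net; in practice the pinned value would come from a keyscan run over a different network path or from a vendor-published fingerprint.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Parse one 'type base64-blob [comment]' line, the format ssh-keyscan prints.

    Returns (key_type, blob). The blob carries its own type string; it must
    agree with the first field, otherwise the line was tampered with or mis-copied.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type field does not match the key blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' followed by unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, still displayed by some older UIs."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def key_matches_pin(line: str, pinned: str) -> bool:
    """True only if the key on `line` has exactly the pinned fingerprint.

    The pin's prefix selects the hash; an unknown prefix is rejected rather
    than silently compared, so a typo in the pin cannot become an accept.
    """
    _, blob = parse_pubkey_line(line)
    if pinned.startswith("SHA256:"):
        return sha256_fingerprint(blob) == pinned
    if pinned.startswith("MD5:"):
        return md5_fingerprint(blob) == pinned
    raise ValueError("pinned fingerprint must start with SHA256: or MD5:")


# Constructed sample (NOT the real host key of upload.elastica.net): an
# ssh-ed25519 blob whose 32-byte public value is simply 0x00..0x1f.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " upload.elastica.net"

if __name__ == "__main__":
    # In practice PINNED is pasted from an independent keyscan; here it is
    # derived from the constructed key so the script runs offline.
    pinned = sha256_fingerprint(SAMPLE_BLOB)
    print("pinned :", pinned)
    print("match  :", key_matches_pin(SAMPLE_LINE, pinned))
```

The fingerprint the proxy displays after "Fetch" should equal the value the script prints for the independently obtained key; a mismatch means the proxy fetched a different key than the one seen from elsewhere and the key should not be added until that is explained.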

2- Use the parameters collected from the Cloudsoc SCP data source (see the Data Required section above) and enter them as an access log upload client (Configuration > Access Logging > Logs > "Upload Client" tab):

 

TIP: In the Upload Path, add a / to the end of the path and make sure there is no trailing space.

 

3- Ensure the proxy and/or firewall allows the following:

  • Port 443
  • CloudSOC GCP IP CIDR block: 144.49.240.0/21
  • Google Storage Service: *.storage.googleapis.com

 

Note: On some ProxySG versions the UI text field for the "Upload Path" parameter is limited to 64 characters. If that is the case, the path has to be entered via the command line.

The following proxy commands are used after connecting to the proxy via SSH (the example log is "main"; the SCP client settings are set with the "scp-client primary" subcommands listed by the "?" help):

#(config)
#(config)access-log
#(config access-log)edit log <LogName>
#(config log main)scp-client primary ?
 encrypted-password           Encrypted password for SCP primary host
 host                         Primary SCP host name
 password                     Password for SCP primary host
 path                         Path for SCP primary host
 username                     Username for SCP primary host
#(config log main)scp-client primary host upload.elastica.net
#(config log main)scp-client primary username <username>
#(config log main)scp-client primary path <path>
#(config log main)scp-client primary password <password>

Repeat for each access log required.
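To apply the same rules when the path must be entered on the command line, or when several logs have to be configured, here is an added Python helper that is not part of this article or of the ProxySG product. It normalises the Upload Path according to the TIP above (exactly one trailing slash, no trailing whitespace), reports whether the path exceeds the 64-character UI limit, and emits the "scp-client primary" command lines for each log in the form the "?" listing shows. The data source values are constructed placeholders, not real credentials, and the trailing "exit" used to leave the log context between logs is an assumption about the CLI.

```python
UI_PATH_LIMIT = 64  # "Upload Path" text field limit on some ProxySG versions


def normalise_upload_path(path: str) -> str:
    """Apply the article's rules for the Upload Path.

    Surrounding whitespace is removed (a trailing space would silently become
    part of the remote directory name) and exactly one '/' is appended.
    """
    cleaned = path.strip()
    if not cleaned:
        raise ValueError("upload path is empty")
    if any(c.isspace() for c in cleaned):
        raise ValueError("upload path must not contain whitespace")
    return cleaned.rstrip("/") + "/"


def needs_cli(path: str) -> bool:
    """True if the normalised path is longer than the UI field allows."""
    return len(normalise_upload_path(path)) > UI_PATH_LIMIT


def _check_token(name: str, value: str) -> None:
    # Every value is emitted unquoted on one CLI line, so whitespace is rejected.
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"{name} must be non-empty and contain no whitespace")


def scp_client_commands(log_name, host, username, path, password=None, encrypted_password=None):
    """Return the CLI lines that configure the primary SCP client of one access log.

    Exactly one of password / encrypted_password is required, matching the two
    forms listed by 'scp-client primary ?'.
    """
    if (password is None) == (encrypted_password is None):
        raise ValueError("supply exactly one of password or encrypted_password")
    for name, value in (("log name", log_name), ("host", host), ("username", username)):
        _check_token(name, value)
    _check_token("password", password if password is not None else encrypted_password)
    full_path = normalise_upload_path(path)
    lines = [
        f"edit log {log_name}",
        f"scp-client primary host {host}",
        f"scp-client primary username {username}",
        f"scp-client primary path {full_path}",
    ]
    if password is not None:
        lines.append(f"scp-client primary password {password}")
    else:
        lines.append(f"scp-client primary encrypted-password {encrypted_password}")
    lines.append("exit")  # assumption: leaves the (config log <name>) context
    return lines


def config_script(log_names, datasource):
    """Full command sequence for several logs, starting from the (config) prompt."""
    lines = ["access-log"]
    for log_name in log_names:
        lines.extend(scp_client_commands(log_name, **datasource))
    return lines


# Constructed placeholder values, shaped like the "Configuration Details" tab
# of an SCP data source; they are not real credentials.
SAMPLE_DATASOURCE = {
    "host": "upload.elastica.net",
    "username": "ds-user-example",
    "path": "/tenant-example/datasource-example/ ",  # trailing space on purpose
    "password": "example-password",
}

if __name__ == "__main__":
    print("path needs CLI:", needs_cli(SAMPLE_DATASOURCE["path"]))
    print("\n".join(config_script(["main", "ssl"], SAMPLE_DATASOURCE)))
```

The "password" form puts the cleartext secret on the console line; use the "encrypted-password" form when you already have the encrypted string from an existing configuration.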

 

Additional Information

To verify:

1- Run "Test Upload" from the proxy console

Log in to the proxy console > Configuration > Access Logging > Logs > "Upload Client" tab > select the log (for example, main) > select the upload client (SCP Client) > click "Test Upload" > confirm the notification message in the pop-up window.

The proxy may show a warning or failure if a different access log upload is in progress. Either wait for it to finish or cancel the current upload job (Configuration > Access Logging > General > Global Settings > click "Cancel All"), then run "Test Upload" again as in the previous step.

 

2- Verify that the test upload to Cloudsoc was successful:

Log in to the proxy console > Statistics > Access Logging > Upload Status > select the log (for example, main) > check the "last upload result"; it should show "Success" if all went well. Also check the date and time presented (Connect Time).

3- After a successful upload, Cloudsoc Audit must acknowledge receipt of the files and then process them. This can be monitored in the Cloudsoc Console:

Log in to Cloudsoc Console > Audit > Device Logs > locate the data source > under the "Actions" column click "View Details". The pop-up window lists all access log files received, with their current status.