[BETA] SYSLOG/PIX Configuration (Full Version)






fwakelin -> [BETA] SYSLOG/PIX Configuration (29.Sep.2006 5:19:49 PM)

I've configured EventsManager to receive syslog events from some of our PIX firewalls.  The status shows events being received from the PIX IPs, and the job activity shows a number of syslog messages being received; however, none are being entered into the database.  I've confirmed that some of the specific events set up as the defaults within EventsManager are indeed occurring.

Is there a problem with the defined event filters?  What specific logging format is EventsManager looking for (i.e. EMBLEM? timestamp?)?  How can I go about capturing the syslog data received to compare it to the defined filters?




Calin Ghibu -> RE: SYSLOG/PIX Configuration (1.Oct.2006 7:07:15 AM)

Hi,

You may have misconfigured stuff.

Please do the following:

Create a computer group, have it configured to receive Syslog only (no Windows, W3C logs).

On the Syslog tab, select archive only (thus messages will not pass through event processing rules). Add the IP of the Cisco device to this group and have it inherit the settings from the parent group. Generate some syslog events.

You should have at this point all the incoming syslog messages in the database.

Send me some sample messages which did not initially make it through the processing rules, or verify yourself, whatever suits you best.

In the next build, there will be a group created and configured by default specifically for Cisco devices. Also there will be some minor fixes which might affect this.

Best regards,
Calin




peter.berger@genexservice -> RE: SYSLOG/PIX Configuration (16.Oct.2006 1:44:34 PM)

GFI: I too am getting the same syslog errors as described above. They are not Cisco boxes though, but a mix of HP-UX 11.11 and Red Hat Linux boxes.

I have made sure that I:
- changed the login credentials (to use the "root" account).
- changed the checkbox to "archive-only" so the filters are not applied.


When I look into the main page on the "syslog message history" -- I see that the message count is "X", the archived count is "0" and the Reject Count is "X" (where X is the number of syslog events that came in).

I made sure I have the latest BETA version also. Any help/411 would be great...




Calin Ghibu -> RE: SYSLOG/PIX Configuration (17.Oct.2006 2:30:18 AM)

Hi Peter,

Ok, how did you add the devices / Linux machines for monitoring?

In your case, the messages arrive at EventsManager, which means that your configuration related to syslog is ok, but they were rejected because either you do not have any processing rules applied (unlikely if you selected archive all) or because you did not add the clients sending the messages properly to the proper group.

Note: you do not need to enter the root credentials for the Linux machines. Syslog messages are sent by the client and not retrieved by the EventsManager.

So please follow the below steps:

- create a new computer group, disable scanning for Windows events and W3C events from the corresponding tabs. Configure it for real-time monitoring. Configure it to archive all Syslog messages.

- add the devices / Linux machines to this group BY IP.
- restart the EventsManager service
- generate Syslog messages and see if the issue persists by checking the EventManager Monitor.

Best regards,
Calin




peter.berger@genexservice -> RE: SYSLOG/PIX Configuration (17.Oct.2006 8:28:01 AM)

Calin: Thanks for the tips. It looks like it's the IP vs. DNS name that did the trick.

I followed your directions to create a new group and use just IP addresses -- that worked fine.
So I deleted my custom group and went back to GFI's existing Linux/PIX group and changed the UNIX/Linux DNS names into IP addresses. It still works. Yeah.

So whatever the issue is, the quick resolution is to simply use IP vs. DNS for Linux/UNIX/Cisco devices. I've had no problems using DNS names for Wintel servers.

Thanks. Love the new product... keep up the good work...
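Two questions in this thread go together: fwakelin asks how to capture the raw syslog data and compare it with the filters, and Peter finds that senders listed by DNS name are rejected while senders listed by IP are accepted. The following is an added example, not GFI's code and not anything posted in the thread: a small UDP receiver plus a parser for Cisco PIX/ASA syslog lines (the <PRI> header, the optional timestamp/hostname header, and the %PIX-severity-id mnemonic), and a sender check that compares a datagram's source address against a configured list. The sample datagrams, the addresses 192.0.2.10/192.0.2.20, and the hostname rhel1.example.com are constructed; the reject behaviour of non-IP entries mirrors what Peter observed but is this example's own logic, not an implementation of EventsManager.

```python
"""Capture raw syslog datagrams and compare them with a sender list.

Added example (not GFI code): a small UDP receiver plus a parser for
Cisco PIX/ASA syslog lines, so the raw messages can be inspected before
guessing why a product's filters reject them. Sample lines below are
constructed; the source-address list is an assumption for illustration.
"""
import ipaddress
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco mnemonic: %PIX-<severity>-<6-digit id>, e.g. %PIX-6-302013
MNEMONIC_RE = re.compile(r"%(PIX|ASA|FWSM)-(\d)-(\d{6}):?\s*")


def parse_syslog(raw):
    """Return a dict describing one syslog datagram, or None if there is
    no RFC 3164 <PRI> header at the start of the packet."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    rest = text[m.end():]
    out = {"pri": pri, "facility": pri // 8, "severity": pri % 8,
           "cisco_id": None, "header": "", "msg": rest}
    c = MNEMONIC_RE.search(rest)
    if c:
        # Anything before the mnemonic is the device's optional header
        # (timestamp and/or hostname, depending on the PIX logging config).
        out["header"] = rest[:c.start()].strip(" :")
        out["cisco_id"] = "%s-%s-%s" % c.groups()
        out["msg"] = rest[c.end():]
    return out


def sender_allowed(src_ip, configured_senders):
    """Match a datagram's source address against the group's sender list.
    Entries that are not IP literals can never equal a source address,
    which is the mismatch behind 'received but rejected' counts."""
    src = ipaddress.ip_address(src_ip)
    for entry in configured_senders:
        try:
            if ipaddress.ip_address(entry) == src:
                return True
        except ValueError:
            continue  # a DNS name, not an address: never matches here
    return False


def triage(datagrams, configured_senders):
    """Classify (src_ip, raw) pairs the way an archive-only group would:
    accepted if parseable and from a listed address, else rejected."""
    accepted, rejected = [], []
    for src_ip, raw in datagrams:
        parsed = parse_syslog(raw)
        if parsed and sender_allowed(src_ip, configured_senders):
            accepted.append((src_ip, parsed))
        else:
            rejected.append((src_ip, raw))
    return accepted, rejected


def capture(port=514, count=10, bind="0.0.0.0"):
    """Receive `count` real UDP syslog datagrams (a privileged port, so run
    as root or point the device at a high port); returns (src_ip, raw)
    pairs that can be fed straight into triage()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    got = []
    while len(got) < count:
        data, (ip, _) = sock.recvfrom(65535)
        got.append((ip, data))
    sock.close()
    return got


# Constructed sample datagrams: one PIX line with a timestamp header, one
# without, and one plain Linux syslog line from an sshd.
SAMPLE = [
    ("192.0.2.10", b"<166>Oct 16 2006 13:44:34: %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.5/80 (198.51.100.5/80) to inside:10.0.0.7/1234 (192.0.2.10/50012)"),
    ("192.0.2.10", b"<164>%PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group \"outside_in\""),
    ("192.0.2.20", b"<38>Oct 16 13:44:40 rhel1 sshd[2211]: Accepted publickey for admin from 10.0.0.9 port 51234 ssh2"),
]

if __name__ == "__main__":
    # 192.0.2.20 is listed by name here, so its line is rejected even
    # though it parses fine; listing 192.0.2.20 as an address fixes it.
    acc, rej = triage(SAMPLE, ["192.0.2.10", "rhel1.example.com"])
    for ip, p in acc:
        print("ACCEPT", ip, p["facility"], p["severity"], p["cisco_id"], p["header"] or "-")
    for ip, raw in rej:
        print("REJECT", ip, raw[:40])
```

To use it against a real box, stop the product's listener (or bind a different port and temporarily point the PIX `logging host` at it), call `capture()`, and pass the result to `triage()` with the same sender list the group uses; the rejected list then shows exactly which packets and which source addresses the configuration does not cover, and the parsed header field shows whether the device is sending a timestamp prefix at all.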



