13 Replies Latest reply on Jul 21, 2014 7:38 AM by lenxe

    Configure LEM as a SYSLOG Server

    lenxe

      Hi,

      I am currently configuring LEM to monitor a small industrial network (containing 12 devices).

      Firstly, can someone please confirm that LEM is capable of receiving SYSLOG data?

      If so, is this a generic acceptance, or does the device have to be configured as an "Appliance -> Tool"?

      I am trying to receive SYSLOG entries from 2 firewalls (Hirschmann Eagle 20 Tofino firewalls).

      These firewalls allow me to set a SYSLOG server address, Source Port and Destination Port (the latter two both set as 514), along with a choice of UDP, TCP & TLS.

      I have previously had to perform a sensor tool upgrade to be able to get information from a similar firewall (Hirschmann Eagle 20 firewall). Do I need to get a new tool update?

      I've attached the xml file used to update the LEM for the previous firewall; this is still installed but does not function with the new firewalls.

      Lastly, I have confirmed that the firewall SYSLOG functionality performs correctly by using a trial version of Kiwi, which displayed the entries with no problems.

      Any help or information is much appreciated.

      Thanks for reading,

      Lewis

        • Re: Configure LEM as a SYSLOG Server
          Lester Grant

          Did you go into the console and enable the flow?  It should be under the manager --> enableflow. 

            • Re: Configure LEM as a SYSLOG Server
              lenxe

              I've gone into the Console --> Advanced Configuration --> Service --> Enableflow and double-checked this is enabled.

              I'm still not receiving the syslog entries.

              Don't know if it's relevant, but I'm running Solarwinds LEM v5.4.0 within VMware ESXi 5.1.0.

              Thanks for your help

                • Re: Configure LEM as a SYSLOG Server
                  familyofcrowes

                  You have to have a connector for the incoming logs.  SSH into the CMC and log in.  Type application and hit enter.  Then run "checklogs" to see which facility the data is coming from.  Then you need to create a connector in the GUI to read that data.  I don't know that FW, so you may have to try different connectors until you find the right one.  Set the connector for nDepth.  When you do a search, make sure you are looking at raw logs by moving the little slide selector that is to the right of the time selector in nDepth to the right.

                  Or do what I did and open a ticket....  They are really good out there in Utah!

              • Re: Configure LEM as a SYSLOG Server
                Lester Grant

                Go to appliance --> checklogs and see which folder the logs are going to.  Then go into the web appliance and go to Manage --> Appliances --> Connectors.  See if there are Tofino Firewalls.  Go to that connector and click on the gear and select new.  Then configure the folder within the connector to the file location that the logs are being sent to.  Then you should see the logs within LEM.  Let me know if this helps. 

                • Re: Configure LEM as a SYSLOG Server
                  byrona

                  You can collect and store the raw (non-normalized) data in LEM for searching with nDepth.  Please check out the KB article HERE on how this can be configured.  I have done it and it works.

                  • Re: Configure LEM as a SYSLOG Server
                    lenxe

                    So, looking at the logs, I can see the FW entries in two folders:

                    [1]: Syslog Consolidated Log

                    &

                    [6]: User Log

                    I'm making an educated guess that those folder locations are as follows:

                    /var/log/syslog

                    &

                    /var/log/user

                    I've had a look at the connectors and they seem quite device specific; how close does the configured connector have to be?

                    Is it a matter of finding one which processes the syslog entry the best, or does it need to exactly match the format/structure of the syslog message for the messages to appear within the LEM interface?

                    Again, thanks for the input.

                    Lewis.

                      • Re: Configure LEM as a SYSLOG Server
                        byrona

                        The connector is not only device specific, it's log specific.  It needs to be designed to parse the specific logs you are trying to get, as that is required for normalization of the data.  If you want to use the connectors where applicable but also use LEM as a raw syslog server, you can use the KB article I noted above.  If you are just looking for Syslog capabilities and don't need the SIEM/Correlation/Normalized Data capabilities, then you might take a look at Kiwi Syslog.

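To illustrate byrona's point that a connector is log specific, here is an added Python example (not LEM's code, and the firewall line format it parses is constructed, not the real Tofino output): it decodes the syslog PRI into the facility that checklogs reports, then applies a hypothetical connector pattern, and any line the pattern does not match becomes an UnmatchedData record that keeps the raw text in extraneous_info rather than being dropped.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164 numbering). The facility is
# what "checklogs" reports as the folder the incoming data lands in.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth",
                  5: "syslog", 16: "local0", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# Classic BSD-style envelope: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Hypothetical connector pattern for a CONSTRUCTED firewall line format; it is
# not the real Tofino layout. A real connector is written against the exact
# text the device emits, which is why a near-miss connector parses nothing.
CONNECTOR_RE = re.compile(
    r"fw: (?P<action>DENY|ALLOW) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def normalize(line):
    """Decode the envelope, then apply the connector; unmatched lines keep
    their raw text in extraneous_info instead of being discarded."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    facility, severity = divmod(int(m["pri"]), 8)
    record = {"facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
              "severity": SEVERITY_NAMES[severity], "host": m["host"]}
    c = CONNECTOR_RE.search(m["msg"])
    if c:
        record["event"] = "FirewallDeny" if c["action"] == "DENY" else "FirewallAllow"
        record.update(c.groupdict())
    else:
        record["event"] = "UnmatchedData"
        record["extraneous_info"] = m["msg"]
    return record


if __name__ == "__main__":
    # Constructed sample lines, not captured from a Tofino firewall.
    for sample in (
        "<14>Jul 17 09:12:44 tofino-fw1 fw: DENY proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=502",
        "<134>Jul 17 09:12:45 tofino-fw1 firmware check completed",
    ):
        print(normalize(sample))
```

Comparing the facility the first field yields against the checklogs folder tells you which log a device's messages land in before you start trying connectors.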
                      • Re: Configure LEM as a SYSLOG Server
                        lenxe

                        Thanks for the help, tips and information. I think I'm going to have to find/write/beg for a connector.

                        The LEM package has already been bought; I'm currently trying to integrate two new firewalls.

                        I need the logs in the Normalised environment to fire some configured rules which take actions on a local server.

                        Please correct me if I'm wrong.

                        Lewis

                        • Re: Configure LEM as a SYSLOG Server
                          lenxe

                          I know bumping is never good etiquette, but I'm still waiting on my support case to be answered. If anybody is available, I'd appreciate the help.

                          I have updated the connectors as of 17/07/2014.

                          After running a Tool Maintenance by Alias I don't see any Alerts raised by the Tofino Firewall.

                          The alerts are appearing in the 'syslog consolidated log' [accessed via appliance > checklogs > 1 (Syslog consolidated log)].

                          I have attached an export of the above mentioned syslog. Also attached is a text file in which I have extracted some of the alerts and separated them on to new lines.

                          I'd be happy with just an Unmatched Data entry, with the information being held in the ExtraneousInfo field.

                          Again, I'd welcome any help I can get; I'm getting very close to my deadline (August).

                          The case number is 597404 if you're a Solarwinds employee.

                          Thanks

                          Lewis

                          • Re: Configure LEM as a SYSLOG Server
                            lenxe

                            Update:

                            I'm going to have to put my hands up and admit it was human error which caused the problem. I missed the new connector and was updating the old Hirschmann Firewall Connector. (I can only apply specific updates to the system, so delete all but the required connector updates from the download.)

                            Many thanks to Curtis, who's had the patience to sort this out.

                            Best regards

                            Lewis