topic Re: CP GW syslog configuration question in Firewall and Security Management

CP GW syslog configuration question

Herschel_Liang — Fri, 09 Sep 2022 12:33:31 GMT

YK-FW-A> show configuration syslog
add syslog log-remote-address 2.2.2.2 level all
set syslog filename /var/log/messages
set syslog cplogs on
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog uncompressmessages off

YK-FW-A> show syslog all
Syslog Parameters:
Remote Address 2.2.2.2
Levels all
Auditlog permanent
Destination Log Filename /var/log/messages
YK-FW-A>

I can see GW written some logs into /var/log/message, but still can not find any GW syslogs written in the SMS /var/log/message file. Who can give me some ideas?

Re: CP GW syslog configuration question

PhoneBoy — Fri, 09 Sep 2022 12:43:37 GMT

“Accept Syslog Messages” means the SMS can be a target of syslog messages from other devices.
Those logs will not appear in /var/log/messages on the SMS but in with SmartView similar to Access/Threat Prevention.
Unless you have parsers written for the messages, they may not appear in a very useful format.

Please describe what your ultimate goal is.

Re: CP GW syslog configuration question

Herschel_Liang — Fri, 09 Sep 2022 12:51:04 GMT

YK-FW-A> show syslog all
Syslog Parameters:
Remote Address 2.2.2.2
Levels all
Auditlog permanent
Destination Log Filename /var/log/messages
YK-FW-A>

The ultimate goal is sending local GW system logs(like account log in/ log out) to the SMS and Syslog server storage.

Re: CP GW syslog configuration question

PhoneBoy — Fri, 09 Sep 2022 12:59:59 GMT

When you say “to the SMS” where precisely do you expect to see the syslog messages appear?
If you expect gateway syslogs to be sent to /var/log/messages on the SMS, that’s not how “Accept Syslog Messages” works and is probably not what you want.

What is precisely meant by “syslog server storage.”
That sounds like an external (not gateway, not SMS) device…what exactly is it?

Re: CP GW syslog configuration question

Herschel_Liang — Fri, 09 Sep 2022 13:24:25 GMT

When you say “to the SMS” where precisely do you expect to see the syslog messages appear?
----->Yes
If you expect gateway syslogs to be sent to /var/log/messages on the SMS, that’s not how “Accept Syslog Messages” works and is probably not what you want.
----->Oh, so where is“Accept Syslog Messages”used?
What is precisely meant by “syslog server storage.”
That sounds like an external (not gateway, not SMS) device…what exactly is it?
----->Yes, I mean an external device.

Re: CP GW syslog configuration question

PhoneBoy — Fri, 09 Sep 2022 19:18:39 GMT

Like I said, the logs will show in exactly the same place your Access and Threat Prevention logs will show, which is not /var/log/messages.
In my experience, the OS logs won’t appear to be very useful when viewed in SmartConsole/SmartView.
Possible they may be more useful if you write a parser for said logs, but we don’t provide one for that purpose by default.

If your goal is to collect the OS syslogs centrally, all devices should send their syslogs directly to your collector and not have them sent to your management.