topic Re: Audit Logs over Syslogs in General Topics

Audit Logs over Syslogs

LostBoY — Wed, 14 Apr 2021 16:47:35 GMT

I have a requirement where i need to forward logs from my R80.40 Gateway Cluster to Datadog.. this is being done by forwarding syslogs to an intermediate syslog server and from there syslogs are being forwarded to Datadog.

i tried doing this via log exporter but in datadog console and syslog server i only saw gateway name and message id .. no other infor was available so i went with conventional syslog integration

Post that ..In datadog i can see traffic logs in the form of traffic being allowed along with NAT translations but i cannot see any audit logs nor any traffic drop logs which are through the implicit deny rule.

My queries here are.

1) Does simple syslog integration with Mgmt server include audit logs ? does syslogs include auditlog info as well ?

2) Is log exporter the only way to forward audit log information ?

3) any reason i cannot see drop logs there ?

Re: Audit Logs over Syslogs

PhoneBoy — Wed, 14 Apr 2021 18:59:02 GMT

By “simple” you mean configure not using log_exporter: that only gives you operating system messages, not anything related to the security policy configuration.

Log exporter is the correct way to do it and, in the default configuration; it should forward audit and drop logs.
These can be filtered but they also may not be interpreted correctly by the destination.

More details about what you’ve done/configured would be helpful.
Can you see the relevant logs on the intermediate syslog server?

Re: Audit Logs over Syslogs

LostBoY — Thu, 15 Apr 2021 08:37:16 GMT

Thanks for the reply..

I tried log exporter first but i guess there was an issue with the interpretation as i only say gateway ID and a MessageID..no further info on the log messages ..just random IDs

Yes on the intermediate server i am able to see allowed logs and NAT Translation logs only..there are no audit or drop logs there...the same allow and NAT logs i am able to see in datadog console aswell.

By your second para..do you mean default config of log exporter will forward audit and drop logs or default syslog config can also do that ?

I created a syslog server object in smartconsole and pointed logs from each gateway to that server.

Re: Audit Logs over Syslogs

PhoneBoy — Thu, 15 Apr 2021 20:34:10 GMT

It sounds like you may not be exporting logs in the correct format.
Log exporter supports several different formats and it would help to know precisely how you configured it.

Exporting logs using a syslog server object in SmartConsole will not give you the result you expect.
That will only work for simple firewall rules, and won't log anything related to other blades (including App Control or other blades).
It will tell you nothing about audit logs either.
The only way to get audit logs is Log Exporter.

Re: Audit Logs over Syslogs

LostBoY — Fri, 16 Apr 2021 12:17:40 GMT

ok got it now that log exporter is the only way to export audit logs..

i used the following to configure log exporter

cp_log_export add name DDog target-server 192.168.100.110 target-port 514 protocol udp format syslog

but it didnt work out

Re: Audit Logs over Syslogs

PhoneBoy — Fri, 16 Apr 2021 16:21:38 GMT

I assumed you’ve not modified any of the configuration files?
In any case, the TAC is probably necessary here.