LostBoY
Advisor

Audit Logs over Syslogs

I have a requirement where I need to forward logs from my R80.40 Gateway Cluster to Datadog. This is being done by forwarding syslog to an intermediate syslog server, and from there the syslog messages are forwarded to Datadog.

I tried doing this via Log Exporter, but in the Datadog console and on the syslog server I only saw the gateway name and a message ID; no other information was available, so I went with the conventional syslog integration.

After that, in Datadog I can see traffic logs in the form of traffic being allowed along with NAT translations, but I cannot see any audit logs, nor any traffic drop logs that go through the implicit deny rule.

My queries here are:

1) Does simple syslog integration with the Management server include audit logs? Does syslog include audit log info as well?

2) Is Log Exporter the only way to forward audit log information?

3) Any reason I cannot see drop logs there?

5 Replies
PhoneBoy
Admin

By “simple” you mean configuring it without using log_exporter: that only gives you operating system messages, not anything related to the security policy configuration.

Log Exporter is the correct way to do it and, in the default configuration, it should forward audit and drop logs.
These can be filtered, but they also may not be interpreted correctly by the destination.

More details about what you’ve done/configured would be helpful.
Can you see the relevant logs on the intermediate syslog server?

LostBoY
Advisor

Thanks for the reply.

I tried Log Exporter first, but I guess there was an issue with the interpretation, as I only saw a gateway ID and a message ID; no further info on the log messages, just random IDs.

Yes, on the intermediate server I am able to see allowed logs and NAT translation logs only; there are no audit or drop logs there. The same allow and NAT logs I am able to see in the Datadog console as well.

By your second paragraph, do you mean the default config of Log Exporter will forward audit and drop logs, or that the default syslog config can also do that?

I created a syslog server object in SmartConsole and pointed the logs from each gateway to that server.

PhoneBoy
Admin

It sounds like you may not be exporting logs in the correct format.
Log exporter supports several different formats and it would help to know precisely how you configured it.

Exporting logs using a syslog server object in SmartConsole will not give you the result you expect.
That will only work for simple firewall rules, and won't log anything related to other blades (App Control, for instance).
It will tell you nothing about audit logs either.
The only way to get audit logs is Log Exporter.
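A quick way to check, on the intermediate syslog server, whether the Log Exporter feed actually carries audit and drop records is to parse what arrives and count the record types. The script below is an added example, not code from the thread or from Check Point: it assumes the Log Exporter "syslog" format wraps the record as `key:"value"; key:"value"; ...` pairs inside one bracketed element after a `CheckPoint` tag, and that audit records carry `product:"SmartConsole"` / `administrator`, while traffic records carry `action:"Accept"` or `action:"Drop"`. The hostnames, addresses and the sample lines are constructed, not captured from a real gateway; adjust the field names if your export differs.

```python
"""Classify Check Point Log Exporter syslog lines as accept / drop / audit.

Added example (not from the original thread). Assumptions: the header
layout '<PRI>1 <ts> <host> CheckPoint <pid> - [ ... ]' and the field
names used in classify() are taken from the Log Exporter syslog format
as observed by the example's author; SAMPLE_LINES are constructed.
"""
import re
from collections import Counter

# Constructed sample lines (hypothetical hosts and RFC 5737 addresses).
SAMPLE_LINES = [
    '<134>1 2021-03-01T10:00:00Z gw1 CheckPoint 1234 - [action:"Accept"; '
    'origin:"10.0.0.1"; product:"VPN-1 & FireWall-1"; src:"10.1.1.5"; '
    'dst:"198.51.100.53"; service:"53"; rule_name:"Allow DNS"; '
    'xlatesrc:"203.0.113.10"]',
    '<134>1 2021-03-01T10:00:01Z gw1 CheckPoint 1234 - [action:"Drop"; '
    'origin:"10.0.0.1"; product:"VPN-1 & FireWall-1"; src:"192.0.2.7"; '
    'dst:"10.1.1.5"; service:"23"; rule_name:"Cleanup rule"]',
    '<134>1 2021-03-01T10:00:02Z mgmt1 CheckPoint 5678 - [action:"Modify Object"; '
    'origin:"10.0.0.2"; product:"SmartConsole"; administrator:"admin"; '
    'operation:"Modify Object"; objectname:"Allow DNS"]',
    'garbage line that does not match the expected header',
]

# Header: syslog PRI, RFC 5424 version 1, timestamp, host, app-name, pid, then
# the bracketed body holding the Check Point fields.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) CheckPoint (?P<pid>\S+) - '
    r'\[(?P<body>.*)\]$'
)
# One field: name:"value" where the value may contain escaped quotes or ';'.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return a dict of fields for one exported line, or None if it does not parse."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"host": m.group("host"), "timestamp": m.group("ts")}
    rec.update(dict(FIELD_RE.findall(m.group("body"))))
    return rec


def classify(rec):
    """Map a parsed record to audit / accept / drop / other."""
    # Management audit records identify themselves by product / administrator,
    # not by the traffic-style action values (assumed field names).
    if rec.get("product") == "SmartConsole" or "administrator" in rec:
        return "audit"
    action = rec.get("action", "")
    if action == "Accept":
        return "accept"
    if action in ("Drop", "Reject", "Prevent"):
        return "drop"
    return "other"


def summarize(lines):
    """Count record categories across a batch of lines; unparsable lines are counted too."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return counts


def missing_categories(counts, required=("audit", "drop")):
    """Categories that a healthy Log Exporter feed should contain but that are absent."""
    return [c for c in required if counts.get(c, 0) == 0]


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES)
    print(dict(counts))
    missing = missing_categories(counts)
    print("missing:", missing or "none")
```

Run it against a capture of the intermediate server's inbound feed (`sample_lines = open("export.log").read().splitlines()`). If `unparsed` dominates, the exporter is not sending the format the receiver expects; if only `accept` shows up and `audit` and `drop` are missing, the feed is being filtered or the wrong source (a syslog server object rather than Log Exporter) is in use.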

LostBoY
Advisor

OK, got it now that Log Exporter is the only way to export audit logs.

I used the following to configure Log Exporter:

cp_log_export add name DDog target-server 192.168.100.110 target-port 514 protocol udp format syslog

but it didn't work out.

PhoneBoy
Admin

I assume you’ve not modified any of the configuration files?
In any case, TAC is probably necessary here.
