Webmin and Syslog on ERA 6.5

[whitelistCMD 1]

Hello,

I'm having issues getting the ERA to send syslog messages. There's nothing blocking the traffic in our network, so I've ruled that out. I followed the ERA admin guide for configuration in the ERA itself and have even tested different settings in the ERA syslog section to see if it would make an impact, but still no dice. I'm running ERA OVA 6.5 in vmware. I have the webmin interface enabled on the ERA. Does anyone know of anyway to validate within the webmin interface or through ssh to ERA, that the ERA is even sending syslog messages? Thanks in advance.

[MartinK 378]

Have you checked SERVER's trace log for errors? What type and how do you generate logs that you are expecting to be sent to syslog server?

[whitelistCMD 1]

I don't see any errors in the ERA trace log, but would be happy to send in a pm if you'd like. I've attached a picture of syslog config in ERA. Please see attached. Thanks.

[whitelistCMD 1]

I think I've discovered the problem. I need to test some more to be certain. Can you please explain the log verbosity levels? Does "Warning" include Information, Debug, and trace? I'm trying to decide on a level, but there's no clear answer on which setting covers which. Some say "this, plus above" and then Warning Is "Ciritcal Error Messages and Warnings". That's not entirely clear to me. So does Warning include Error and Critical and then above?  Information, Debug, and Trace? Is that included in Warning too? 

[MartinK 378]

Just to clarify, "Export to Syslog" functionality exports only specific threat-related logs sent from clients (see documentation) and not trace logs generated by ERA itself. Or did I misunderstand you?

And regarding severity of trace log: warning does not include lower severities (information, debug, trace), only the equal or higher severity (error, critical,...). Technically you are choosing minimal verbosity to be processed.

[whitelistCMD 1]

Hi Martin,

We're basically on the same page, minus the trace log. I only looked in the Trace Log to see if there were errors pertaining to why I couldn't get syslog working, but it is now. More to come on that later. My ultimate goal in this is to get as many Endpoint logs into our SIEM as possible. If I were wanting to do that, which logging verbosity level should I be setting on the ERA? So, Error is least amount of logging and Debug and Trace are the most? Will Trace include error logs? I hope this is making sense? Another way to put it, is which level of logging is the most all encompassing level, and which other levels of logging does that level include? 

Also, is there currently a way to export Web Control logs to a SIEM? Thanks again for the help.

[MartinK 378]

Now I understand. ERA exports only "Error", "Critical" and "Fatal" errors that are sent by security product. You cannot change this behavior in ERA -> it may be possible only in EES/EAV for specific events. For example if you see "read" entries in Threats view of Webconsole, those logs should be exported to syslog.

Could you try to set syslog server hostname intentionally to wrong value and check for errors in trace.log? At least you will have confirmation that something is happening.

Regarding severity configuration in ERA, if you set trace log severity to "Trace", it will trace everything.

 

 

[whitelistCMD 1]

Now I'm confused again. The logging to SIEM from ERA is currently working, I'm no longer concerned about getting logs to SIEM. I'm now trying to determine what logs will be sent to SIEM, and how to change which logs are sent based off of what trace log verbosity setting I choose? Does that make sense?

What I would like to do is get the logs from the Endpoints to the SIEM, which is currently working, but which logs will be sent there? Can I change this based off of the Trace Log Verbosity setting? If so, which setting should I choose to get the most all encompassing logs sent there? I have it set to Warning currently, but what is "warning" comprised of in regards to the other levels of logging. Will "warning" include warning itself, plus information, plus trace, plus debug? 

Again, the whole goal of this is to get as many logs of all types sent to our SIEM, and obviously in doing that, I want to know what is covered by each verbosity setting? This really should be more of linear option, and not as variant. If I have Web Control feature enabled on an Endpoint and the Endpoint is logging all blocked URL's, sending them to ERA which I can generate a report off of, I should be able to pipe those logs then from the ERA to a SIEM, along with other logs. If I need to clarify any part of this, please say so. Thanks.

[whitelistCMD 1]

Just to clarify, are you saying that the "Trace Log Verbosity" which I have set to "Warning" under Admin>Server Settings>Trace log verbosity does not impact which logs from Endpoints are sent when I have the "Export logs to syslog" option turned on? That may help answer some questions. If I turn on "Export logs to syslog" then all I'm going to get into SIEM is the predefined set of logs from Endpoints that are sent to ERA which I can find listed in the Threats Tab? If this is the case, I would like to request a clearer and more simplified logging option because how it is sent now is misleading. If turning on "export logs to syslog" which will send Endpoint logs to my SIEM, then I should see either A. All logs from Endpoint, or B. Have the option to choose which logs are sent from Endpoint with all the same options that are on the Endpoint. Also, Trace Log Verbosity should be grouped separately because its current placement is misleading. If I have the option to change Trace Log Verbosity for Server Trace Log, then please create separate section for Trace Log where I can easily define for both Server and Endpoints and then clearly state that this does not control Exporting of Endpoint feature logs. 

[MartinK 378]

1 hour ago, whitelistCMD said:

Just to clarify, are you saying that the "Trace Log Verbosity" which I have set to "Warning" under Admin>Server Settings>Trace log verbosity does not impact which logs from Endpoints are sent when I have the "Export logs to syslog" option turned on? That may help answer some questions. If I turn on "Export logs to syslog" then all I'm going to get into SIEM is the predefined set of logs from Endpoints that are sent to ERA which I can find listed in the Threats Tab?

Exactly as you wrote. ERA trace logging and its configuration is completely unrelated to logs export into SIEM.

Regarding design and usability, I am not sure why it has been done as it was - I guess market research showed it is sufficient. Maybe MichalJ will read this and will be able to provide more insight.

[whitelistCMD 1]

Thank you, Martin. I appreciate you seeing this through with me and making sure I understood correctly. Hopefully this can be addressed in the future. And also the ability to fetch an Endpoints trace log from ERA would be very helpful as well. Thanks again. I appreciate your time.