Jump to content

ESMC7 - SYSLOG Server


Camilo Diaz
 Share

Recommended Posts

Hi Eset,
We currently have Eset Security management Center v7.0.553.0, configured to send the logs the a syslog server.
 
I've captured the traffic from the server and I can't see any outbound traffic going to my log server. A special rule to allow the traffic is configured in the Firewall.
 
Any ideas?
Thanks,
Camilo

 

 

Link to comment
Share on other sites

  • Most Valued Members

Do you happen to have the outbound firewall rule on your server created?  (Ditto with the inbound rule for your syslog server, which I'll assume you have).

Link to comment
Share on other sites

11 minutes ago, ewong said:

Do you happen to have the outbound firewall rule on your server created?  (Ditto with the inbound rule for your syslog server, which I'll assume you have).

Yes, I have the outbound firewall rule on the server but from the traffic capture I can't see any traffic going to my syslog server at all.

Server is Microsoft Windows Server 2012 R2

Edited by Camilo Diaz
typo
Link to comment
Share on other sites

  • Most Valued Members

And by outbound firewall rule,  you do need to specify the output port 514 (or whatever you have specified) and using UDP.

 

Link to comment
Share on other sites

26 minutes ago, ewong said:

And by outbound firewall rule,  you do need to specify the output port 514 (or whatever you have specified) and using UDP.

 

Yes, exactly that. UDP and port 514. The same config is set in the web console. Do you have this configured?

Link to comment
Share on other sites

  • Most Valued Members

I didn't have it configured; but I just set it up.   Now I'm not entirely sure how to test this out.

Link to comment
Share on other sites

27 minutes ago, ewong said:

I didn't have it configured; but I just set it up.   Now I'm not entirely sure how to test this out.

You should receive the logs in your syslog server. Because I didn't receive it, I began investigating by analyzing the network traffic to see what was going on but I can't see any traffic generated from Eset server to my syslog server :(.

 

Link to comment
Share on other sites

  • ESET Staff

Just to be sure, there are two places in ESMC configuration you have to set in order send data to syslog server:

  • Configure Syslog server (host, port, etc.)image.png
  • Enable exporting of logs into Syslog  -> there are two setting, one to enable exporting, and second to specify format (LEEF, JSON).image.png

Once this is done, it can be tested by login/logou operations, which should be sent to syslog server and are easily reproducible...

Link to comment
Share on other sites

So this is my config of syslog server:

syslogserver.png.37d8dbbe0e17df6c731c1850aebdf4b9.png

This is the config for Logging

logging.thumb.png.9ff7b76d3fa7f1f711be0ec73b6a1e94.png

I thought this last config will leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ?

 

If I set localhost as the host, where would the files be stored?

 

Link to comment
Share on other sites

  • ESET Staff
30 minutes ago, Camilo Diaz said:

I thought this last config will leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ?

Just "Trace log verbosity" affects trace.log files in mentioned directory. Those two remaining issues are enabling exporting of data to syslog. Actually data published to syslogs is completely different that entries in trace logs, so it might be confusing.

30 minutes ago, Camilo Diaz said:

If I set localhost as the host, where would the files be stored?

It was just an example from Linux environment, where it is commonly used to have local syslog server, configured to redirect messages to remote location. You configuration seems fine and I would expect there will be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt changes in ESMC for your specific syslog server. There are variant that do accept only TCP connections, as it can handle longer messages.

Edited by MartinK
Link to comment
Share on other sites

1 hour ago, MartinK said:

It was just an example from Linux environment, where it is commonly used to have local syslog server, configured to redirect messages to remote location. You configuration seems fine and I would expect there will be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt changes in ESMC for your specific syslog server. There are variant that do accept only TCP connections, as it can handle longer messages.

Ok, so for testing purposes I have set the server as localhost, that way I can send the JSON file to our syslog server. Do you know where those files are stored in Windows?

Link to comment
Share on other sites

  • Most Valued Members

I don't understand why it won't work on a Windows server.  I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems.

Link to comment
Share on other sites

  • 3 weeks later...
On 12/17/2018 at 2:46 PM, ewong said:

I don't understand why it won't work on a Windows server.  I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems.

Windows uses Event Viewer. For using syslog, you need to set up a syslog server.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...