Camilo Diaz (posted December 12, 2018): Hi Eset, we currently have ESET Security Management Center v7.0.553.0, configured to send the logs to a syslog server. I've captured the traffic from the server and I can't see any outbound traffic going to my log server. A special rule to allow the traffic is configured in the Firewall. Any ideas? Thanks, Camilo
ewong, Most Valued Member (posted December 12, 2018): Do you happen to have the outbound firewall rule on your server created? (Ditto with the inbound rule for your syslog server, which I'll assume you have.)
Camilo Diaz, author (posted December 12, 2018): 11 minutes ago, ewong said: "Do you happen to have the outbound firewall rule on your server created? (Ditto with the inbound rule for your syslog server, which I'll assume you have.)" Yes, I have the outbound firewall rule on the server, but from the traffic capture I can't see any traffic going to my syslog server at all. The server is Microsoft Windows Server 2012 R2.
ewong, Most Valued Member (posted December 12, 2018): And by outbound firewall rule, you do need to specify the output port 514 (or whatever you have specified) and using UDP.
Camilo Diaz, author (posted December 12, 2018): 26 minutes ago, ewong said: "And by outbound firewall rule, you do need to specify the output port 514 (or whatever you have specified) and using UDP." Yes, exactly that: UDP and port 514. The same config is set in the web console. Do you have this configured?
ewong, Most Valued Member (posted December 12, 2018): I didn't have it configured, but I just set it up. Now I'm not entirely sure how to test this out.
Camilo Diaz, author (posted December 12, 2018): 27 minutes ago, ewong said: "I didn't have it configured, but I just set it up. Now I'm not entirely sure how to test this out." You should receive the logs in your syslog server. Because I didn't receive them, I began investigating by analyzing the network traffic to see what was going on, but I can't see any traffic generated from the ESET server to my syslog server :(
MartinK, ESET Staff (posted December 12, 2018): Just to be sure, there are two places in the ESMC configuration you have to set in order to send data to a syslog server: 1) configure the Syslog server (host, port, etc.); 2) enable exporting of logs into Syslog. There are two settings there, one to enable exporting and a second to specify the format (LEEF, JSON). Once this is done, it can be tested by login/logout operations, which should be sent to the syslog server and are easily reproducible...
Camilo Diaz, author (posted December 12, 2018): So this is my config of the syslog server: [screenshot not preserved] This is the config for Logging: [screenshot not preserved] I thought this last config would leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ? If I set localhost as the host, where would the files be stored?
MartinK, ESET Staff (posted December 12, 2018): 30 minutes ago, Camilo Diaz said: "I thought this last config would leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ?" Just "Trace log verbosity" affects the trace.log files in the mentioned directory. The two remaining settings are for enabling export of data to syslog. Actually, the data published to syslog is completely different from the entries in the trace logs, so it might be confusing. 30 minutes ago, Camilo Diaz said: "If I set localhost as the host, where would the files be stored?" It was just an example from a Linux environment, where it is common to have a local syslog server configured to redirect messages to a remote location. Your configuration seems fine and I would expect there will be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt the changes in ESMC for your specific syslog server. There are variants that accept only TCP connections, as it can handle longer messages.
Camilo Diaz, author (posted December 12, 2018): 1 hour ago, MartinK said: "It was just an example from a Linux environment, where it is common to have a local syslog server configured to redirect messages to a remote location. Your configuration seems fine and I would expect there will be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt the changes in ESMC for your specific syslog server. There are variants that accept only TCP connections, as it can handle longer messages." Ok, so for testing purposes I have set the server as localhost; that way I can send the JSON file to our syslog server. Do you know where those files are stored in Windows?
Camilo Diaz, author (posted December 13, 2018): Ok, so I just realized this won't work on a Windows server. I am pointing the syslog server to my PC running Linux and I'll see if that makes a difference....
ewong, Most Valued Member (posted December 17, 2018): I don't understand why it won't work on a Windows server. I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems.
Camilo Diaz, author (posted January 7, 2019): On 12/17/2018 at 2:46 PM, ewong said: "I don't understand why it won't work on a Windows server. I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems." Windows uses Event Viewer. For using syslog, you need to set up a syslog server.
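To give ewong's "how do I test this" and MartinK's "verify that your syslog is actually configured to accept such messages" a concrete check, and to cover Camilo's closing point that Windows has no syslog daemon out of the box: the script below is an added example for this thread, written by the editor, not ESET code. It is a minimal UDP syslog receiver with a matching sender. It parses the RFC 3164/5424 <PRI> header and classifies the body as JSON, LEEF 1.0 (tab-delimited attributes assumed) or plain text. The three sample messages in the self-test are constructed for illustration and do not reproduce ESMC's real JSON or LEEF output; the vendor/product strings in the LEEF sample are placeholders.

```python
"""Minimal UDP syslog receiver/sender for checking an ESMC -> syslog path.
Added example, not ESET code; sample messages are constructed, not real ESMC output."""
import json
import re
import socket

# RFC 3164 / RFC 5424 "<PRI>" header: PRI = facility * 8 + severity
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_leef(text):
    """Parse 'LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v'.
    Assumes the LEEF 1.0 default tab delimiter between attributes."""
    parts = text.split("|", 5)
    if len(parts) < 5 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    attrs = {}
    for kv in (parts[5].split("\t") if len(parts) == 6 else []):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key] = value
    return {"leef_version": parts[0][5:], "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}


def parse_syslog(datagram):
    """Decode one datagram: PRI header, then classify the body as json/leef/plain."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    match = PRI_RE.match(text)
    if not match:  # no <PRI> header at all: keep it, but flag it as raw
        return {"facility": None, "severity": None, "format": "raw", "body": text}
    pri, body = int(match.group(1)), match.group(2)
    rec = {"facility": pri // 8, "severity": SEVERITY[pri % 8]}
    brace = body.find("{")
    if brace != -1:  # JSON export: the object follows the syslog header fields
        try:
            rec.update(format="json", body=json.loads(body[brace:]))
            return rec
        except ValueError:
            pass
    leef = body.find("LEEF:")
    if leef != -1:
        try:
            rec.update(format="leef", body=parse_leef(body[leef:]))
            return rec
        except ValueError:
            pass
    rec.update(format="plain", body=body)
    return rec


def open_listener(host="127.0.0.1", port=0, timeout=5.0):
    """Bind a UDP socket. port=0 picks a free port (no admin rights needed);
    use 514 on the collector host to stand in for the syslog daemon."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock


def receive_one(sock):
    """Return the next parsed datagram, or None if nothing arrived before the timeout."""
    try:
        data, peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    rec = parse_syslog(data)
    rec["peer"] = peer[0]  # who actually sent it: should be the ESMC server
    return rec


def send_syslog(host, port, message, facility=1, severity=6):
    """Send one RFC 3164-style datagram; proves the network path and the collector
    independently of whether the ESMC export is actually enabled."""
    pri = facility * 8 + severity
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(("<%d>%s" % (pri, message)).encode("utf-8"), (host, port))


def loopback_self_test():
    """Send three constructed messages over loopback and return the parsed records."""
    samples = [  # constructed; not ESMC's real formats
        'Dec 12 10:00:00 esmc exporter: {"event": "Login", "user": "admin", "result": "success"}',
        "Dec 12 10:00:01 esmc LEEF:1.0|ExampleVendor|ExampleProduct|1.0|Login|user=admin\tresult=success",
        "Dec 12 10:00:02 esmc plain text message",
    ]
    sock = open_listener()
    port = sock.getsockname()[1]
    results = []
    try:
        for msg in samples:
            send_syslog("127.0.0.1", port, msg)
            results.append(receive_one(sock))
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. "python syslog_check.py 514" on the collector host
        listener = open_listener("0.0.0.0", int(sys.argv[1]), timeout=None)
        print("listening on udp/%s, waiting for the exporter..." % sys.argv[1])
        while True:
            record = receive_one(listener)
            if record:
                print(record)
    else:
        for record in loopback_self_test():
            print(record)
```

Usage: run it with no arguments first to confirm the parser and loopback path work, then run it with the port ESMC is configured to use (514 needs elevated rights, and an already-running syslog daemon on that port must be stopped or the check moved to a spare port) on the collector host, and trigger a login/logout in the ESMC console as MartinK suggests. Combined with a capture on the ESMC server this splits the problem cleanly: nothing leaving ESMC means the export is not enabled; packets leaving but nothing arriving means the firewall or network; packets arriving here but not in the real collector means the collector's own configuration (for example a TCP-only input).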