Archived

This topic is now archived and is closed to further replies.

Camilo Diaz

ESMC7 - SYSLOG Server

Hi Eset,
We currently have ESET Security Management Center v7.0.553.0, configured to send the logs to a syslog server.
 
I've captured the traffic from the server and I can't see any outbound traffic going to my log server. A special rule to allow the traffic is configured in the Firewall.
 
Any ideas?
Thanks,
Camilo

 

 


Do you happen to have the outbound firewall rule on your server created? (Ditto with the inbound rule for your syslog server, which I'll assume you have).

11 minutes ago, ewong said:

Do you happen to have the outbound firewall rule on your server created? (Ditto with the inbound rule for your syslog server, which I'll assume you have).

Yes, I have the outbound firewall rule on the server but from the traffic capture I can't see any traffic going to my syslog server at all.

Server is Microsoft Windows Server 2012 R2


And by outbound firewall rule, you do need to specify the output port 514 (or whatever you have specified) and using UDP.

 

26 minutes ago, ewong said:

And by outbound firewall rule, you do need to specify the output port 514 (or whatever you have specified) and using UDP.

 

Yes, exactly that. UDP and port 514. The same config is set in the web console. Do you have this configured?


I didn't have it configured; but I just set it up. Now I'm not entirely sure how to test this out.

27 minutes ago, ewong said:

I didn't have it configured; but I just set it up. Now I'm not entirely sure how to test this out.

You should receive the logs in your syslog server. Because I didn't receive it, I began investigating by analyzing the network traffic to see what was going on but I can't see any traffic generated from Eset server to my syslog server :(.

 


Just to be sure, there are two places in ESMC configuration you have to set in order send data to syslog server:

  • Configure Syslog server (host, port, etc.)
  • Enable exporting of logs into Syslog -> there are two settings, one to enable exporting, and a second to specify the format (LEEF, JSON).

Once this is done, it can be tested by login/logout operations, which should be sent to the syslog server and are easily reproducible...

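The two checks discussed above (is the UDP/514 path through the firewall actually open, and does anything arrive when you trigger a login/logout in the console) can be done with a small script on each side. The following is an added example, not code from the original thread or from ESET: a minimal UDP syslog receiver plus a parser for the two payload formats ESMC can export, LEEF and JSON. The sample messages, host names, field names and event IDs in it are constructed for illustration and are not verbatim ESMC output.

```python
"""Added example (not ESET's code): a small UDP syslog receiver and a
parser for the two payload formats ESMC can export, LEEF and JSON.
The SAMPLE_* messages are constructed to show the shapes; they are not
verbatim ESMC output."""
import json
import re
import socket

# Constructed samples: RFC 5424 style header, then a LEEF 2.0 / JSON body.
SAMPLE_LEEF = ("<14>1 2018-12-17T14:46:00Z esmc-server ERAServer - - - "
               "LEEF:2.0|ESET|ESMC|7.0|Login|x09|"
               "usrName=Administrator\tresult=success\tsrc=10.0.0.5")
SAMPLE_JSON = ('<14>1 2018-12-17T14:46:05Z esmc-server ERAServer - - - '
               '{"event_type": "Audit_Event", "action": "Logout", '
               '"user": "Administrator", "result": "Success"}')

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(line):
    """Split the '<PRI>' prefix off a syslog line.
    Returns (facility, severity, rest); facility and severity are None
    when the line carries no valid PRI."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_leef(payload):
    """Parse a LEEF 1.0/2.0 record found anywhere in the payload.
    Returns a dict, or None if the payload has no LEEF record."""
    idx = payload.find("LEEF:")
    if idx < 0:
        return None
    parts = payload[idx:].split("|")
    if len(parts) < 6:
        return None
    version = parts[0][len("LEEF:"):]
    if version.startswith("2") and len(parts) >= 7:
        # LEEF 2.0 carries an explicit attribute delimiter: a literal
        # character, or 'xHH' for a hex code; empty means tab.
        delim, attrs = parts[5], "|".join(parts[6:])
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
            delim = chr(int(delim[1:], 16))
        delim = delim or "\t"
    else:
        delim, attrs = "\t", "|".join(parts[5:])
    fields = {}
    for kv in attrs.split(delim):
        if "=" in kv:
            key, val = kv.split("=", 1)
            fields[key.strip()] = val.strip()
    return {"leef_version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "fields": fields}


def parse_json(payload):
    """Parse a JSON object that follows the syslog header; None if absent."""
    idx = payload.find("{")
    if idx < 0:
        return None
    try:
        obj = json.loads(payload[idx:])
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def parse_message(line):
    """Classify one datagram as LEEF, JSON or raw text and parse it."""
    facility, severity, rest = split_pri(line)
    record, fmt = parse_leef(rest), "leef"
    if record is None:
        record, fmt = parse_json(rest), "json"
    if record is None:
        record, fmt = rest, "raw"
    return {"facility": facility, "severity": severity,
            "format": fmt, "record": record}


def receive_one(bind_host="0.0.0.0", port=514, timeout=60.0):
    """Run on the syslog host: wait for one UDP datagram and parse it.
    Binding port 514 needs administrator/root rights. Trigger a login or
    logout in the ESMC console while this is waiting."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        sock.settimeout(timeout)
        data, (src, _) = sock.recvfrom(65535)
    return src, parse_message(data.decode("utf-8", "replace"))


def send_test(host, port=514, msg=SAMPLE_LEEF):
    """Run on the ESMC host: send one constructed datagram to the syslog
    host. If receive_one() sees it, the firewall path is open and the
    remaining problem is the ESMC export setting, not the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(msg.encode("utf-8"), (host, port))
```

Run `receive_one()` on the log server first, then `send_test("logserver.domain.com")` from the ESMC server: a datagram that arrives rules out the Windows outbound rule and the path in between, so a capture that still shows nothing after a console login/logout points at the export switch or format setting in ESMC rather than at the firewall. If your syslog server only accepts TCP, this UDP test will not reach it and the ESMC side has to be changed to match.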

So this is my config of syslog server:

[screenshot: Syslog server configuration]

This is the config for Logging

[screenshot: Logging configuration]

I thought this last config will leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ?

 

If I set localhost as the host, where would the files be stored?

 

30 minutes ago, Camilo Diaz said:

I thought this last config will leave a copy in \ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\ ?

Just "Trace log verbosity" affects trace.log files in the mentioned directory. The two remaining settings are for enabling the export of data to syslog. Actually the data published to syslog is completely different than the entries in the trace logs, so it might be confusing.

30 minutes ago, Camilo Diaz said:

If I set localhost as the host, where would the files be stored?

It was just an example from a Linux environment, where it is common to have a local syslog server configured to redirect messages to a remote location. Your configuration seems fine and I would expect there to be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt the changes in ESMC for your specific syslog server. There are variants that only accept TCP connections, as it can handle longer messages.

1 hour ago, MartinK said:

It was just an example from a Linux environment, where it is common to have a local syslog server configured to redirect messages to a remote location. Your configuration seems fine and I would expect there to be UDP packets sent to "logserver.domain.com". Please verify that your syslog is actually configured to accept such messages, or adapt the changes in ESMC for your specific syslog server. There are variants that only accept TCP connections, as it can handle longer messages.

Ok, so for testing purposes I have set the server as localhost, that way I can send the JSON file to our syslog server. Do you know where those files are stored in Windows?


Ok so I just realized this won't work on a Windows server.

I am pointing the syslog server to my PC running Linux and I'll see if that makes a difference....


I don't understand why it won't work on a Windows server. I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems.

On 12/17/2018 at 2:46 PM, ewong said:

I don't understand why it won't work on a Windows server. I've had to put this on a backburner (for a bit) as I had fubar'd my setup and am needing to re-add the systems.

Windows uses Event Viewer. For using syslog, you need to set up a syslog server.
