SD-WAN

 View Only
last person joined: 8 hours ago 

Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practics, and third-party integrations. All things SD-WAN!
Expand all | Collapse all

Sending Firewall and IPS logs to a syslog server

This thread has been viewed 11 times
  • 1.  Sending Firewall and IPS logs to a syslog server

    Posted May 23, 2024 09:26 AM

    Hey All,

    I have not been able to get this to work as of yet, and am checking to see if anyone else has.  I am attempting to send firewall and IPS logs to an external syslog server from our Gateways.  I have tried sending Security all, Security Firewall, and Security IDS and none of them seem to be sending logs.

    Any help would be appreciated



  • 2.  RE: Sending Firewall and IPS logs to a syslog server

    EMPLOYEE
    Posted May 24, 2024 02:52 AM

    from Global->Security-> Gateway IDS/IPS you can send threat events to SIEM server

    Configure SIEM doco

    and from here you can configure your SYSLOG servers



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Sending Firewall and IPS logs to a syslog server

    Posted May 24, 2024 08:17 AM

    I have been trying to send to my syslog server on here.  We do not have a SIEM so I was trying to just get the logs over.  I have tried sending all ISD/IPS logs with warn and alert.  I know logs are getting to the syslog, because others I have sent from the device are making it.  The same goes for the firewall logs.




  • 4.  RE: Sending Firewall and IPS logs to a syslog server

    Posted May 28, 2024 10:09 AM

    While not perfect, you can get some IDPS alerts via Syslog via this procedure. It may just share signature_id info, not the actual signature name. You may also be successful subscribing to events via the Central Streaming API.

    Firewall logs are coming with something included in the syslog config below:

    logging system process flbwrap level informational
    logging 192.168.2.50 format cef type user severity informational facility local5
    logging 192.168.2.50 format cef type network severity informational facility local5
    logging 192.168.2.50 format cef type security severity informational facility local5
    logging 192.168.2.50 format cef type system severity informational facility local5
    logging 192.168.2.50 format cef type wireless severity informational facility local5
    logging 192.168.2.50 format cef type ap-debug severity informational facility local5

    I don't know exactly which, but think it is system subprocess authmgr as that is how they arrive on my syslog server.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------