While not perfect, you can get some IDPS alerts via Syslog via this procedure. It may just share signature_id info, not the actual signature name. You may also be successful subscribing to events via the Central Streaming API.
Firewall logs are coming with something included in the syslog config below:
logging system process flbwrap level informational
logging 192.168.2.50 format cef type user severity informational facility local5
logging 192.168.2.50 format cef type network severity informational facility local5
logging 192.168.2.50 format cef type security severity informational facility local5
logging 192.168.2.50 format cef type system severity informational facility local5
logging 192.168.2.50 format cef type wireless severity informational facility local5
logging 192.168.2.50 format cef type ap-debug severity informational facility local5
I don't know exactly which, but think it is system subprocess authmgr as that is how they arrive on my syslog server.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
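A receiver-side check for the `format cef ... facility local5` configuration in the reply above, as an added example that is not part of the original posts or Aruba's own tooling: it decodes the syslog priority and the standard CEF header so you can see which events arrive and whether the name field carries more than the signature ID. The sample lines, vendor/product strings and field values are constructed, not real gateway output.

```python
import re
from collections import Counter

FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # syslog facility codes 16-23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        return None
    pri = int(m.group(1))
    return FACILITIES.get(pri >> 3, str(pri >> 3)), SEVERITIES[pri & 7]

def parse_cef(line):
    """Parse the standard 7-field CEF header plus key=value extension."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Split on unescaped pipes only; CEF escapes a literal pipe as \|
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        return None
    keys = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    event = dict(zip(keys, (p.replace("\\|", "|") for p in parts[:7])))
    # Extension values may contain spaces, so a value runs until the next key=
    event["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7] if len(parts) > 7 else ""))
    return event

def summarise(lines):
    """Count received CEF events by (facility, signature_id, name)."""
    counts = Counter()
    for line in lines:
        pri, event = decode_pri(line), parse_cef(line)
        if pri and event:
            counts[(pri[0], event["signature_id"], event["name"])] += 1
    return counts

# Constructed sample lines (assumed layout, not real gateway output); <174> = local5.info
SAMPLE = [
    "<174>May 24 08:17:01 gw1 CEF:0|ExampleVendor|ExampleGateway|1.0|100234|100234|5|src=10.0.0.5 dst=10.0.0.9 msg=ids event",
    "<174>May 24 08:17:02 gw1 CEF:0|ExampleVendor|ExampleGateway|1.0|200001|session deny|3|src=10.0.0.7 act=deny",
    "<13>May 24 08:17:03 host plain syslog line without CEF",
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).items():
        print(key, n)
```

In the first constructed line the name field simply repeats the signature ID, which is how an alert that carries only signature_id information would show up in the summary.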
Original Message:
Sent: May 24, 2024 08:17 AM
From: zweenig
Subject: Sending Firewall and IPS logs to a syslog server
I have been trying to send to my syslog server on here. We do not have a SIEM so I was trying to just get the logs over. I have tried sending all IDS/IPS logs with warn and alert. I know logs are getting to the syslog, because others I have sent from the device are making it. The same goes for the firewall logs.
Original Message:
Sent: May 24, 2024 02:51 AM
From: ariyap
Subject: Sending Firewall and IPS logs to a syslog server
From Global -> Security -> Gateway IDS/IPS you can send threat events to a SIEM server.
Configure SIEM doco
and from here you can configure your SYSLOG servers
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: May 23, 2024 09:26 AM
From: zweenig
Subject: Sending Firewall and IPS logs to a syslog server
Hey All,
I have not been able to get this to work as of yet, and am checking to see if anyone else has. I am attempting to send firewall and IPS logs to an external syslog server from our Gateways. I have tried sending Security all, Security Firewall, and Security IDS and none of them seem to be sending logs.
Any help would be appreciated.