How To Configure Syslog over VPN

Applicable Version: 10.00 onwards

Overview

Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse. Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards logs to the syslog server in a specific format. Cyberoam UTM provides a reporting module to clients via an external syslog server, via iView software or via any other third-party syslog server.

Syslog over VPN gives you the flexibility to have centralized reporting for all the branch offices at the head office. It offers you an architecture for centralized reporting in a secure manner via VPN.

Scenario

The network diagram below shows how Cyberoam is deployed in the network. The table below shows the configuration parameters where the Syslog Server at the Head Office receives syslogs from the LAN of the Branch Office:

Branch Office                               Head Office
Cyberoam WAN IP address: 192.168.20.178     Cyberoam WAN IP address: 192.168.20.111
LAN: 172.16.2.0                             LAN: 172.16.1.0
                                            Syslog Server: 172.16.1.5
Pre-requisites

A Site-to-Site VPN Tunnel, for example SyslogoverVPN, needs to be configured between the Head Office and the Branch Office.

Configuration

Follow the steps mentioned below to configure Syslog over VPN in Cyberoam. You must be logged on to the Web Admin Console of the Head Office (HO) Cyberoam as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Configure Syslog Server

Go to Logs & Reports > Configuration > Syslog Servers and click Add to add the Syslog Server as per the parameters below.

Parameter: Name
Value: Syslog
Description: Specify a unique name for the syslog server.

Parameter: IP Address
Value: 172.16.1.5
Description: Specify the IP address of the syslog server. Messages from the appliance will be sent to this server.

Parameter: Port
Value: 514
Description: Specify the port number for communication with the syslog server. The appliance will send messages using the configured port. Default: 514

Parameter: Facility
Value: DAEMON
Description: Select the syslog facility for log messages to be sent to the syslog server. Available options:
  DAEMON - Daemon logs (information of services running in the appliance as daemons)
  KERNEL - Kernel logs
  LOCAL0 - LOCAL7 - Log level information
  USER - Logging on the basis of users who are connected to the server

Parameter: Severity Level
Value: Debug
Description: Specify the severity level of logged messages. The severity level is the severity of the message that has been generated. Available options:
  EMERGENCY - System is not usable
  ALERT - Action must be taken immediately
  CRITICAL - Critical condition
  ERROR - Error condition
  WARNING - Warning condition
  NOTICE - Normal but significant condition
  INFORMATION - Informational
  DEBUG - Debug-level messages

Parameter: Format
Value: CyberoamStandard Format
Description: The appliance produces logs in the specified format. The appliance currently produces logs in its own standard format.
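The Facility and Severity Level settings above decide the numeric priority (PRI) that prefixes every message the appliance sends, which is what the syslog server at the Head Office uses to file or filter them. The following Python is an added example, not code from the Cyberoam documentation: it encodes the PRI for the page's DAEMON/Debug setting using the standard RFC 3164/5424 facility and severity codes, decodes the PRI of received lines, and applies a severity threshold. The sample lines are constructed placeholders, not output captured from an appliance.

```python
import re

# Syslog facility and severity codes as defined in RFC 3164 / RFC 5424.
# The names match the options offered in the Cyberoam syslog server form.
FACILITIES = {
    "KERNEL": 0,
    "USER": 1,
    "DAEMON": 3,
    **{f"LOCAL{n}": 16 + n for n in range(8)},
}

SEVERITIES = {
    "EMERGENCY": 0,
    "ALERT": 1,
    "CRITICAL": 2,
    "ERROR": 3,
    "WARNING": 4,
    "NOTICE": 5,
    "INFORMATION": 6,
    "DEBUG": 7,
}

FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """Compute the PRI value a syslog sender puts in front of a message."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def decode_pri(line: str) -> dict:
    """Split a raw syslog line into facility, severity and message body.

    Raises ValueError for lines without a valid <PRI> prefix; a receiver
    should treat those as malformed rather than silently file them away.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES.get(facility, f"FACILITY{facility}"),
        "severity": SEVERITY_NAMES[severity],
        "message": m.group(2),
    }


def passes_threshold(line: str, max_severity: str = "DEBUG") -> bool:
    """True if the line's severity is at or above (numerically <=) the threshold.

    With the page's setting (Debug) everything is accepted; tightening the
    threshold to e.g. WARNING keeps only WARNING and more urgent messages.
    """
    sev = SEVERITIES[decode_pri(line)["severity"]]
    return sev <= SEVERITIES[max_severity.upper()]


# Constructed sample lines (not captured from a real appliance): the body is a
# placeholder, only the <PRI> prefix matters for this demonstration.
SAMPLE_LINES = [
    '<31>Feb 20 10:00:01 cyberoam log_type="Firewall" ... (constructed)',   # DAEMON.DEBUG
    '<28>Feb 20 10:00:02 cyberoam log_type="Firewall" ... (constructed)',   # DAEMON.WARNING
    '<135>Feb 20 10:00:03 cyberoam log_type="System" ... (constructed)',    # LOCAL0.DEBUG
]

if __name__ == "__main__":
    print("Configured PRI for DAEMON/Debug:", encode_pri("DAEMON", "Debug"))
    for raw in SAMPLE_LINES:
        info = decode_pri(raw)
        print(f"{info['facility']}.{info['severity']}: kept at WARNING threshold = "
              f"{passes_threshold(raw, 'WARNING')}")
```

With the page's DAEMON/Debug setting the appliance sends PRI 31 (3 * 8 + 7); if the receiver sees a different facility in the prefix, the server is picking up messages from some other sender or the form was saved with a different facility than intended.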
Click OK to save the syslog server.

Step 2: Enable Syslog

Once you have added the server, configure the logs to be sent to the syslog server. Go to Logs & Reports > Configuration > Log Settings to configure the logs to be sent to the syslog server. Multiple servers can be configured, and different logs can be sent to different servers. To record logs you must enable the respective log and specify the logging location.
Step 3: Route Syslog traffic over IPSec Tunnel

You need to forward the Syslog traffic of the Head Office Cyberoam over the IPSec VPN Tunnel. You can forward the traffic by following the steps given below.

1. Log on to the CLI Console via Telnet or SSH. You can also access the CLI Console by clicking Console in the upper right corner of the Web Admin Console screen.
   Note: From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY.

2. Choose option 4. Cyberoam Console.

3. Execute the following command to route traffic over the IPSec tunnel:

   console> cyberoam ipsec_route add host 172.16.1.5 tunnelname syslogovervpn

   Where:
   172.16.1.5     - Syslog Server IP
   SyslogoverVPN  - VPN Tunnel name

4. Execute the following command to NAT Cyberoam-generated traffic:

   console> set advanced-firewall cr-traffic-nat add destination 172.16.1.5 snatip 172.16.2.1

   Where:
   172.16.1.5  - Syslog Server IP
   172.16.2.1  - Interface (LAN Interface of Branch Office)

The configuration above sends Syslog traffic from the Head Office to the Branch Office.

Document version: 2.0-20 February, 2015
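After the ipsec_route and cr-traffic-nat commands in Step 3 are in place, every branch log message arriving at the syslog server 172.16.1.5 should carry the SNAT address 172.16.2.1 as its source, because the appliance-generated traffic is translated to the branch LAN interface before entering the tunnel. Syslog over UDP/514 is cleartext, so the one thing worth checking on the receiving side is that no branch messages arrive from the branch WAN address instead, which would mean they crossed the WAN outside the tunnel. The following Python is an added example, not part of the Cyberoam documentation: a classifier that sorts received datagrams by source using the page's addresses. The /24 masks, the HO appliance LAN address 172.16.1.1 and the sample datagrams are constructed assumptions; the page only gives 172.16.1.0 and 172.16.2.0 as the LANs.

```python
import ipaddress
from typing import Iterable, NamedTuple

# Addresses taken from the page's scenario table and Step 3 commands.
SYSLOG_SERVER = ipaddress.ip_address("172.16.1.5")
SYSLOG_PORT = 514
BRANCH_SNAT_IP = ipaddress.ip_address("172.16.2.1")    # snatip in the cr-traffic-nat command
BRANCH_WAN_IP = ipaddress.ip_address("192.168.20.178")  # branch Cyberoam WAN address
# Assumption: the page lists the HO LAN only as 172.16.1.0; a /24 is assumed here.
HO_LAN = ipaddress.ip_network("172.16.1.0/24")


class Datagram(NamedTuple):
    """Minimal view of a received UDP datagram (constructed, not a pcap record)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str


def classify_source(dgram: Datagram) -> str:
    """Classify where a syslog datagram seen on the HO syslog server came from.

    'tunnel'        - source is the branch SNAT address 172.16.2.1, i.e. the
                      message was translated by cr-traffic-nat and sent through
                      the IPSec tunnel as Step 3 intends
    'local'         - source is on the HO LAN (e.g. the HO appliance's own logs)
    'cleartext-wan' - source is the branch WAN address: the message reached the
                      server without the tunnel route, so it crossed the WAN
                      unencrypted and should be investigated
    'unexpected'    - wrong destination, wrong port, or an unknown sender
    """
    if (ipaddress.ip_address(dgram.dst_ip) != SYSLOG_SERVER
            or dgram.dst_port != SYSLOG_PORT):
        return "unexpected"
    src = ipaddress.ip_address(dgram.src_ip)
    if src == BRANCH_SNAT_IP:
        return "tunnel"
    if src == BRANCH_WAN_IP:
        return "cleartext-wan"
    if src in HO_LAN:
        return "local"
    return "unexpected"


def audit(datagrams: Iterable[Datagram]) -> dict:
    """Count datagrams per class.

    A non-zero 'cleartext-wan' count means branch logs are bypassing the tunnel,
    typically because the ipsec_route or cr-traffic-nat entry is missing.
    """
    counts = {"tunnel": 0, "local": 0, "cleartext-wan": 0, "unexpected": 0}
    for d in datagrams:
        counts[classify_source(d)] += 1
    return counts


# Constructed sample datagrams (not a real capture). Payloads are placeholders.
SAMPLES = [
    Datagram("172.16.2.1", "172.16.1.5", 514, "<31>... branch log via tunnel (constructed)"),
    Datagram("172.16.2.1", "172.16.1.5", 514, "<28>... branch log via tunnel (constructed)"),
    Datagram("172.16.1.1", "172.16.1.5", 514, "<31>... HO appliance log (constructed, assumed HO LAN IP)"),
    Datagram("192.168.20.178", "172.16.1.5", 514, "<31>... branch log bypassing tunnel (constructed)"),
    Datagram("10.9.9.9", "172.16.1.5", 514, "<31>... unknown sender (constructed)"),
]

if __name__ == "__main__":
    for name, count in audit(SAMPLES).items():
        print(f"{name:15s} {count}")
```

In practice the Datagram records would be filled from a capture or from the syslog daemon's own source-address field; the classifier itself only needs the addresses from the scenario table, so it can be reused as a one-line health check whenever the tunnel or the NAT rule is changed.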