Connect With Confidence

Astaro Log Management Getting Started Guide

About this Getting Started Guide

To use Astaro Log Management, logs need to be transferred from individual systems to the cloud. This document describes the steps needed to transfer logs from various systems, including Windows, Cisco and Linux, as well as how to enable Log Management on your existing Astaro Security Gateway.

Contents

Enabling Log Management ... 2
Applying a License ... 4
Using Log Management ... 5
  a) The Dashboard ... 6
  b) The Relational Browser ... 7
  c) Charts ... 9
  d) Events ... 10
  e) Devices ... 12
  f) Settings ... 13
  g) Reports ... 15
  h) Search ... 16
How to forward logs ... 17
  a) Windows ... 18
  b) Linux ... 20
  c) Cisco ... 20

Astaro GmbH & Co. KG, a Sophos company
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe
T: +49 721 255 16 0, F: +49 721 255 16 200
www.astaro.com
Enabling Log Management

Astaro Log Management is a service available to all Astaro Security Gateway customers. To enable Log Management on your Astaro Security Gateway (ASG), make sure it is running version 8.203 or above, then open the WebAdmin user interface for managing the Security Gateway. Click Log Management in the left-hand menu, open the Settings submenu, and click the Enable button at the top of the page.
If this is the only Astaro Security Gateway in your organization, continue to the section Using Log Management. If you have multiple Astaro Security Gateways in your organization (branch offices, multiple gateways, dedicated mail security gateways etc.), enable Log Management as described above on one of them, then make a note of the unique identification code and join code displayed in the interface once Log Management has been activated. On each subsequent ASG, simply provide these codes when you enable Log Management. This ensures that the logs of all your devices are centrally collected and analysed, regardless of location. Treat the two codes like a credential: whoever enters them on an ASG attaches that gateway's logs to your Log Management account. For instructions on applying a license and on disabling and enabling devices for logging, see the section Applying a License.
Applying a License

A free trial license is automatically activated when you enable Log Management on an ASG. To install a full license, open WebAdmin, go to the Log Management menu, choose the Settings submenu and open the License Status tab. From this page you can enter the license code and see the status of the current license. If you are sending log data from more devices than your license covers, the Log Management service stops accepting data from the devices that exceed the limit, so check the Devices list after adding new log sources. You select which devices to receive data from in the Devices menu of the Log Management portal; see the section Devices for details.
Using Log Management

As soon as Log Management has been enabled and activated, the WebAdmin interface shows a page like the one pictured here. From then on, all logs from your Astaro Security Gateway are automatically analysed and stored. To send logs from other devices such as servers, workstations and network devices, follow the instructions in the chapter How to forward logs. You manage, search and view all your logs by following the link to the Log Management Portal in WebAdmin (see the picture above). The following sections describe each feature of the Log Management portal and help you get started.
a) The Dashboard

The Dashboard is an overview page. It shows the last week's log volume in a graph as well as the most important events in a scrollable timeline. Clicking an event in the timeline opens the event details, while clicking any point on the graph opens the Charts page zoomed in on that particular time span. The Dashboard also offers two subpages, Search and Relational Browser. Search is simply a link to the central search function, which is also reachable through the search icon in the top right corner; see the chapter Search below for details. The Relational Browser provides a graphical way to navigate the relations between the most important events. It starts by showing you the Top devices, i.e. the devices that have reported the most events in the last 24 hours.
b) The Relational Browser

Clicking one of the devices shows the top events from that device, sorted by priority. Clicking an event in turn shows the variables identified within it, such as user names and IP addresses.
You can then click any of these variables to see the other events that share it. This way you can quickly list, for instance, every event that contains the IP address from the event you were concerned about. It is a very quick way to pivot on variables across systems.
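The pivot described above can be reproduced offline. The following Python script is an added example, not part of the Astaro guide or product: it extracts two variable kinds (IPv4 addresses and user names) from constructed sample events with regular expressions, builds an index from each variable value to the events that contain it, and answers the questions the Relational Browser answers with clicks, namely which devices reported the most events and which events and devices share a given IP address. The event layout, the sample lines, the host names and the regular expressions are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the Astaro portal); each tuple is
# (event_id, device, program, message). Names and addresses are invented.
SAMPLE_EVENTS = [
    (1, "fw01", "sshd", "Failed password for admin from 10.0.0.5 port 51022 ssh2"),
    (2, "fw01", "sshd", "Accepted password for joe from 10.0.0.7 port 51100 ssh2"),
    (3, "web01", "httpd", '10.0.0.5 - - "GET /admin HTTP/1.1" 403'),
    (4, "mail01", "postfix", "connect from unknown[10.0.0.5]"),
    (5, "web01", "sudo", "joe : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Patterns for the user-name variable; each has exactly one capture group.
USER_PATTERNS = [
    re.compile(r"password for (\w+)"),   # sshd: accepted/failed logins
    re.compile(r"USER=(\w+)"),           # sudo: target user
    re.compile(r"^(\w+) : TTY"),         # sudo: invoking user
]


def extract_variables(message):
    """Return the variables found in one message, keyed by kind."""
    found = {"ip": set(IPV4_RE.findall(message)), "user": set()}
    for pattern in USER_PATTERNS:
        for match in pattern.finditer(message):
            found["user"].add(match.group(1))
    return found


def build_index(events):
    """Map every (kind, value) pair to the sorted ids of the events containing it."""
    index = defaultdict(set)
    for event_id, _device, _program, message in events:
        for kind, values in extract_variables(message).items():
            for value in values:
                index[(kind, value)].add(event_id)
    return {key: sorted(ids) for key, ids in index.items()}


def pivot(index, kind, value):
    """All event ids that share one variable value: the relational-browser pivot."""
    return index.get((kind, value), [])


def devices_for(events, index, kind, value):
    """Which devices reported events carrying this value (pivot across systems)."""
    ids = set(pivot(index, kind, value))
    return sorted({device for event_id, device, _p, _m in events if event_id in ids})


def top_devices(events):
    """Devices ordered by event count, most active first, like the browser's start view."""
    counts = defaultdict(int)
    for _event_id, device, _program, _message in events:
        counts[device] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    index = build_index(SAMPLE_EVENTS)
    print("top devices:", top_devices(SAMPLE_EVENTS))
    print("events with 10.0.0.5:", pivot(index, "ip", "10.0.0.5"))
    print("devices touched by 10.0.0.5:", devices_for(SAMPLE_EVENTS, index, "ip", "10.0.0.5"))
```

With the sample data, the address 10.0.0.5 pivots from a failed SSH login on the firewall to a 403 on the web server and a connection to the mail server, which is exactly the cross-system view the browser gives you with three clicks.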
c) Charts

The Charts page shows log volumes over time. Using the drawers on the left, you can filter the view. By selecting a single device (or one or more programs or applications) you quickly get an overview of how the log volume changes over time for specific resources; finding all the error logs from, for instance, the SQL server is just a few clicks away. Clicking a point on the graph zooms in and redraws the graph. Once you reach the minute level, clicking the graph switches to the search view, which reveals all the log messages represented by the graph. This view is also available at any time by clicking View Log Messages in the top right corner.
d) Events

The Events tab offers two views, the event list and the Timeline. The Timeline is an expanded version of the one on the Dashboard. It can be dragged at three depths: hours, days or months. Simply click on the graph and drag your mouse left or right. As on the Charts (Log Volume) page, the drawers on the left dynamically update the Timeline with the filters you specify. Clicking any of the events on the graph shows the logs represented by the event and allows for simple event tracking in the manner of a ticketing system: an event stays in the New category until an operator evaluates it and marks it Accepted or Closed. Clicking the List tab shows the same events as the Timeline, but in list form. The drawers for filtering are the same, and any changes to the drawers carry over from the Timeline to the event list. See the example below.
The list can be sorted by ID, Time, Severity, Owner or Status, and at any time it can be exported to an XML file. You can also search the list of events for specific keywords. Note that this searches the events, not the raw log messages; for those, use the Search function described below.
e) Devices

The Devices tab lists all devices from which log data has been received. Here devices can be renamed (very useful for clarity in reporting, alerting and events). You can also see when a device sent logs for the first time (First Seen) and when its latest log was received (Last Seen), adjust its time offset (to support multiple time zones), and disable it. To disable a device, right-click its name; this stops log processing for the device and frees up a license for use by another device. A device whose Last Seen value stops advancing has silently stopped forwarding, so it is worth checking this column before you need that device's logs. Double-clicking a device opens the live log viewer, as seen here. It shows the device's logs as they arrive in real time, which is useful when troubleshooting a specific device and is the quickest way to confirm that logs are flowing when you set up log forwarding.
f) Settings

In the Settings menu you define the rule set used to analyse the logs and set up and manage users. The rules list shows all available rules and whether each one is active or disabled. Clicking a rule lets you edit its details and change its alerting options: you can be alerted by email every time the rule is triggered, or receive digests every hour, 2 hours, 3 hours, 6 hours, 12 hours or daily. You can also create new rules with the simple rule builder shown below.
The rule details are combined with the operator AND or OR chosen at the top, and you can add as many details as you wish. The other options in the Settings menu relate to user management. You can change your own user settings (email address etc.) and define when you want the weekly report. On the Admin Accounts page you can set up new users (each with their own alerting and report settings) or manage existing ones. Finally, the Settings tab is where you download the Windows agent; see the section Windows under How to forward logs for details on forwarding logs from Windows systems.
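To make the AND/OR semantics of the rule builder and the digest intervals concrete, here is an added Python example. It is not the portal's rule engine: the field names, the two comparison operators and the sample messages are assumptions made for the example. Each rule holds a list of details joined by AND (every detail must match) or OR (any one detail is enough), a disabled rule never fires, and the resulting hits are grouped into digest windows of the chosen length, which is what an hourly or 2-hourly digest delivers.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogMessage:
    when: datetime
    device: str
    program: str
    level: str   # syslog severity name, e.g. "warning" or "err"
    text: str


@dataclass(frozen=True)
class Condition:
    """One rule detail: a field, a comparison and the value to compare with.

    The field names and the operators "equals"/"contains" are assumptions for
    this example; the portal's rule builder may offer a different set.
    """
    field: str   # "device", "program", "level" or "text"
    op: str      # "equals" or "contains"
    value: str

    def matches(self, msg):
        actual = getattr(msg, self.field)
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value.lower() in actual.lower()
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    operator: str      # "AND": every detail must match; "OR": any one is enough
    conditions: tuple
    active: bool = True

    def matches(self, msg):
        if not self.active:
            return False
        results = [c.matches(msg) for c in self.conditions]
        return all(results) if self.operator == "AND" else any(results)


def evaluate(rules, messages):
    """Return (rule name, message) pairs for every message that triggers a rule."""
    return [(rule.name, msg) for msg in messages for rule in rules if rule.matches(msg)]


def digest_windows(hits, interval_hours):
    """Group hits into digest windows of interval_hours, aligned to midnight.

    interval_hours=1 corresponds to the hourly digest, 24 to the daily one.
    """
    windows = {}
    for name, msg in hits:
        start_hour = msg.when.hour - msg.when.hour % interval_hours
        start = msg.when.replace(hour=start_hour, minute=0, second=0, microsecond=0)
        windows.setdefault(start, []).append((name, msg))
    return windows


# Constructed sample messages; devices, addresses and times are invented.
SAMPLE_MESSAGES = [
    LogMessage(datetime(2011, 5, 3, 9, 5), "fw01", "sshd", "warning", "Failed password for admin from 10.0.0.5"),
    LogMessage(datetime(2011, 5, 3, 9, 40), "fw01", "sshd", "warning", "Failed password for root from 10.0.0.5"),
    LogMessage(datetime(2011, 5, 3, 10, 15), "web01", "httpd", "err", "worker process exited on signal 11"),
    LogMessage(datetime(2011, 5, 3, 11, 50), "db01", "mysqld", "crit", "InnoDB: unable to open tablespace"),
    LogMessage(datetime(2011, 5, 3, 11, 55), "db01", "mysqld", "info", "ready for connections"),
]

SAMPLE_RULES = [
    Rule("SSH login failures", "AND", (
        Condition("program", "equals", "sshd"),
        Condition("text", "contains", "failed password"),
    )),
    Rule("Errors on any device", "OR", (
        Condition("level", "equals", "err"),
        Condition("level", "equals", "crit"),
    )),
    Rule("Disabled rule", "OR", (Condition("text", "contains", "ready"),), active=False),
]


if __name__ == "__main__":
    hits = evaluate(SAMPLE_RULES, SAMPLE_MESSAGES)
    for name, msg in hits:
        print(f"{msg.when:%H:%M} {msg.device} -> {name}")
    for start, group in sorted(digest_windows(hits, 2).items()):
        print(f"2-hour digest starting {start:%H:%M}: {len(group)} hit(s)")
```

Note the difference an operator makes: the first rule with OR instead of AND would also fire on every sshd message, including successful logins, which is the most common cause of noisy alerts when rules are built quickly.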
g) Reports

Each user can receive a weekly summary report of recent activity by email; this is configured per user in the Settings tab. Reports give an overview of all devices and the events of the past week, whereas alerts notify you of specific events, typically for single devices. You can also request a report for any given date in the Reports tab: select a date, or pick one of the predefined choices at the top, and the report is generated on the fly. Reports are PDF files and can be saved directly from this view.
h) Search

Search lets you search all the logs ever collected by the Log Management service. Full-text search is available and works much like a web search engine. Typing admin in the search field reveals all log messages containing the word admin; typing admin joe finds all logs containing both admin and joe. The usual operators are supported: - excludes a word (so admin -joe finds all logs containing admin but not joe) and + requires one. The date selector narrows the search to a specific date or time span (the default search window is 24 hours). If you do not change the end date, it is automatically updated to the current date and time, so you can repeat a search without resetting the end date. The drawers allow selection of metadata such as Programs, Devices or Levels. As soon as a selection is made in a drawer (you can select multiple items in each drawer), the search results update to reflect it. Search results can be exported to JSON or XML; for a long list this takes some time, as the complete log contents are exported.
How to forward logs

Logs can be forwarded from almost any network device, including Windows systems, Linux, Unix, Mac OS X, AIX, Astaro Security Gateways, Cisco devices and many more.

Enabling Log Forwarding on the ASG

To send logs from local servers, workstations and network devices, log forwarding must be configured on the ASG so that it accepts logs from the internal network. In the Allowed networks configuration dialogue, add the networks from which client devices will connect to the ASG to deliver their logs. You can also change the port the ASG listens on; it always listens on both TCP and UDP on the specified port. A packet filter rule is created automatically that allows incoming connections on that port (TCP and UDP) from the networks listed in Allowed networks. Keep that list as narrow as possible: plain syslog is neither encrypted nor authenticated, so any host in an allowed network can submit log lines to the ASG.

Sending logs to the ASG

To set up log forwarding from client devices, it is usually enough to consult the device documentation on sending logs in syslog format to a local server. The destination IP is the address of the ASG interface the client is connected to, and the destination port is the one configured above (10101 by default). In the sections below we show how to send logs from Windows devices, Linux servers and some Cisco devices.
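Before pointing production devices at the ASG it is worth sending one known test message and watching for it in the live log viewer (Devices tab). The following Python script is an added example, not an Astaro tool: it builds an RFC 3164 syslog line with the correct PRI value (facility * 8 + severity), sends it to the ASG over UDP or TCP on the log forwarding port, and includes a helper that shows which severities a Cisco "logging trap" level (used in the Cisco section below) lets through. The address 10.10.10.10 is this guide's placeholder for the ASG, the tag lmtest is an assumption, and newline-terminated messages are the traditional TCP syslog framing assumed here.

```python
import datetime
import socket

# Facility and severity codes as defined in RFC 3164 / RFC 5424.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

DEFAULT_PORT = 10101  # the ASG default from this guide; change it if you changed it in WebAdmin


def pri(facility, severity):
    """PRI value as defined in RFC 3164: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(message):
    """Return (facility name, severity name) from the <PRI> prefix of a message."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("message has no <PRI> prefix")
    value = int(message[1:message.index(">")])
    facility_code, severity_code = divmod(value, 8)
    facility = next(name for name, code in FACILITIES.items() if code == facility_code)
    severity = next(name for name, code in SEVERITIES.items() if code == severity_code)
    return facility, severity


def build_message(facility, severity, hostname, tag, text, when=None):
    """Format a BSD syslog (RFC 3164) line: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG."""
    when = when or datetime.datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded per RFC 3164
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"


def passes_trap(trap_level, severity):
    """True if a Cisco device configured with 'logging trap <trap_level>' sends this severity.

    The trap level is the least urgent severity still forwarded, so 'logging trap 6'
    sends emerg (0) through info (6) and drops debug (7).
    """
    return SEVERITIES[severity] <= trap_level


def send(message, host, port=DEFAULT_PORT, proto="udp", timeout=5.0):
    """Send one message to the ASG over UDP or TCP; returns the number of bytes written."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    elif proto == "tcp":
        # Traditional TCP syslog framing: one message per line.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(data + b"\n")
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return len(data)


if __name__ == "__main__":
    import sys
    asg_ip = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"  # placeholder from the guide
    msg = build_message("local0", "notice", socket.gethostname(), "lmtest",
                        "Log Management forwarding test")
    for proto in ("udp", "tcp"):
        print(f"{proto}: sent {send(msg, asg_ip, proto=proto)} bytes: {msg}")
```

Run it as python3 lmtest.py <asg-ip> from a host inside one of the Allowed networks; the message should appear within seconds in that host's live log viewer. If the UDP copy arrives but the TCP one does not (or the other way round), the Allowed networks entry or a filter between the host and the ASG is blocking one of the two transports.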
a) Windows

Astaro provides a lightweight agent that can be installed on Windows systems to transfer all Windows Event Logs to Astaro Log Management. Almost all Windows versions are supported:
- Windows 2000 Professional, Windows XP, Windows Vista and Windows 7 (32-bit and 64-bit)
- Windows 2000 Server, 2003 Server, 2003 R2, 2008 and 2008 R2 (32-bit and 64-bit editions)

The Windows agent can be downloaded from the Log Management portal, which is reachable from the ASG WebAdmin interface: go to Settings, Download and download the agent directly. To install the agent, double-click the downloaded executable. The window shown here appears; click Next.
In the next window, select the destination folder and click Next. The agent is now installed and the final screen confirms it. That is it: no configuration is needed, and you should now see logs coming in from your Windows system. To install it on another Windows machine, run the installer again.

The client connects to the placeholder address 1.2.3.4. Every ASG on the client's default route that has Log Management turned on and log forwarding enabled intercepts that connection and accepts the log data. If the ASG is not on the client's default route, you need to point the agent at the ASG's real address instead, either by editing the registry key HKLM\SOFTWARE\Wow6432Node\Astaro\Log Management Client (on 32-bit Windows, which has no Wow6432Node, look under HKLM\SOFTWARE\Astaro instead) or by placing a configuration file in the client's installation folder and restarting the agent. The configuration file is a text file named config.txt containing the two lines ip=<ip> and port=<tcp-port> (no spaces, one setting per line); the agent writes these values into the registry and then deletes the file.
b) Linux

On most Linux systems, follow these steps:

- Edit /etc/syslog.conf (or /etc/rsyslog.conf, or a file in /etc/rsyslog.d/, on distributions that use rsyslog) and add this line:

  *.* @10.10.10.10:10101

  where 10.10.10.10 is replaced by the IP address of your ASG (shown in the ASG WebAdmin under Log Management). 10101 is the default port number and must be included; the port can be changed in WebAdmin. A single @ sends over UDP; rsyslog also accepts @@ for TCP, and the ASG listens on both.

- Ensure that syslogd is enabled and running. The following lines are for BSD-style systems (they belong in /etc/rc.conf, which is sourced by sh, so there must be no spaces around the = sign); add them if they do not exist:

  syslogd_enable="yes"
  syslogd_flags="-s vv"

  On Linux distributions, enable the syslog or rsyslog service with the distribution's service manager instead.

- Restart the syslog daemon: /etc/rc.d/syslogd restart on BSD-style systems, or the equivalent service restart command on your distribution.

For more details, see your distribution's documentation on sending logs to a syslog server.

c) Cisco

Most Cisco switches, routers, IOS devices and PIX firewalls can be configured with the steps below. SSH or telnet to the device and execute the following commands:

  config terminal
  logging timestamp
  logging host 10.10.10.10 transport tcp port 10101
  logging trap 6
  logging on

where 10.10.10.10 is replaced by the IP address of your ASG (shown in WebAdmin under Log Management). logging trap 6 forwards messages of severity 6 (informational) and anything more urgent, i.e. everything except debugging output.

For Cisco VPN Concentrators, use the web user interface:
- Navigate to Configuration > System > Events > Syslog Servers and click Add.
- Enter the IP address of your ASG (10.10.10.10 in this guide's example) and port number 10101, then click Add.
- Navigate to Configuration > System > Events > General.
- Set Severity to Syslog to the desired value (1-5 recommended) and click Apply.
- Click the Save Needed button.

For other devices, consult the device documentation regarding syslog configuration.

Contact

Europe, Middle East, Africa
Astaro GmbH & Co. KG, a Sophos company
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
T: +49 721 255 16 0
emea@astaro.com

The Americas
Astaro Corporation, a Sophos company
3 Van de Graaff Drive, Burlington, MA 01803, USA
T: +1 781-494-5800
americas@astaro.com

Asia Pacific
Astaro Asia, a Sophos company
8 Eu Tong Sen Street, #12-99, The Central, Singapore 059818
T: +65 6227 2700
apac@astaro.com

Japan
Astaro K.K., a Sophos company
22F Shibuya Mark City West, 1-12-1 Dogenzaka, Shibuya-ku, Tokyo 150-0043
T: +81-3-4360-5506
apac@astaro.com