The Security Management Server generates audit logs for the activities performed on its database, such as:
1. Login / Logout
2. Object Manipulation (Create / Modify / Delete)
3. Publishing the Changes
4. Policy Installation
All of the above activities are recorded in the $FWDIR/log/fw.adtlog file on the Management Server.
This article describes how to forward these audit logs from the Management Server to an external syslog server.
1) Add the line below to /etc/rc.d/init.d/cpboot so that the audit logs are also written to /var/log/messages:
fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &
The original content of /etc/rc.d/init.d/cpboot is shown below.
After the change, the content of the file is as follows.
2) Reboot the Management Server for the change to take effect.
3) Configure the remote syslog server on the Management Server with the following commands (the facility used by the logger pipe above is local5, severity info):
> add syslog log-remote-address <IP-address_of_Syslog_Server> level info
> save config
4) Now generate some audit logs on the Management Server: a SmartDashboard login or logout, object manipulation, a publish, or a policy installation.
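As an added example (not part of the original article), the POSIX shell script below applies step 1 without hand-editing the boot script: it appends the forwarding line idempotently, keeps a backup, and verifies that exactly one active copy is present. It takes the file path as an argument and is demonstrated on a constructed stand-in, because the real /etc/rc.d/init.d/cpboot and the fw binary exist only on a Gaia Management Server; it assumes that appending at the end of the script is acceptable (the article's screenshot shows the actual placement).

```shell
#!/bin/sh
# Added example, not from the original article: idempotently add the
# audit-log forwarding line to a cpboot-style script and verify it is
# present exactly once. The path is an argument so the script can be run
# against a constructed copy rather than the live /etc/rc.d/init.d/cpboot.

FORWARD_LINE='fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &'

# count_forward_lines FILE: number of whole lines equal to FORWARD_LINE.
# A commented-out copy ("# fw log ...") does not count, because -x requires
# an exact full-line match. Prints 0 when the file is missing or has no match.
count_forward_lines() {
    n=$(grep -c -x -F -- "$FORWARD_LINE" "$1" 2>/dev/null) || :
    printf '%s\n' "${n:-0}"
}

# add_forwarder FILE: append FORWARD_LINE once, keeping a .bak copy before
# touching a boot script. Returns 0 only if exactly one copy is present
# afterwards, so a duplicate left by an earlier manual edit is reported.
add_forwarder() {
    f=$1
    [ -f "$f" ] || { echo "add_forwarder: no such file: $f" >&2; return 1; }
    if [ "$(count_forward_lines "$f")" -eq 0 ]; then
        cp -p "$f" "$f.bak"
        printf '\n# forward audit log (fw.adtlog) to syslog facility local5\n%s\n' \
            "$FORWARD_LINE" >> "$f"
    fi
    [ "$(count_forward_lines "$f")" -eq 1 ]
}

# Demonstration on a constructed stand-in file (assumption: appending at the
# end of the script is acceptable on the real system).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# constructed stand-in for cpboot\necho "cpboot start"\n' > "$d/cpboot"
    add_forwarder "$d/cpboot"          # first run appends the line
    add_forwarder "$d/cpboot"          # second run is a no-op
    echo "forwarder lines: $(count_forward_lines "$d/cpboot")"   # forwarder lines: 1
    rm -rf "$d"
}

demo
```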
Login / Logout Activity
1) Log in to SmartDashboard with a username and password.
2) The corresponding audit log in the SmartDashboard Logs section is:
3) On the syslog server, this activity appears as:
4) The same when a user logs out of SmartDashboard:
Object Manipulation (Create) & Publish Activity
1) Here, I created a test network object, RK_Test_NW (192.168.17.0/24), in SmartDashboard and published the changes.
2) The corresponding audit log is:
3) On the syslog server, this activity is recorded as:
Policy Installation Activity
1) Installed the Firewall and Threat Prevention policies on my gateway.
2) The audit logs for the policy installation are:
3) On the syslog server, this appears as:
Object Manipulation (Delete) & Publishing Changes
1) Deleted the test network object RK_Test_NW created previously from SmartDashboard and published the changes. The corresponding audit log is:
2) The logs on the syslog server are:
For additional information, feel free to write in the comments section.