Overview

The Security Management Server generates audit logs for the activities performed on its database, such as:

1. Login / Logout

2. Object Manipulation (Create / Modify / Delete)

3. Publishing the Changes

4. Policy Installation

All of the above activities are stored in the $FWDIR/log/fw.adtlog file on the Management Server.

This article describes how to forward the audit logs from the Management Server to an external syslog server.

Procedure

1) Add the line below to /etc/rc.d/init.d/cpboot so that the audit logs are sent to the /var/log/messages file:

fw log -f -t -n -l $FWDIR/log/fw.adtlog|logger -p local5.info -t CP_FireWall &

The original content of /etc/rc.d/init.d/cpboot is shown below:

Image_1

After making the change, the content of this file will be:

Image_2

2) Reboot the Management Server for the change to take effect.

3) Configure the remote syslog server on the Management Server with the following commands:

> add syslog log-remote-address <IP-address_of_Syslog_Server> level info

> save config

Image_3

4) Now generate some audit logs on the Management Server by logging in to and out of SmartDashboard, manipulating objects, publishing the changes and installing policy.
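To show what the pipeline in step 1 actually hands to the syslog server, here is an added example (not code from the article or from Check Point). It builds the BSD-syslog framing that logger produces for -p local5.info -t CP_FireWall (facility 21, severity 6, so the PRI header is <174>), sends the lines over UDP to a loopback listener standing in for the remote syslog server, and decodes them on the receiving side the way a collector or SIEM rule would before filtering on facility and tag. The audit lines, hostname and timestamp are constructed for the example; the page does not show the exact field layout of fw.adtlog records, so only the event types it lists are imitated.

```python
import socket
import threading
from datetime import datetime

# Facility and severity codes from RFC 3164.  The article's
# `logger -p local5.info -t CP_FireWall` selects facility local5 (21)
# and severity info (6); logger encodes both in the PRI header.
FACILITIES = {"local5": 21}
SEVERITIES = {"info": 6}
TAG = "CP_FireWall"                           # the -t value used in the article
FIXED_TIME = datetime(2019, 1, 5, 10, 7, 0)   # constructed timestamp for repeatable output

# Constructed sample lines standing in for the text that
# `fw log -f -t -n -l $FWDIR/log/fw.adtlog` streams; the real field layout
# is not reproduced here, only the kinds of events the article lists.
SAMPLE_AUDIT_LINES = [
    "Operation: Log In; Administrator: admin; Client: SmartDashboard; Status: Success",
    "Operation: Create Object; Object: RK_Test_NW; Type: network; Administrator: admin",
    "Operation: Publish; Administrator: admin; Status: Success",
    "Operation: Install Policy; Policy: Standard; Administrator: admin; Status: Success",
    "Operation: Log Out; Administrator: admin; Client: SmartDashboard",
]


def pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity (local5.info -> 174)."""
    return facility * 8 + severity


def build_syslog_message(line, hostname="mgmt-server", facility="local5",
                         severity="info", tag=TAG, when=None):
    """Produce the BSD-syslog line logger(1) hands to the local syslog daemon
    for one audit record: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day of month is space padded
    return f"<{pri(FACILITIES[facility], SEVERITIES[severity])}>{timestamp} {hostname} {tag}: {line}"


def parse_syslog_message(msg):
    """Decode a BSD-syslog line back into its parts; this is what the receiving
    syslog server or SIEM does before filtering on facility and tag."""
    if not msg.startswith("<") or ">" not in msg:
        raise ValueError("missing PRI header")
    end = msg.index(">")
    p = int(msg[1:end])
    rest = msg[end + 1:]
    timestamp = rest[:15]                         # "Mmm dd hh:mm:ss" is always 15 characters
    hostname, remainder = rest[16:].split(" ", 1)
    tag, message = remainder.split(": ", 1)
    return {"facility": p // 8, "severity": p % 8, "timestamp": timestamp,
            "hostname": hostname, "tag": tag, "message": message}


def is_checkpoint_audit(record):
    """Filter a decoded record the way a collector rule would: keep only
    local5.info messages tagged CP_FireWall."""
    return (record["facility"] == FACILITIES["local5"]
            and record["severity"] == SEVERITIES["info"]
            and record["tag"] == TAG)


def roundtrip_over_udp(lines):
    """Send the encoded lines over UDP to a loopback listener (standing in for
    the remote syslog server) and return the decoded records it received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))               # port 0: let the OS pick a free port
    listener.settimeout(3.0)
    port = listener.getsockname()[1]
    expected = [build_syslog_message(line, when=FIXED_TIME) for line in lines]
    received = []

    def collect():
        while len(received) < len(expected):
            try:
                data, _ = listener.recvfrom(65535)
            except socket.timeout:
                break
            received.append(data.decode())

    worker = threading.Thread(target=collect)
    worker.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        for msg in expected:
            sender.sendto(msg.encode(), ("127.0.0.1", port))
    worker.join()
    listener.close()
    return [parse_syslog_message(m) for m in received]


if __name__ == "__main__":
    for record in roundtrip_over_udp(SAMPLE_AUDIT_LINES):
        print("kept" if is_checkpoint_audit(record) else "dropped", record["message"])
```

On the receiving side, the facility/tag pair is the cheapest way to separate these records from everything else arriving on the syslog port, which matters because the Gaia syslog configuration in step 3 forwards at level info and above, not only the audit lines.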

Login / Logout Activity

1) Log in to SmartDashboard with a username and password.

2) The audit log for this in the SmartDashboard Logs section will be:

Image_4

Image_5

3) On the syslog server, this activity can be seen as:

Image_6

4) The same when a user logs out of SmartDashboard:

Image_7

Image_8

Object Manipulation (Create) & Publish Activity

1) Here, I created a test network object, RK_Test_NW (192.168.17.0/24), in SmartDashboard and published the changes.

Image_9

2) The audit log for this can be seen as:

Image_10

Image_11

Image_12

3) On the syslog server, this activity will be recorded as:

Image_13

Policy Installation Activity

1) Installed the Firewall and Threat Prevention policies on my gateway.

Image_14

2) The audit logs for the policy installation will be:

Image_15

3) On the syslog server, this will be seen as:

Image_16

Object Manipulation (Delete) & Publishing Changes

1) Deleted the test network object RK_Test_NW, which we created previously, from SmartDashboard and published the changes. The audit log for this is:

Image_17

Image_18

Image_19

2) The logs on the syslog server will be:

Image_20

For additional information, feel free to ask in the comments section.

Raghu K
Senior Network Security Engineer at QOS Technology