One of the coolest new features of StoneGate Management Center 5.0 is the ability to define Logging Profiles that receive syslog streams from third-party devices.
The main benefit of this functionality is that such log streams can take part in the centralized log processing that StoneGate Management Center provides: reports, alert escalation, geolocation, and so on.
This post details how to create a Logging Profile that matches the stream generated by a given IP device.
To create a Logging Profile, open the Monitoring section of StoneGate Configuration and expand the submenu Third Party Device – Logging Profile.
The following window appears:
Let’s now create a Logging Profile for the following log stream example:
Please note that in this specific example the fourth log line differs in content from the first three. This will be handled with different Log Patterns within the same Logging Profile.
In the top left corner of the General tab, click the New icon (or press CTRL+N) to create the first Log Pattern.
We need to add the first token to the log pattern; a token is the element that maps a given prefix to a meaningful log field.
Select Log Pattern 1 and click Add to add the token.
From the Field Resolver tab in the bottom left list, click the New icon to add a field resolver.
Edit its properties, select the field Creation Time and specify the date format of the time information (for example, yyyy/MM/dd HH:mm:ss).
Here you can find additional information about time formats.
Drag and drop the Time Resolver field you just created to map it to the StoneGate log field, as shown below:
Now we’ll complete the mapping for the other, simpler fields (source and destination addresses, source and destination ports).
Add four fields via the Add button and map them to the proper fields, selected from the Fields tab in the bottom left corner of the interface, as shown below:
We now need to create another Field Resolver to map the Action field, since it can take different values (stop, allow) and each of them must be mapped accordingly.
Create a new Field Resolver item and name it Action Resolver.
Set the Field to Action and click the Add button twice to insert two Mapping entries.
Map the value Allow to Allow and the value Stop to Discard, as shown below:
Then drag and drop the Action Resolver into the profile main window to add it to the previous five fields.
We also add the field Information Message to collect everything else in the log entry. From the Fields tab, drag Information Message and drop it into the main window.
Last, we need to set the field separator (Prefix) that helps the parser identify the fields.
In our example this prefix is a space, so click the Prefix cell beside every field (except the first) in Log Pattern 1 and type a space. It is represented by a square, as shown below:
This completes the first Log Pattern. Remember that the last log line had fewer fields, in a different order? Let’s add another pattern for it.
Right-click Log Pattern 1 and select Duplicate. Then modify the field order to match the result below:
Finally, we can validate our mapping against the sample log file to check that it matches correctly. Click the Validation tab.
Browse to the sample log file, load it and press Validate.
The integrated validation tool shows how the log data will appear in the StoneGate Log Browser. Check that every sample line is matched by one of the Log Patterns before saving; a line that no pattern matches would not be parsed into fields once the profile is in use.
Click OK to create the Logging Profile. It is now ready to be associated with a third-party device in StoneGate Configuration to start receiving logs.
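As an added illustration (not code from the post or from Stonesoft), the following Python script emulates what the Logging Profile built above does: a Time Resolver, an Action Resolver with its two Mapping entries, a space as the Prefix, two Log Patterns and a Validation pass. The sample stream is constructed here because the post’s own sample is not reproduced, and the field names are assumed placeholders for the entries picked from the Fields tab.

```python
import re
from datetime import datetime

# Constructed sample stream standing in for the post's (unreproduced) example; as
# in the post, line four has fewer fields in a different order (second pattern).
SAMPLE_LOG = """\
2010/03/01 10:15:02 192.0.2.10 198.51.100.5 51234 80 allow HTTP request passed
2010/03/01 10:15:03 192.0.2.11 198.51.100.5 51235 443 stop TLS handshake rejected
2010/03/01 10:15:04 192.0.2.12 198.51.100.9 51236 22 allow SSH session opened
2010/03/01 10:15:05 stop 192.0.2.13 198.51.100.9 daemon restarted"""

# Field Resolvers: the Time Resolver with format yyyy/MM/dd HH:mm:ss and the
# Action Resolver with its two Mapping entries (Allow -> Allow, Stop -> Discard).
def time_resolver(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

ACTION_MAP = {"allow": "Allow", "stop": "Discard"}

def action_resolver(text):
    return ACTION_MAP[text.lower()]  # KeyError on a value with no Mapping entry

# A token is (StoneGate field, pattern of the raw value, resolver). Field names
# are illustrative placeholders for the entries picked from the Fields tab.
TIME = ("Creation Time", r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}", time_resolver)
SRC, DST = ("Src Addr", r"[\d.]+", str), ("Dst Addr", r"[\d.]+", str)
SPORT, DPORT = ("Src Port", r"\d+", int), ("Dst Port", r"\d+", int)
ACTION = ("Action", r"[A-Za-z]+", action_resolver)
INFO = ("Information Message", r".*", str)  # everything else in the entry

PREFIX = " "  # the Prefix typed into every field cell except the first
LOG_PATTERNS = {
    "Log Pattern 1": [TIME, SRC, DST, SPORT, DPORT, ACTION, INFO],
    "Log Pattern 2": [TIME, ACTION, SRC, DST, INFO],  # the duplicated, reordered one
}

def parse_line(line):
    """Try each Log Pattern in order; return (pattern name, fields) or None."""
    for name, tokens in LOG_PATTERNS.items():
        regex = PREFIX.join(f"({value_re})" for _, value_re, _ in tokens)
        match = re.fullmatch(regex, line)
        if match is None:
            continue
        try:
            return name, {f: res(v) for (f, _, res), v in zip(tokens, match.groups())}
        except (KeyError, ValueError):
            continue  # a resolver rejected the value, so this pattern does not apply

def validate(stream):
    """Emulate the Validation tab: one result per line, None for unmatched lines."""
    return [parse_line(line) for line in stream.splitlines()]
```

Running `validate(SAMPLE_LOG)` shows the first three lines parsed by Log Pattern 1 and the fourth by Log Pattern 2; a line with an action that has no Mapping entry comes back as None, which is the case the Validation tab is there to catch.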
Have you succeeded with your preferred device? Please share your experience with us by sending us your Logging Profile!
To export the Logging Profile, right-click it and select Tools… – Export Elements.
Once you have the zip file containing the XML, send it to feedback@stonesoft.com together with a log data sample for validation and inclusion in the StoneBlog Community page.