How do I configure syslog remote logging for an Untangle Firewall - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="this-article-provides-instruction-on-how-to-set-up-and-enable-syslog-forwarding-on-an-untangle-firewall">This article provides instruction on how to set up and enable Syslog forwarding on an Untangle firewall</h2> <h3 data-id="enable-syslog">Enable Syslog</h3> <ol><li>Go to <strong>Config > Events > Syslog</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/I8TPZW9JOTC1/syslog-disabled.jpg" alt="Syslog-Disabled.jpg" class="embedImage-img importedEmbed-img"></img></li> <li>Enable the "Enable Remote Syslog" option.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/IREWMZCZJIXF/syslog-enabled-default.jpg" alt="Syslog-Enabled-Default.jpg" class="embedImage-img importedEmbed-img"></img></li> <li>Configure the Syslog connection: <ul><li>Enter the IP Address of the RocketAgent running the Firewall Analyzer App</li> <li>Keep the default port and protocol (UDP 514)</li> </ul></li> </ol><h3 data-id="create-a-syslog-rule">Create a Syslog Rule</h3> <p>The default rule that is included when you first enable Syslog sends all data in all classes to the remote server. We recommend disabling or deleting the default rule and creating rules that send only the data that you want/need to the RocketAgent.</p> <ol><li>Click the <strong>Add</strong> button. 
You should get a window similar to the one shown below.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/TH7CE9XEP06R/syslog-add-rule.jpg" alt="Syslog-Add-Rule.jpg" class="embedImage-img importedEmbed-img"></img></li> <li>Enter a description for the rule and then click the drop-down menu for <em>Class</em>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/XMJP72SBWEAP/syslog-select-class.jpg" alt="Syslog-Select-Class.jpg" class="embedImage-img importedEmbed-img"></img></li> <li> <em>You can further limit the data sent by adding fields via the Add Field button and selecting the field you want to filter by:</em> <ul><li>Click the <strong>Add Field</strong> button.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/B9XXMIOBJ7IR/syslog-add-field.jpg" alt="Syslog-Add-Field.jpg" class="embedImage-img importedEmbed-img"></img></li> <li>Select the field you want to filter by and then fill in the rest of the filter conditions, similar to the example below.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/KPOXYI7O50JV/syslog-config-field.jpg" alt="Syslog-Config-Field.jpg" class="embedImage-img importedEmbed-img"></img></li> </ul></li> <li>You can also set a threshold on the rule so it only triggers after a certain number of matching events occur:<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/WVO32Z88M2I0/syslog-thresholds.jpg" alt="Syslog-Thresholds.jpg" class="embedImage-img importedEmbed-img"></img></li> <li>Click <strong>Done</strong> in the bottom-right corner of the window and then click <strong>Save</strong> in the main window to apply your new rule.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/PVBQ723O2CBP/syslog-save.jpg" alt="Syslog-Save.jpg" class="embedImage-img importedEmbed-img"></img></li> </ol><p>We require you to create Syslog event rules for the following event classes in Untangle:</p> <ul><li>VirusFtpEvent</li> <li>VirusHttpEvent</li> <li>VirusSmtpEvent</li> <li>AdminLoginEvent</li> 
<li>IntrusionPreventionLogEvent</li> <li>LoginEvent</li> <li>WebFilterEvent</li> <li>SessionEvent</li> <li>OpenVpnEvent</li> <li>OpenVpnStatusEvent</li> <li>TunnelVpnEvent</li> <li>VirtualUserEvent</li> <li>IpsecVpnEvent</li> <li>TunnelVpnStatusEvent</li> </ul><p>For a complete list of event classes, please visit:</p> <p><a href="https://wiki.untangle.com/index.php/Event_Definitions" rel="noopener nofollow">https://wiki.untangle.com/index.php/Event_Definitions</a></p> </article> </main>
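After saving the rules, a capture of what the collector actually receives can be checked against the required class list above. The following is an added example, not part of the original article or of Untangle or Kaseya tooling; it assumes each forwarded message contains its event class name, and the sample lines, the `example.pkg` prefix and `ExampleOtherEvent` are constructed for illustration.

```python
import re
from collections import Counter

# The 14 event classes the article requires syslog rules for.
REQUIRED = {
    "VirusFtpEvent", "VirusHttpEvent", "VirusSmtpEvent", "AdminLoginEvent",
    "IntrusionPreventionLogEvent", "LoginEvent", "WebFilterEvent",
    "SessionEvent", "OpenVpnEvent", "OpenVpnStatusEvent", "TunnelVpnEvent",
    "VirtualUserEvent", "IpsecVpnEvent", "TunnelVpnStatusEvent",
}

# Assumption: the first capitalised token ending in "Event" on a line is the
# class of that message, possibly package-qualified. Matching whole tokens
# keeps AdminLoginEvent from counting as LoginEvent, and OpenVpnStatusEvent
# from counting as OpenVpnEvent.
CLASS_RE = re.compile(r"\b([A-Z][A-Za-z]*Event)\b")


def audit(lines):
    """Return (missing, unexpected, counts) for captured syslog lines."""
    counts = Counter()
    for line in lines:
        match = CLASS_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    seen = set(counts)
    return sorted(REQUIRED - seen), sorted(seen - REQUIRED), counts


# Constructed sample capture; the message layout is illustrative only.
SAMPLE = [
    '<174>Jan 10 10:00:01 fw uvm: {"class":"class example.pkg.SessionEvent"}',
    '<174>Jan 10 10:00:02 fw uvm: {"class":"class example.pkg.SessionEvent"}',
    '<174>Jan 10 10:00:03 fw uvm: {"class":"class example.pkg.AdminLoginEvent"}',
    '<174>Jan 10 10:00:04 fw uvm: {"class":"class example.pkg.OpenVpnStatusEvent"}',
    '<174>Jan 10 10:00:05 fw uvm: {"class":"class example.pkg.ExampleOtherEvent"}',
    "<174>Jan 10 10:00:06 fw uvm: heartbeat",
]

if __name__ == "__main__":
    missing, unexpected, counts = audit(SAMPLE)
    print("received:", dict(counts))
    print("required but not seen yet:", missing)
    print("seen but not required:", unexpected)
```

Classes reported as seen but not required suggest the default send-everything rule is still enabled or a custom rule is broader than intended.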