
Astaro Log Management

Getting Started Guide

GSG v1.2

About this Getting Started Guide

To use Astaro Log Management, logs need to be transferred from individual systems to the cloud. This document describes the steps needed to transfer logs from various systems including Windows, Cisco, and Linux as well as how to enable Log Management on your existing Astaro Security Gateway.

Contents

Enabling Log Management
Applying a License
Using Log Management
a) The Dashboard
b) The Relational Browser
c) Charts
d) Events
e) Devices
f) Settings
g) Reports
h) Search
How to forward logs
a) Windows
b) Linux
c) Cisco
Contact Astaro


Enabling Log Management

Astaro Log Management is a service available to all Astaro Security Gateway customers.

To enable Log Management on your Astaro Security Gateway, make sure you are running version 8.203 or above, and then open the WebAdmin user interface for managing the Security Gateway.


If this is the only Astaro Security Gateway in your organization, you can continue to the section labelled Using Log Management.

If you have multiple Astaro Security Gateways in your organization (branch offices, multiple gateways, dedicated mail security gateways etc.), enable Log Management as described above on one of the Security Gateways, and then make a note of the unique identification code and join code displayed in the interface once Log Management has been activated. Treat the join code like a credential: any gateway that presents it is joined to your account.

On subsequent Astaro Security Gateways, simply provide these codes when you enable Log Management. This will ensure that all your logs are centrally collected and analysed across your devices, regardless of location.


Applying a License

A free trial license is automatically activated when you enable Log Management on an Astaro Security Gateway (ASG).

To install a full license, open WebAdmin and go to the Log Management menu. Choose the Settings submenu, and choose the License Status tab.

From this page you can apply the license code as well as see the status of the current license.

If you are sending log data from more devices than you have a license for, the Log Management system will stop receiving data from the devices that exceed your license limit.


Using Log Management

As soon as Log Management has been enabled and activated, the WebAdmin interface will show a page like this:

After the activation, all logs from your Astaro Security Gateway will automatically be analysed and stored. To send logs from other devices like servers, workstations, network devices etc., please follow the instructions in the chapter “How to forward logs”.

You will be able to manage, search and view all your logs when following the link to the Log Management Portal in WebAdmin (see picture above).


a) The Dashboard

The Dashboard is an overview page. It shows you the last week’s log volume in a graph as well as the most important events in a scrollable timeline.

Clicking an event in the timeline opens the event details, while clicking any point on the graph will open the Charts page and zoom in on that particular time span.

The Dashboard also offers two subpages – search and relational browser.

Search is simply a link to the central search function, also accessible by clicking the search icon in the top right corner. See the Search chapter below for details.

The Relational Browser provides a graphical way to navigate the relations between the most important events.


b) The Relational Browser

The browser displays the variables that make up an event, such as IP addresses, user names or programs. You can click these variables to see other correlating events. This way, you can quickly see all the events that include, for instance, the IP address from the event you were concerned about.


c) Charts

The Charts page shows log volumes over time. Using the drawers on the left, it is possible to filter the view. By selecting a single device (or one or more programs or applications) you can quickly get an overview of how the log volume changes over time for specific resources. Finding all the error logs from the SQL server, for instance, is just a few clicks away.


d) Events

The Events tab reveals two views – the event list and the Timeline. The Timeline is an expanded version of the one on the Dashboard.

The timeline can be viewed at three depths: hours, days, or months. To scroll, simply click on the graph and drag your mouse left or right.

As on the Charts page, the drawers on the left dynamically update the Timeline with the filters you specify. Clicking any of the events on the graph shows the logs represented by the event and allows for simple event tracking in a ticketing system. Events can be Accepted or Closed and remain in the “New” category until an operator evaluates the event.


The list can be sorted by ID, time, Severity, Owner, or Status, and at any time it is possible to export the list to an XML file.


e) Devices

The Devices tab shows a list of all devices from which we have received log data.

From here, the devices can be renamed (this is very useful for clarity in reporting, alerting, and events). It is also possible to see when the device sent logs for the first time (First Seen), when the latest log was received (Last Seen), adjust the time offset (to support multiple time zones) and to disable a device.

Disabling a device is done by right clicking a device name. This will stop log processing for the device and free up a license for use by another device.


f) Settings

In the Settings menu, it is possible to define the rule set being used to analyse the logs, as well as setting up and managing users.

The rules list shows all the available rules and whether each is active or disabled.

By clicking a rule, you can edit the rule details, as well as change alerting options.

You can choose to be alerted by email every time a rule is triggered, or have digests sent out every hour, 2 hours, 3 hours, 6 hours, 12 hours or daily.


A log message matches a rule according to the operator (AND or OR) chosen at the top of the rule, and you can add as many rule details as you wish.

The other options in the Settings menu relate to user management. You can change your own user settings (email address etc.) as well as define when you want the weekly report.

In the Admin Accounts page, you can set up new users (each can define their individual alerting settings, report settings etc) or manage existing users.


g) Reports

Each user can receive a weekly summary report of recent activity by email. This is set up in the Settings tab for each user.

Reports give an overview of all devices and events that have happened over the past week as opposed to alerts which alert you to specific events typically for single devices.

It is also possible to request a report for any given date in the Reports tab. Simply select a date, or choose one of the predefined options at the top, and the report will be generated on the fly.


h) Search

Search allows you to search all the logs ever collected by the Log Management service.

Full-text searching is available and works much like Google searching. Writing “admin” in the search field will reveal all log messages containing the word “admin”. Writing “admin joe” will find all logs containing both the word “admin” and the word “joe”.

You can use the normal operators: “-” excludes a word (so “admin -joe” will find all logs containing “admin” but not “joe”), and “+” is also available.

The date selector allows you to narrow your search to a specific date or time (default search window is 24 hours). If you do not change the end date, it is automatically updated to the current date and time. This allows you to search again and again without needing to update the end date to the current time.

The drawers allow selection of meta data like Programs, Devices or Levels. As soon as a selection is made in the drawers (you can select multiple items in each drawer), the search results will automatically update to reflect the selections.
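As an added example (not the portal's own code), the following Python script implements the query semantics described above, an implicit AND between words and “-word” for exclusion, together with drawer-style filters on device, program and level, and runs them over a handful of constructed log records. The records, the field names and the function names are this example's own assumptions; the semantics of “+” is taken as "word required", which is how the Google-style syntax the guide refers to treats it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LogRecord:
    device: str    # value shown in the Devices drawer
    program: str   # value shown in the Programs drawer
    level: str     # value shown in the Levels drawer (syslog severity name)
    message: str


# Constructed sample records; not real Astaro Log Management data.
SAMPLE = [
    LogRecord("web01", "sshd", "notice", "Accepted publickey for admin from 192.0.2.7"),
    LogRecord("web01", "sshd", "warning", "Failed password for admin from 198.51.100.9"),
    LogRecord("db01", "mssql", "err", "Login failed for user joe. Reason: password mismatch"),
    LogRecord("db01", "mssql", "err", "Login failed for user admin. Reason: account locked"),
    LogRecord("fw01", "ulogd", "info", "admin joe opened session via webadmin"),
]


def parse_query(query):
    """Split a Google-style query into (required, excluded) word sets.

    Plain words and "+word" must all be present; "-word" must be absent.
    A bare "-" or "+" is ignored rather than treated as an operator.
    """
    required, excluded = set(), set()
    for token in query.split():
        if token.startswith("-") and len(token) > 1:
            excluded.add(token[1:].lower())
        elif token.startswith("+") and len(token) > 1:
            required.add(token[1:].lower())
        elif token not in ("-", "+"):
            required.add(token.lower())
    return required, excluded


def words(text):
    """Whole-word tokens with surrounding punctuation stripped, so 'admin.'
    matches the word 'admin' while IP addresses such as 192.0.2.7 stay intact."""
    return {t.strip(".,:;()[]'\"") for t in text.lower().split()}


def search(records, query, devices=None, programs=None, levels=None):
    """Full-text query plus drawer filters; each filter is a set of allowed values."""
    required, excluded = parse_query(query)
    hits = []
    for r in records:
        if devices and r.device not in devices:
            continue
        if programs and r.program not in programs:
            continue
        if levels and r.level not in levels:
            continue
        w = words(r.message)
        if required <= w and not (excluded & w):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for q in ("admin", "admin joe", "admin -joe"):
        print(q, "->", len(search(SAMPLE, q)), "hits")
    # Drawer filters: error-level logs from the SQL server only.
    for r in search(SAMPLE, "failed", devices={"db01"}, levels={"err"}):
        print(r.program, r.message)
```

Matching is whole-word, so “admin” does not match “webadmin”; that mirrors the behaviour the guide describes for full-text search and is what you want when hunting for an account name rather than a substring.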


How to forward logs

Logs can be forwarded from almost any network device, including Windows systems, Linux, Unix, Mac OSX, AIX, Astaro Security Gateways, Cisco devices and many, many more.

Enabling Log Forwarding on the ASG

To send logs from local servers, workstations and network devices, log forwarding must first be configured on the ASG so that it accepts logs from the internal network. In the “Allowed networks” configuration dialogue, add only the networks from which client devices will connect to the ASG to deliver their logs; syslog over UDP carries no authentication, so any host in an allowed network can inject log lines, and the list should be kept as narrow as possible. You can also change the port that the ASG listens on. The ASG will always listen on both TCP and UDP on the specified port.


a) Windows

Astaro provides a lightweight agent that can be installed on Windows systems to transfer all Windows Event Logs to Astaro Log Management.

Almost all Windows versions are supported: Windows 2000 Professional, Windows XP, Windows Vista and Windows 7 (both 32-bit and 64-bit); Windows 2000 Server, 2003 Server, 2003 R2, 2008 and 2008 R2 in both 32-bit and 64-bit editions.

The Windows agent can be downloaded from the Log Management portal, which is accessible from the ASG WebAdmin interface: go to “Settings”, “Download” and download the agent directly.

To install the agent, double-click the executable file you downloaded. In the installer window, select the destination folder and press Next. The agent will then be installed and the installer shows a completion screen.

b) Linux

From most Linux systems, you can follow these steps:

- Edit /etc/syslog.conf and add this line:

*.* @10.10.10.10:10101

(where 10.10.10.10 is replaced by the IP address of your ASG. This can be found in the WebAdmin for the ASG under Log Management. 10101 is the default port number and must be included. This port can be changed in WebAdmin.) On distributions that use rsyslog instead of the classic syslogd, add the same line to /etc/rsyslog.conf or a file under /etc/rsyslog.d/; a single @ forwards over UDP and a double @@ forwards over TCP, which the ASG accepts as well.

- Ensure that syslogd is enabled. On BSD-style systems (the lines below are FreeBSD rc.conf syntax) add these lines to /etc/rc.conf if they do not exist:

syslogd_enable="yes"
syslogd_flags="-s -vv"

- Restart syslogd:

/etc/rc.d/syslogd restart

On Linux distributions using rsyslog, restart it with service rsyslog restart (or systemctl restart rsyslog).

For more details, please see your Linux distribution’s documentation on how to send logs to a syslog server.
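As an added example (not part of the Astaro guide or its agent), the following Python script shows what a forwarding client actually puts on the wire for the configuration above: it builds an RFC 3164 syslog line, sends it over UDP or TCP to the collector (the guide's placeholder 10.10.10.10:10101 is assumed; the ASG accepts both transports on that port), and parses the line the way a receiver would. The loopback receiver, the sample hostname and message, and all function names are this example's own; the facility and severity tables are the subset of RFC 3164 values the example needs.

```python
import re
import socket
import time

# RFC 3164 facility and severity codes (subset needed here).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The guide's placeholder collector; replace with your ASG address. 10101 is the default port.
ASG_HOST = "10.10.10.10"
ASG_PORT = 10101


def pri(facility, severity):
    """PRI value as syslog encodes it: facility * 8 + severity (0..191)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Format a BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    when = when if when is not None else time.localtime()
    # The day is space-padded to two characters ("Mar  5"), as RFC 3164 requires.
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_message(line):
    """Parse one line as a receiver would; None if it is not well-formed."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m or int(m.group("pri")) > 191:
        return None
    p = int(m.group("pri"))
    return {"facility": p // 8, "severity": p % 8, "timestamp": m.group("stamp"),
            "device": m.group("host"), "program": m.group("tag"),
            "pid": m.group("pid"), "message": m.group("msg")}


def send_udp(line, host=ASG_HOST, port=ASG_PORT):
    """One datagram per message, like the '@host:port' forwarding rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def send_tcp(line, host=ASG_HOST, port=ASG_PORT):
    """Newline-delimited framing over TCP, like rsyslog's '@@host:port' rule."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode("utf-8") + b"\n")


def loopback_roundtrip(line):
    """Stand-in for the ASG: receive `line` on a local UDP socket and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(5)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return parse_message(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    msg = build_message("auth", "notice", "web01", "sshd",
                        "Accepted publickey for joe from 192.0.2.7")
    print(msg)
    print(loopback_roundtrip(msg))
    # Against the real ASG (both transports are accepted on the configured port):
    # send_udp(msg); send_tcp(msg)
```

Run it as a script to see the formatted line and the parsed fields; against a real ASG, call send_udp or send_tcp with the default host and port and check that the device appears in the Devices tab. Note that PRI, hostname and program are all client-supplied text, so a collector that trusts them is trusting the sending network, which is why the allowed-networks list on the ASG matters.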

c) Cisco

Most Cisco switches, routers, IOS devices, and PIX firewalls can be configured using the steps below.

SSH or telnet to your device and execute the following commands. On IOS devices:

configure terminal
service timestamps log datetime
logging host 10.10.10.10 transport tcp port 10101
end
write memory

On PIX/ASA firewalls the timestamp and host commands take a different form (the interface name inside is an assumption; use the interface that faces the ASG):

configure terminal
logging timestamp
logging host inside 10.10.10.10 tcp/10101
logging enable
write memory

(where 10.10.10.10 is replaced by the IP address of your ASG. This can be found in the WebAdmin for the ASG under Log Management.)

Where the device is configured through a web interface rather than the CLI, the equivalent steps are:

Navigate to “Configuration” > “System” > “Events” > “General”.
Set Severity to Syslog and choose a value (1-5 recommended).
Click Apply, then click the Save Needed button.

For other devices, please consult your device documentation regarding syslog configuration.

Contact Astaro

Europe, Middle East, Africa
Astaro GmbH & Co. KG, A Sophos company, Amalienbadstr. 41/Bau 52, 76227 Karlsruhe

The Americas
Astaro Corporation, A Sophos company, 3 Van de Graaff Drive, Burlington, MA 01803

Asia Pacific
Astaro Asia, A Sophos company, 8 Eu Tong Sen Street #12-99, The Central

Japan
