
ES 10.0.6, Syslog - you good bro?

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

I'm not really happy with the log management (even having a hard time calling it that) on the E-Mail Security Appliance; downloading logs for further analysis is a joke and no pleasure at all.

But there is syslog for centralized logging, the savior. #SIDENOTE - the developer of rsyslog just lives a few kilometres away from here, go rsyslog :)

And here my story ends abruptly: the ESA is just not sending anything to the syslog server, even with it set to severity level SYSLOG_DEBUG, nothing, nada, nil.

Has anyone configured the ESA to forward information to a syslog server, and what information can be expected? The option "send message details" sounded so compelling.

--Michael@BWC

Category: Email Security Appliances

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Apologies, but I need to bring this up again: anyone using syslog enabled on the ESA?

    --Michael@BWC

  • Halon5Halon5 Enthusiast ✭✭

    Hiya @BWC,

    We'll run up and advise.

    Best, S.

  • Halon5Halon5 Enthusiast ✭✭

    Just struggling with it.. Logging a ticket.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Thanks, wasn't planning to put that burden on you. Was looking for a simple answer like "You're doing it wrong", but it seems it isn't working out of the box.

    --Michael@BWC

  • Halon5Halon5 Enthusiast ✭✭

    Nah,.. it's all good I surely owe you one..

    I liked what I saw at RSYSLOG. I'm messing with GRAYLOG which looks interesting. I'm looking to maybe use something that gives us some better intuition.

    Have you taken any SIEM's for a spin? Are there any you like in particular?

    Steph.

  • Halon5Halon5 Enthusiast ✭✭

    Hey @BWC

    My case raised on this is with the back-end team so I'm guessing they know about it now at least ;) .


    Best, S.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Halon5

    oh, this magic back-end team with all their wisdom, we'll see what they know about syslog. The back-end team for CaptureClient was giving me another task to scratch a CC (which went rogue) from my endpoint.

    Thanks for checking, would be nice to have it working as it's supposed to.

    --Michael@BWC

  • Halon5Halon5 Enthusiast ✭✭
    edited July 2020

    Hey @BWC There is zip coming out of that thing....

    I am talking to tech support right now..

    He had the same issue in his lab...

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Still no syslog in 10.0.7 if anyone wonders.

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    While checking for segfaults in the messages log, I've found this entry for syslog-ng (a syslog daemon). It shows that my own remote syslog server is accepted, but not used?

    Jul 20 17:20:32 esa syslog-ng[965]: Log statistics; processed='source(src)=7257', processed='destination(console_all)=0', processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', processed='destination(messages)=4162', processed='center(received)=7257', processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0' 

    Will check with syslog-ng documentation what that all means.

    --Michael@BWC
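For anyone doing the same check, here is an added example (not from the thread or from SonicWall) that parses a syslog-ng "Log statistics" line like the one above into counters and flags a remote destination that forwarded nothing or whose UDP queue dropped messages. The first sample line is the one quoted above; the second is a constructed "broken" variant to show what a failure looks like.

```python
import re
from typing import Dict, List

# Sample 1: the syslog-ng "Log statistics" line quoted in the post above
# (destination address anonymised as 10.1.x.y, as in the original).
SAMPLE_LINE = ("Jul 20 17:20:32 esa syslog-ng[965]: Log statistics; "
               "processed='source(src)=7257', processed='destination(console_all)=0', "
               "processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', "
               "processed='destination(messages)=4162', processed='center(received)=7257', "
               "processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0'")

# Sample 2: constructed line showing a remote destination that never forwards
# anything and a UDP queue that is dropping messages.
BROKEN_LINE = ("Jul 21 09:00:00 esa syslog-ng[965]: Log statistics; "
               "processed='source(src)=120', processed='destination(dest_10.1.x.y)=0', "
               "processed='destination(messages)=120', "
               "dropped='udp(AF_INET(10.1.x.y:514))=12'")

# Every counter has the shape  metric='object(name)=value'
COUNTER_RE = re.compile(r"(\w+)='([^'=]+)=(\d+)'")


def parse_log_statistics(line: str) -> Dict[str, Dict[str, int]]:
    """Return {metric: {object: value}} for one syslog-ng 'Log statistics' line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng Log statistics line")
    stats: Dict[str, Dict[str, int]] = {}
    for metric, obj, value in COUNTER_RE.findall(line):
        stats.setdefault(metric, {})[obj] = int(value)
    return stats


def check_remote_destinations(stats: Dict[str, Dict[str, int]],
                              prefix: str = "destination(dest_") -> List[str]:
    """Flag remote destinations with zero forwarded messages or any drops."""
    findings: List[str] = []
    for obj, count in stats.get("processed", {}).items():
        if obj.startswith(prefix) and count == 0:
            findings.append(f"{obj}: no messages forwarded")
    for obj, count in stats.get("dropped", {}).items():
        if count > 0:
            findings.append(f"{obj}: {count} messages dropped")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_LINE, BROKEN_LINE):
        print(check_remote_destinations(parse_log_statistics(line)) or ["ok"])
```

In the quoted line the remote destination shows 3095 processed and 0 dropped, so syslog-ng did hand messages to the UDP sink; if the receiving server still sees nothing, the problem lies past this point (network path, port 514 filtering, or the receiver's own config) rather than in syslog-ng's routing.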

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi all,

    I checked again, and it seems that with 10.0.7 a syslog record is created for every successfully processed mail. This is fine, but I'm more interested in the problematic cases, like wrong protocol, wrong addresses etc.

    --Michael@BWC
