AFA Syslog messages

AFA generates Syslog messages for analysis performed, policy changes detected, as well as user login and logout events across ASMS.

Configure Syslog messages for AFA

Configure AFA Syslog message logging in the AFA Administration area for each relevant device.

For more details, see Manage devices.

Configure an external Syslog server for AFA messages

If, while defining Log Collection and Monitoring settings for your device, you add a remote Syslog server that's connected using the root user, AFA automatically performs the initial setup required.

However, if you want to collect logs from a Syslog server with a user other than root, you'll need to perform the following steps yourself (or any equivalent steps your system requires).

Do the following:

  1. Log in to the syslog-ng server as user root.

  2. Run the following command:

    chmod o+x /home/<user>

  3. On the syslog-ng server, open the following file for editing: /etc/syslog-ng/syslog-ng.conf.

  4. Add the following line to the file:

    include "/home/<user>/algosec/syslog_processor/algosec_syslog-ng.conf";

    Where <user> is the name of the user connecting to the syslog-ng server.

    Note: This is the user name you configured in the SSH User Name or User Name field when you specified the syslog-ng server. For details, see AFA Syslog messages.

  5. Save your changes to the syslog-ng.conf file.

  6. In AFA, in the Syslog Server Settings dialog, click Test Connectivity to ensure that the connection works.

  7. Click OK and Finish to start the AFA installation process on the syslog-ng server.

  8. Restart the syslog-ng server configuration. Run the following command as user root:

    service syslog-ng restart

Your syslog-ng server is now ready to use with a user other than root.

Note: If the following message appears: Plugin module not found .. module='afsql', ensure that the syslog server is installed and configured correctly.

Note: If you are working with a Check Point Eventia system, you must also install a plug-in before you can view AFA messages in Eventia. For more details, contact Check Point to obtain the plug-in.

AFA syslog message syntax

AFA stores syslog messages locally, in the /var/log/message directory, in CEF (Common Event Format).

Each message starts with a standard syslog prefix, including the event date and time, and the AFA machine name. This prefix is followed by the CEF-standard, bar-delimited message format.

AFA syslog message headers have the following syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|<Event>|<Event>|<Severity>|<Domain>|<Extension>

where:

  • <AFA-Version> is the AFA version string. For example: v6.1-b55
  • <Event> items are readable text that designates the message type.
  • <Severity> is a number from 0 to 7 that varies by message.
  • <Domain> is the domain name or NONE, if domains are not enabled.
  • <Extension> items contain more details in a parameter=value format.
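As an added example (not AlgoSec's code), a Python parser for the AFA message layout described above: it strips the syslog prefix, splits the bar-delimited CEF header while honouring CEF backslash escapes, checks that the severity is in the 0-7 range, maps a NONE domain to no domain, and turns the extension into a parameter=value dictionary. The sample lines, version string, event names, domain and extension keys are constructed for the example.

```python
import re
# Constructed sample lines (not from the page): a syslog prefix (timestamp, AFA
# host name) followed by the CEF body. Vendor/product are the page's; version,
# events, domain and extension values are made up; line 2 exercises \| and \=.
SAMPLE_MESSAGES = [
    "Mar  3 10:15:42 afa-host AFA: CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|"
    "Analysis|Analysis completed|3|NONE|device=fw-edge-01 user=admin",
    "Mar  3 10:16:07 afa-host AFA: CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|"
    "Policy Change|Policy change detected|5|Finance|"
    "device=fw\\|core msg=rule a\\=b added user=auditor",
]
HEADER_FIELDS = ("vendor", "product", "afa_version",
                 "event_id", "event_name", "severity", "domain")
_PREFIX = re.compile(r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) .*?CEF:0\|(?P<cef>.*)$")
_FIELD = re.compile(r"((?:\\.|[^\\|])*)\|")        # one header field up to '|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")

def split_header(cef):
    """Split on unescaped '|' into the 7 AFA header fields; rest is extension."""
    fields, pos = [], 0
    while len(fields) < len(HEADER_FIELDS):
        m = _FIELD.match(cef, pos)
        if not m:
            raise ValueError("truncated CEF header")
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1))); pos = m.end()
    return fields, cef[pos:]

def parse_extension(ext):
    """parameter=value pairs; values may contain spaces and '\\=' escapes."""
    keys, out = list(_EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end])
    return out

def parse_afa_syslog(line):
    """Parse one AFA syslog line into prefix, header and extension fields."""
    m = _PREFIX.match(line)
    if not m:
        raise ValueError("not an AFA CEF syslog line")
    fields, ext = split_header(m.group("cef"))
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["severity"] = int(rec["severity"])
    if not 0 <= rec["severity"] <= 7:            # page: severity is 0-7
        raise ValueError("CEF severity out of range")
    rec["domain"] = None if rec["domain"] == "NONE" else rec["domain"]
    rec.update(timestamp=m.group("timestamp"), host=m.group("host"),
               extension=parse_extension(ext))
    return rec
```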
