How to Configure Syslog policy to segregate App Firewall logs

How to Configure Syslog policy to segregate App Firewall logs

book

Article ID: CTX247887

calendar_today

Updated On:

Description

To redirect the App Firewall logs to a different log file, configure a syslog action to send the App Firewall logs to a different log facility (LOCAL2). Use this action when configuring the syslog policy, and bind it globally for use by App Firewall.

Instructions

Steps to follow:

1) Kill syslogd process using command killall syslogd
2) Modify the /etc/syslog.conf by including this line
#local2.*                                       /var/log/iprep.log
local2.*                                        /var/log/ns.appfw.log

Note: To persist the changes made to this file after reboot, copy the file to /nsconfig/ directory.

3) Create and bind syslog -policy/action as follows

add audit syslogAction locallog <NSIP> -logLevel ALL -logFacility LOCAL2
add audit syslogAction syslogsrv <external syslog server IP> -logLevel ALL
add audit syslogPolicy localpol ns_true locallog
add audit syslogPolicy syslogsrvPol ns_true syslogsrv
bind appfw global localpol 1
bind appfw global syslogsrvPol 2

4) Start the syslog server deamon from shell command: /usr/sbin/syslogd -a *:* -n -v -v -8 -C


Logs from ns.appfw.log:-
# tail -f ns.appfw.log
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73766 0 :  10.x.x.x 127175-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/chrome.png Cookie validation failed for is_cisco_platform <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73767 0 :  10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for startupapp <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73768 0 :  10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for is_cisco_platform <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_REFERER_HEADER 73769 0 :  10.x.x.x 127177-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/ Referer header check failed: referer header URL 'http://10.x.x.x/admin_ui/common/css/ns/ui.css' not in Start URL or closure list <blocked>
 

Powered by Wolken Software