
howto include IPS alerts in syslog stream

seim log ips

5 replies to this topic

#1 Jason Bartlett

Jason Bartlett
  • Members
  • 1 posts

Posted 14 February 2017 - 04:31 PM

We have an external log collector and I have configured the Barracuda to send all logs to an external syslog server in the syslog streaming settings (all for everything). I see normal log data such as firewall accepts/denies on our log server, but I don't see the IPS alerts. I grabbed a packet capture to the syslog server on the firewall console and generated a portscan, which generated an “IPS Warning (TCPIP Port or IP Address Scan) ID = 5000002 severity=3” event on the Threat Scan tab, and saw the equivalent event on the event tab showing layer 3 (boxfw) class 3 (firewall) type 4000 (FW Port Scan Detected), but we did not see this event on the log collector and the event was not in the packet capture. Any thoughts on why that didn’t go out the syslog stream?

 

Thanks for any help!

 

Jason



#2 Rubydraper

Rubydraper
  • Members
  • 1 posts
  • LocationUK

Posted 20 February 2017 - 01:44 AM

I too have this problem, and it may be because of my lack of knowledge that the answer is not known to me. So could anyone please provide the answer on how to include the IPS alerts in the syslog stream? It would be helpful if anyone could help us.



#3 Irenejacob

Irenejacob
  • Members
  • 1 posts
  • LocationLondon

Posted 22 February 2017 - 01:28 AM

I am also interested in the IPS alert system. I need to include it in my system, but the problem is I don't know how to include it. Please help me, along with providing more ideas about it.



#4 smith789

smith789
  • Members
  • 1 posts

Posted 28 September 2018 - 12:05 PM

Thank you for the information



#5 bean545

bean545
  • Members
  • 1 posts

Posted 04 January 2019 - 01:08 AM

I have also faced this issue.



#6 Bernhard Patsch

Bernhard Patsch
  • Barracuda Team Members
  • 119 posts

Posted 04 January 2019 - 09:30 AM

Hello,

 

This question relates to the CloudGen Firewall only.

Please post further questions on this topic to the product-specific forum. Our product experts are more active there and there's a higher chance to get an answer.

 

The Port Scan event ends up in the generic Firewall log. To stream the appropriate log file, open the Syslog Streaming configuration and create a new "Logdata Filter".

In the section "Affected Box Logdata", use "Selection" and add a new entry below. In this entry, use "Firewall-All" and filter for "Security" types.

You can then save the new Logdata filter.

 

Finally, you need to add that filter to the Logdata Stream, so the Firewall knows where to send the stream to.

 

In case you have problems setting up the log streaming, please call our support team.

 

Regards

Bernhard