Firewall Host/syslog question

  • monolithic
    Junior Member
    • May 2009
    • 21

    #1

    Firewall Host/syslog question

    Hey everyone,

    I thought I had this figured out but clearly I don't. I've been scouring the forums and the manual (printed out!) for the last week.

    I have managed to monitor my switches and servers in my disaster data center with no problem.

    Now I'm trying to monitor my firewall (watchguard X1000). It has the option of syslog and snmp traps.

    I haven't been using snmp traps yet but that is my next step. I've been fooling around with SNMP traps and testing and I managed to get it working; however, the things I want to monitor on the firewall are not coming through via SNMP. The interesting stuff is happening in the syslog: which users are VPN'd in, DDoS attacks, etc.

    So basically I want to log this stuff under the firewall host that I have set up in zabbix, however the syslog is getting dumped into the zabbix server syslog and under the zabbix host.

    Is there any way to break this out or have it point to my firewall host instead of the zabbix server, or is there an easier way to associate syslog files with an agentless host (the firewall)?

    Thanks in advance, I really appreciate your help!
  • xs-
    Senior Member
    Zabbix Certified Specialist
    • Dec 2007
    • 393

    #2
    We are doing a similar thing.

    I would advise something like this:
    - Central syslog server (syslog-ng or rsyslog)
    - Use SEC on the syslog server (log analyzer which can execute commands on certain patterns)
    - Have SEC execute zabbix_sender messages for log entries which it finds interesting.

    This can be done for all devices and OSes, without the risk of filling your zabbix database with useless syslog junk.


    • monolithic
      Junior Member
      • May 2009
      • 21

      #3
      Thank you for replying. I'm currently trying to get SNMP trapping working on zabbix and I'm going to use KiwiSyslog on our windows box and get all the firewall logs on there and have that send certain snmp traps on triggers that I set when it has certain information in the syslog files that it collects. Thank you for pointing me in that direction!!!


      • tekknokrat
        Senior Member
        • Sep 2008
        • 140

        #4
        Originally posted by xs-
        This can be done for all devices and OSes, without the risk of filling your zabbix database with useless syslog junk.
        Can you tell me some reasons why not to have the expressions directly in the log[ item?
        This way it also wouldn't junk up the zabbix database.

        Btw. thanks for mentioning SEC, which sounds like a more flexible alternative to the built-in zabbix logwatch. Do you know if it supports outputting the number of expression matches?
        Last edited by tekknokrat; 13-06-2009, 19:09.


        • xs-
          Senior Member
          Zabbix Certified Specialist
          • Dec 2007
          • 393

          #5
          Ok you have a point there, but still.
          Syslog (as in *.*) on most OSes produces a lot of junk (but policy dictates we store it all, yay) which can be quite a lot to handle as 'extra' load for a zabbix server.
          IMO it's better to filter important from junk first, and then pass to zabbix. It doesn't need to be perfect, just basic junk filtering. After that zabbix can do the finer grained filtering on a per item or template basis.

          I don't know if SEC supports this, but I don't believe this is impossible.


          • tekknokrat
            Senior Member
            • Sep 2008
            • 140

            #6
            Originally posted by xs-
            Ok you have a point there, but still.
            Syslog (as in *.*) on most OSes produces a lot of junk (but policy dictates we store it all, yay) which can be quite a lot to handle as 'extra' load for a zabbix server.
            IMO it's better to filter important from junk first, and then pass to zabbix. It doesn't need to be perfect, just basic junk filtering. After that zabbix can do the finer grained filtering on a per item or template basis.

            I don't know if SEC supports this, but I don't believe this is impossible.
            I have just recognised issues with the performance of the agent when using an expression in the item here, and switched to a SEC script which handles the logfile much better.

            The script I use is very simple, but I want to control the conditional logic on the zabbix side:
            Code:
            # SEC rule: fires on every input line matching the pattern (type=Single)
            type=Single
            ptype=RegExp
            pattern=unsuccessful
            desc=Logwatch
            # $0 is the whole matched line. SEC substitutes it before the shell runs the
            # command, so a log line containing a single quote or shell metacharacters
            # would break or alter the command; keep that in mind for untrusted log text.
            action=shellcmd /usr/bin/zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -k trap.matchSCG[unsuccessful] -o '$0'
            ... and so on

