Hello,
thank you for reading this. I am currently evaluating PRTG Network Monitor and am happy with how straightforward the application works, e.g. monitoring websites.
But one important requirement is the monitoring of several Ubiquiti USG-Pro-4 firewalls I manage for several customers, where I especially need to monitor the communication on the WAN port.
The USG supports syslog, and in the past I used Splunk to analyze the logs, which worked quite well, but I was missing a dedicated syslog server. How can I achieve this with PRTG?
E.g.: with the following query I can get the number of "attacks" on the USG (the time period can be defined via the Splunk UI): source="/Volumes/Backup/messages" kernel "WAN_LOCAL-4000" | iplocation SRC | stats count as Total
I would really appreciate it if someone could give me a hint about which way I have to go. Thanks, Florian
Article Comments
Thank you, I already noticed the Syslog Receiver sensor, and it is already working; I already collect the information from the USG. My problem is that I do not know how to analyse the syslog entries and create an alarm if certain things happen.
Florian
Feb, 2018
Did you already check the warning/error filters? You can configure them to interpret certain received messages as such. In order to build a proper filter string, click Show Filters in the top right corner of the table. Then enter the values you want to alert upon in the fields. At the far left, there's Filter with a little gear next to it. It will show you the complete filter string you can use for the warning/error filter definition :)
Kind regards
Stephan Linke, Tech Support Team
Feb, 2018
Thank you for your help, but currently I do not know how to handle this.
For example: I want to get all syslog entries of port scanning attacks run against the USG. Each port scanning attack produces the following syslog entry:
[WAN_LOCAL-4000-D]IN=eth2 OUT= MAC=f0:9f:c2:10:6e:60:d0:6f:82:5e:92:45:08:00 SRC=178.199.26.36 DST=10.0.0.2 LEN=129 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=57809 DPT=6889 LEN=109
- Every port scanning attack syslog entry starts with [WAN_LOCAL-4000-D]
- SRC defines the source of the attack
- DST the destination
- PROTO the protocol
- SPT the source port
- DPT the destination port
The first goal I want to achieve is to get an alarm if, for example, more than 100 [WAN_LOCAL-4000-D] syslog entries are sent by the USG in one minute. It would also be great if I could create my own live graph which counts the number of these syslog entries.
Currently I have a graph for drops, errors, warnings and messages; for monitoring a firewall this is not much information.
Edit:
In the meantime I was able to create the first syslog sensor, which only collects the WAN_LOCAL-4000-D syslog entries; if the number of entries per second exceeds a certain number, a warning is created and later on an error. My problem was that I have to think differently than I am used to from Splunk.
But I have one question regarding this topic:
Is it okay to create multiple syslog sensors, or will this lead to performance issues? I have more than just the USG communicating via syslog.
Thanks, Florian
Mar, 2018
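The log format and the alarm rule Florian describes above ("more than 100 [WAN_LOCAL-4000-D] entries in one minute"), worked through as an added Python example. This is not code from the thread and not PRTG's own filter engine; it shows what such a filter plus threshold has to do: split the kernel message into its fields, count matching entries over a sliding one-minute window, and tally the source addresses that would feed a per-source graph. The rule tag, field names and the one example line come from the post; the BSD syslog header, the hostname "usg" and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# BSD syslog header as assumed here: optional <PRI>, timestamp, host, "kernel:".
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$"
)
# Rule tag such as [WAN_LOCAL-4000-D]: ruleset, rule number, action (A/D/R).
RULE_RE = re.compile(r"^\[(?P<rule>[A-Za-z0-9_]+-[A-Za-z0-9]+-[ADR])\]")
# iptables-style key=value pairs; bare flags such as DF carry no '=' and are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_firewall_msg(msg):
    """Parse the kernel message part; returns None for lines without a rule tag."""
    r = RULE_RE.match(msg)
    if not r:
        return None
    fields = {}
    for key, value in KV_RE.findall(msg[r.end():]):
        fields.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the first
    return {
        "rule": r["rule"],
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
    }


def parse_usg_line(line, year=2018):
    """Parse a full syslog line; the BSD timestamp has no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = parse_firewall_msg(m["msg"])
    if ev is not None:
        ev["ts"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ev


class RateAlarm:
    """Sliding-window counter: feed() is True when more than `threshold` events
    for `rule` fall within the last `window` (the '>100 per minute' rule)."""

    def __init__(self, rule, threshold=100, window=timedelta(minutes=1)):
        self.rule, self.threshold, self.window = rule, threshold, window
        self.recent = deque()  # timestamps of matching events inside the window

    def feed(self, ev):
        if ev["rule"] != self.rule:
            return False
        self.recent.append(ev["ts"])
        while ev["ts"] - self.recent[0] >= self.window:
            self.recent.popleft()  # expire events older than the window
        return len(self.recent) > self.threshold


def analyse(lines, threshold=100):
    """Run the alarm over syslog lines; also tally sources for a per-source graph."""
    alarm = RateAlarm("WAN_LOCAL-4000-D", threshold)
    by_src, first_alarm = Counter(), None
    for line in lines:
        ev = parse_usg_line(line)
        if ev is None or ev["rule"] != alarm.rule:
            continue  # other rules and non-firewall kernel lines do not count
        by_src[ev["src"]] += 1
        if alarm.feed(ev) and first_alarm is None:
            first_alarm = ev["ts"]
    return {"matched": sum(by_src.values()), "first_alarm": first_alarm,
            "top_sources": by_src.most_common(3)}


def make_sample_log():
    """Constructed sample, not real USG output: 120 WAN_LOCAL-4000-D drops from
    three sources within 30 s, plus two lines that must not count."""
    base = datetime(2018, 3, 5, 10, 0, 0)
    scanners = ["178.199.26.36", "203.0.113.7", "198.51.100.9"]
    mac = "f0:9f:c2:10:6e:60:d0:6f:82:5e:92:45:08:00"
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i // 4)).strftime("%b %d %H:%M:%S")
        lines.append(
            f"<4>{ts} usg kernel: [WAN_LOCAL-4000-D]IN=eth2 OUT= MAC={mac} "
            f"SRC={scanners[i % 3]} DST=10.0.0.2 LEN=129 TOS=0x00 PREC=0x00 TTL=55 "
            f"ID=0 DF PROTO=UDP SPT={40000 + i} DPT={6889 + i % 50} LEN=109"
        )
    lines.insert(50, "<4>Mar 05 10:00:12 usg kernel: [WAN_IN-2000-A]IN=eth2 OUT=eth0 "
                     f"MAC={mac} SRC=192.0.2.10 DST=10.0.0.50 PROTO=TCP SPT=443 DPT=51000")
    lines.insert(51, "<6>Mar 05 10:00:12 usg kernel: eth2: link is up")
    return lines


if __name__ == "__main__":
    print(analyse(make_sample_log()))
```

Two details worth carrying over to the PRTG filter: the tag is matched at the start of the kernel message with no space before `IN=`, and the two `LEN=` fields must not be confused (the first is the IP total length, the second the UDP length). A threshold on the rule tag alone tells you the WAN port is being scanned; the per-source tally is what tells you whether it is one scanner or a hundred.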
Florian, you can certainly have multiple Syslog Sensors listening to the same messages. The difference between having one with a very complex filter vs. several, each with a simple filter, should not be that high.
Mar, 2018
Thank you for this information; therefore I do not have to worry about creating multiple syslog receivers.
One last question and then I should be fine with the syslog topic in PRTG: Is there a possibility to access an external syslog server from PRTG? As far as I read in the knowledge base (https://helpdesk.paessler.com/en/support/solutions/articles/59970-export-syslog), there is no real possibility to analyse the syslog entries created by PRTG with an external analysis tool like Splunk, because the syslog data are not accessible. But if I could use an external syslog server and PRTG only reads the entries from there, this problem would be solved.
Thanks, Florian
Mar, 2018
Florian, I'm afraid, though, that PRTG cannot read syslog messages from another syslog server.
Mar, 2018
Hi Florian,
Happy to hear that you like PRTG so far :) Check out the Syslog Receiver Sensor, which acts as a Syslog server within PRTG :) Although it's not as fully featured as Splunk may be.
Kind regards
Stephan Linke, Tech Support Team
Feb, 2018