Hi folks,

I've been trying to set up some Draytek 3900s to send their Syslogs to the PRTG Syslog Sensor. I can get most of the logs through, but it seems to be completely omitting the firewall logs for some reason.

I've tried both with the Syslog sensor set up on the probe device as a sort of catch-all, as well as directly on one of the router devices. I've also changed the Syslog port on one router to 515, mostly to isolate it from other traffic. I have also tried setting the Syslog settings on the Draytek to remote only and "both" (Remote and local), tried changing which entries are sent, but no matter what, my PRTG server doesn't show the Firewall syslog entries.

The sensor itself is set up with just default settings, which to me seems to accept all syslogs, so I'm at a bit of a loss. Has anyone managed to pick up Firewall syslogs from Drayteks using the PRTG syslog sensor?

Cheers! Sean


Article Comments

That's weird - is it actually sending out firewall stuff from the draytek? Like, is there something you could configure to have it omit certain log files?


Dec, 2020 - Permalink

Apologies, having to reply from a different account as apparently I'm not remembering my password correctly and the password reset seems to just loop sending me an email, can't actually reset the password.

Yeah, the Draytek is actually sending out firewall stuff.
Our default Draytek Syslog configuration is as follows:
https://i.imgur.com/65yuXHY.jpg
To verify the firewall entries were being sent, I changed the listening port of PRTG's Syslog to 515 and then loaded up Draytek's Syslog Utility on the same server, monitoring on port 514, as well as enabling the "User" and "Other" syslogs on the Draytek in order to generate more Syslog traffic. All Syslog entries on the Firewall also display in the Draytek Syslog Utility.
Draytek - https://i.imgur.com/1iligJV.jpg
Syslog Util - https://i.imgur.com/OFkNNit.jpg

Then I closed the Syslog Util and reset PRTG back to port 514.
PRTG Syslog Config - https://i.imgur.com/RtnVFFy.jpg
Draytek - https://i.imgur.com/uMgNT2U.jpg
PRTG - https://i.imgur.com/OREdTcp.jpg
As can be seen in the images, it almost looks as though PRTG is receiving the Firewall Syslogs, just in a completely different format, but these are actually the "User" logs. The Draytek appears to omit these User entries if a corresponding Firewall entry is present. Perhaps part of the problem.

If I disable the "User" and "Other" logs, it becomes clear the Firewall entries aren't making their way through.
Draytek - https://i.imgur.com/o0ZQbyC.jpg
PRTG - https://i.imgur.com/JkaEsmP.jpg

However, PRTG will still receive entries for the WAN log and VPN log (when I have it enabled) just fine; it's only the Firewall ones that have problems...


Dec, 2020 - Permalink

Hello there,

Since this seems to be a rather complex issue here, I would ask you to open a support ticket, so we can take a closer look at this.

Of course you can still discuss this with other customers here in the KB.


Kind regards,
Birk Guttmann, Tech Support Team


Jan, 2021 - Permalink

Argh, now I feel silly. The issue was a result of human assumption. The syslog sensor's "Include" filter has a default value of "severity[0-6]" when the sensor is created. I assumed this default value would include everything and then allow me to filter out as required. No. Draytek Firewall syslog entries come through as severity level 7, so they were simply excluded.

As advised by the support team, I removed the "include" rule altogether, so it is now just blank, and everything is coming through, firewall logs and all!


Jan, 2021 - Permalink
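
Added example, not part of the thread and not PRTG's own code: it decodes the standard syslog `<PRI>` header (facility * 8 + severity) and shows why an include rule of `severity[0-6]` silently drops severity 7 (debug) messages while a blank rule keeps them. The sample datagrams, the hostname `router1`, the local0 facility, and the `included()` model of the filter are assumptions constructed for illustration.

```python
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
RANGE_RE = re.compile(r"^severity\[(\d)-(\d)\]$")

# Constructed sample datagrams (not captured from a real device).
SAMPLES = [
    "<134>Jan 12 10:15:01 router1 WAN: WAN1 is up",               # local0.info
    "<135>Jan 12 10:15:02 router1 FIREWALL: pass TCP 192.0.2.10",  # local0.debug
    "<132>Jan 12 10:15:03 router1 VPN: tunnel re-keyed",           # local0.warning
]


def decode_pri(message):
    """Return (facility, severity) from the leading <PRI> of a syslog message."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("message has no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7


def included(message, include_filter):
    """Hypothetical model of the include rule: blank passes everything,
    'severity[a-b]' passes only messages whose severity is in that range."""
    rule = include_filter.strip()
    if not rule:
        return True
    match = RANGE_RE.match(rule)
    if not match:
        raise ValueError("only the severity[a-b] form is modelled here")
    low, high = int(match.group(1)), int(match.group(2))
    return low <= decode_pri(message)[1] <= high


def report(include_filter):
    """List (severity name, kept?) for each sample under the given rule."""
    return [(SEVERITY_NAMES[decode_pri(m)[1]], included(m, include_filter))
            for m in SAMPLES]


if __name__ == "__main__":
    for rule in ("severity[0-6]", ""):
        print(repr(rule), report(rule))
```

Running the same decode over a packet capture of the device's syslog traffic shows which severities it actually emits before an include rule is chosen.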