How can I tell if firewall is connected to the Firewall log analyzer app?
To check if firewall syslog traffic is reaching the syslog server.
1. Navigate to Organization Settings.
2. Navigate to Details and Settings tab > Agent Verbosity section. Change the drop down to Debug then scroll to bottom of the page to save.
3. Restart the Rocketagent in services
4. Access the syslog server machine and navigate to c:\programfiles\rocketagent\logs\syslogsvr file
5. Search for "raw syslog" in the text file. There should be successful binding messages and then entries that identify the firewall and it will register in the RocketCyber portal.
ex.
[2023-01-06][11:30:21][00:00:29] [info] syslogsvr: Binding successful, waiting for log messages on 192.168.1.10:540
[2023-01-06][11:30:21][00:00:29] [debug] syslogsvr: mac_address in send_arp_request is XX:XX:XX:XX:XX:XX
[2023-01-06][11:30:21][00:00:29] [debug] syslogsvr: raw_syslog: <30>device="ABC" date=2023-01-06 time=11:30:25 timezone="EST" .........
[2023-01-06][11:30:21][00:00:29] [debug] syslogsvr: determined is a sophos firewall
[2023-01-06][11:30:21][00:00:29] [debug] syslogsvr: sophos format is sophos_xg
[2023-01-06][11:30:21][00:00:29] [debug] syslogsvr: should_register_firewall - first device allow registration
If the log only reflects "waiting for log messages " and raw syslog traffic does not follow then check the configuration in the firewall to verify setup to send traffic to the syslog machine.
Example:
[info] syslogsvr: Binding successful, waiting for log messages on 192.168.xxxx.xxx:514
For each firewall brand there are a specific set of security events that will populate into the app. Other events not listed are filtered.
If there are events listed that have occurred then check the configuration settings under Syslog Configuration tab. Change the reporting priority lower and increase the max daily results.
Common Problems
- Host-based firewall blocking incoming traffic on the machine. By default, the Firewall Analyzer will configure the Windows Firewall to allow inbound Syslog traffic on the configured ports and protocols. You can verify the rule was created properly by opening the Windows Firewall, Clicking on Advanced, and looking for a rule named RocketCyber Syslog Allow. If you are using another endpoint security product that has a host-based firewall you will need to manually configure it to allow inbound traffic on the configured port and protocol.
- Accidentally putting the Firewall's IP instead of the monitoring device's IP
- Not adding a Syslog forwarding rule on the firewall to send the logs to the Firewall Analyzer
- By default, our filtering removes informational messages that do not require any action on your part. If you want to verify that everything works, try going to the configuration menu and changing the Don't Report Events Lower Than This Priority setting to Info
- If you are using a firewall that allows you to configure the severity level of Syslog events being sent, set severity to info
- If needed, try restarting the agent
One exception to filtering at the severity level is IP Reputation Lookup. Traffic from malicious IPs will display even though it has an Info priority level. This setting can be turned off under the tab for the brand of firewall and toggling to "OFF" - IP reputation lookup