読者です 読者をやめる 読者になる 読者になる

labunix's blog

labunixのラボUnix

Fortigate-80CのログをDebian Wheezyのrsyslogに転送してみる。

■Fortigate-80CのログをDebian Wheezyのrsyslogに転送してみる。

 本来はFortiAnalyzerにログ転送した方が色々出来て楽。
 ただ、自宅NGFWにそこまで出来ないのでrsyslogdにログ転送で代用する。

■Debian WheezyのrsyslogのUDP待ち受けを有効にする。

$ dpkg -l rsyslog | grep ^ii > /dev/null 2>&1 && \
    dpkg -L rsyslog | grep /etc/.*conf
/etc/rsyslog.conf

$ grep -i udp /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

$ sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp6       0      0 :::514                  :::*

■余談ながら、IPv4に制限する。

$ man rsyslogd | grep v4 | sed s/"\. "/"&\n\t"/g
       -4     Causes  rsyslogd  to  listen  to  IPv4  addresses only. 
	 If neither -4 nor -6 is given, rsyslogd listens to all configured

$ grep -v "^\$\|^#" /etc/default/rsyslog 
RSYSLOGD_OPTIONS="-c5 -4"

$  sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp        0      0 0.0.0.0:514             0.0.0.0:*

■syslogを有効にする出力する。
 syslogサーバのIPと送信元IPを入力すれば必要なコンフィグを出すという簡易仕様。

$ w3m -dump \
    "https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/FGT_enable_syslog.sh" \
    > FGT_enable_syslog.sh; \
    chmod +x FGT_enable_syslog.sh

$ ./FGT_enable_syslog.sh 
input syslog server IP, default IP is [172.31.31.254]

input source IP address, default IP is [172.31.31.251


show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting

config log syslogd setting
    set status enable
    set server 172.31.31.254
    set facility syslog
    set source-ip 172.31.31.251
end

show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting

■syslogを無効にするconfigを出力する。
 これは単に1つ目のsyslogサーバの設定を無効にしているだけ。
 実行時のログは残しておきましょう。

$ w3m -dump \
    "https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/FGT_disable_syslog.sh" \
    > FGT_disable_syslog.sh; \
    chmod +x FGT_disable_syslog.sh

■デフォルト無効から、syslogを有効に設定した時の出力

$ echo 'show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting

config log syslogd setting
    set status enable
    set server 172.31.31.254
    set facility syslog
    set source-ip 172.31.31.251
end                     
                       
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
' | ssh -T admin@172.31.31.251 | sed s/".* # "//g | grep -v "^\$"
admin@172.31.31.251s password: 
config log syslogd setting
    set status disable
end
config log syslogd setting
end
status              : disable 
config log syslogd setting
    set status enable
    set server "172.31.31.254"
    set reliable disable
    set port 514
    set csv disable
    set facility syslog
    set source-ip 172.31.31.251
end
config log syslogd setting
    set status enable
    set server "172.31.31.254"
    set facility syslog
    set source-ip 172.31.31.251
end
status              : enable 
server              : 172.31.31.254 
reliable            : disable 
port                : 514
csv                 : disable 
facility            : syslog 
source-ip           : 172.31.31.251

■有効にしたsyslog設定を無効に戻した時の出力

$ echo 'show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting

config log syslogd setting
    set status disable
end                         
                       
show full-configuration log syslogd setting
show log syslogd setting
get log syslogd setting
' | ssh -T admin@172.31.31.251 | sed s/".* # "//g | grep -v "^\$"
admin@172.31.31.251s password: 
config log syslogd setting
    set status enable
    set server "172.31.31.254"
    set reliable disable
    set port 514
    set csv disable
    set facility syslog
    set source-ip 172.31.31.251
end
config log syslogd setting
    set status enable
    set server "172.31.31.254"
    set facility syslog
    set source-ip 172.31.31.251
end
status              : enable 
server              : 172.31.31.254 
reliable            : disable 
port                : 514
csv                 : disable 
facility            : syslog 
source-ip           : 172.31.31.251
config log syslogd setting
    set status disable
end
config log syslogd setting
end
status              : disable 

■Debian Wheezy側でsyslog転送ログを確認
 SNMPとWeb管理画面のログ

$ sudo grep devname= /var/log/syslog | grep "SNMP\|https" | tail -2 | \
    sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXXXXX\n "/g | sed s/" srcip=\| policyid=\| app=\| action="/"\n&"/g
Feb 26 22:58:17 172.31.31.251 date=2015-02-26 time=22:58:17 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
 logid=0001000014 type=traffic subtype=local level=notice vd=root
 srcip=172.31.31.251 srcport=162 srcintf=unknown-0 dstip=172.31.31.254 dstport=162 dstintf="internal" sessionid=309 status=accept
 policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=SNMP proto=17
 app=SNMP duration=548 sentbyte=1670 rcvdbyte=0 sentpkt=20 rcvdpkt=0
Feb 26 23:00:40 172.31.31.251 date=2015-02-26 time=23:00:40 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
 logid=0100032003 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
 action=logout status=success duration=301 reason=timeout msg="Administrator admin timed out on https(172.31.31.254)"

■「fromhost-ip」で絞るだけの設定をしたので、rsyslog.confに以下を追加。

$ grep -A 1 Fortigate /etc/rsyslog.conf
:fromhost-ip, isequal, "172.31.31.251" /var/log/Fortigate-80C.log
& ~

$ sudo /etc/init.d/rsyslog restart && netstat -an | grep :514
[ ok ] Stopping enhanced syslogd: rsyslogd.
[ ok ] Starting enhanced syslogd: rsyslogd.
udp        0      0 0.0.0.0:514             0.0.0.0:*

■欲しい場所「/var/log//Fortigate-80C.log」にログを出力。

$ sudo grep devname= /var/log//Fortigate-80C.log | grep "SNMP\|https" | tail -2 | \
    sed s/"devid=[A-Z0-9]* "/"devid=FGT80CXXXXXXXXXXXX\n "/g | sed s/" srcip=\| policyid=\| app=\| action="/"\n&"/g
Feb 26 23:05:14 172.31.31.251 date=2015-02-26 time=23:05:14 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
 action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(172.31.31.254)"
Feb 26 23:10:16 172.31.31.251 date=2015-02-26 time=23:10:16 devname=FGT-UTM devid=FGT80CXXXXXXXXXXXX
 logid=0100032003 type=event subtype=system level=information vd="root" user="admin" ui=https(172.31.31.254)
 action=logout status=success duration=302 reason=timeout msg="Administrator admin timed out on https(172.31.31.254)"

■以下のコマンドで「/var/log/syslog」には出力されず、
 「/var/log/Fortigate-80C.log」には出力されることを確認。
 Web管理画面にログインすればすぐにログに出ます。

$ watch -d -n 1 '\
  echo "#syslog";sudo tail -1 /var/log/syslog ; \
  echo "#fortilog";sudo tail -1 /var/log/Fortigate-80C.log '