
CLI: Example for Sending Service Logs to a Third-Party Log Host Through the Information Center

This section provides an example for sending service logs to a third-party log host through the information center.

Networking Requirements

As shown in Figure 1, the FW connects to four third-party log servers.

The FW is required to send service logs to the third-party log servers to meet the following requirements:

  • The FW sends all logs that are generated by the POLICY and IPS modules with the severity being Informational to Log server 1. Log server 3 functions as the backup log host of Log server 1.
  • The FW sends all logs to Log server 2. Log server 4 functions as the backup log host of Log server 2.

Figure 1 Networking for outputting service logs to log servers

Configuration Roadmap

This example provides only the FW configuration. For the third-party server configuration, see the third-party log server product document.

The system time must be set correctly during the initial configuration. Changing the system time while the device is running results in incorrect timestamps in historical logs. The time zone of the log server must be the same as that of the FW.

  1. Set the IP addresses for interfaces and add the interfaces to security zones.
  2. Configure a security policy.
  3. Enable the information center.
  4. Name the information channel.
  5. Specify the modules from which logs are output.
  6. Configure log hosts.

Procedure

  1. Set the IP addresses for interfaces and add the interfaces to security zones.

    # Configure an IP address for GE0/0/2.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ip address 172.16.0.1 24
    [FW-GigabitEthernet 0/0/2] quit

    # Add GE0/0/2 to the DMZ.

    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW-zone-dmz] quit

  2. Configure a security policy.

    # Configure a Local-DMZ interzone security policy.

    [FW] security-policy
    [FW-policy-security] rule name local_dmz
    [FW-policy-security-rule-local_dmz] source-zone local
    [FW-policy-security-rule-local_dmz] destination-zone dmz
    [FW-policy-security-rule-local_dmz] destination-address 172.16.0.2 32
    [FW-policy-security-rule-local_dmz] destination-address 172.16.0.3 32
    [FW-policy-security-rule-local_dmz] destination-address 172.16.0.4 32
    [FW-policy-security-rule-local_dmz] destination-address 172.16.0.5 32
    [FW-policy-security-rule-local_dmz] action permit
    [FW-policy-security-rule-local_dmz] quit
    [FW-policy-security] quit

  3. Enable the information center.

    [FW] info-center enable

  4. Name the information channel.

    [FW] info-center channel 6 name loghost1

  5. Specify the modules from which logs are output.

    [FW] info-center source Policy channel loghost log level Informational
    [FW] info-center source IPS channel loghost log level Informational

    By default, the information center sends logs of level 4 or lower (level 0 to level 4). To send logs of a higher level, adjust the log level by setting the level severity parameter. This example uses level Informational, so the information center can send logs of level 6 or lower.

  6. Configure the log host.

    # Configure Log server 1 as the master log server and Log server 3 as the backup log server to receive logs generated by the POLICY and IPS modules. Set the log language to English and use the logging facility local2.

    [FW] info-center loghost 172.16.0.2 channel loghost facility local2 language english
    [FW] info-center loghost 172.16.0.4 channel loghost facility local2 language english

    # Configure Log server 2 as the master log server and Log server 4 as the backup log server. Set the log language to English and use the logging facility local4.

    [FW] info-center loghost 172.16.0.3 channel loghost1 facility local4 language english
    [FW] info-center loghost 172.16.0.5 channel loghost1 facility local4 language english

  7. Enable the function of sending service logs in syslog format.

    [FW] undo dataflow enable

  8. Enable the service functions of each module.

    For details about how to configure intrusion prevention, attack event, and antivirus, see the configuration description of each service module.
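
The facility and level set in steps 5 and 6 can be checked on the log server side through the PRI field of each received syslog message (PRI = facility × 8 + severity). The following Python sketch is an added example, not part of the original document; it assumes the FW encodes facility and level in the standard syslog PRI field, and the sample datagrams are constructed placeholders rather than real FW output.

```python
import re

# Standard syslog numbering (RFC 5424): PRI = facility * 8 + severity.
FACILITY = {18: "local2", 20: "local4"}
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]

# Facility each log host should see, taken from the loghost commands above.
EXPECTED_FACILITY = {
    "172.16.0.2": "local2", "172.16.0.4": "local2",   # Log server 1 / 3
    "172.16.0.3": "local4", "172.16.0.5": "local4",   # Log server 2 / 4
}
MAX_LEVEL = 6  # "log level Informational": levels 0 to 6 are sent
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(raw):
    """Return (facility_number, severity_number) from a raw syslog datagram."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    return divmod(int(m.group(1)), 8)

def check(server_ip, raw):
    """Return a list of problems for one message received on server_ip."""
    try:
        fac, sev = decode_pri(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    name = FACILITY.get(fac, "facility %d" % fac)
    if name != EXPECTED_FACILITY[server_ip]:
        problems.append("%s received %s, expected %s"
                        % (server_ip, name, EXPECTED_FACILITY[server_ip]))
    if EXPECTED_FACILITY[server_ip] == "local2" and sev > MAX_LEVEL:
        problems.append("%s above configured level" % SEVERITY[sev])
    return problems

# Constructed sample datagrams (message bodies are placeholders).
SAMPLES = [
    ("172.16.0.2", "<150>constructed POLICY message"),  # 18*8+6: local2, level 6
    ("172.16.0.3", "<164>constructed message"),         # 20*8+4: local4, level 4
    ("172.16.0.4", "<166>constructed IPS message"),     # local4 on a local2 host
    ("172.16.0.2", "<151>constructed debug message"),   # 18*8+7: local2, level 7
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, raw, check(ip, raw) or "ok")
```

A facility mismatch on a log host usually means the `channel` or `facility` argument of the corresponding `info-center loghost` command differs from the intended one.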

Configuration Scripts

#
 sysname FW
#
 info-center channel 6 name loghost1
 info-center source Policy channel 2 log level Informational
 info-center source IPS channel 2 log level Informational
 info-center loghost 172.16.0.2 facility local2
 info-center loghost 172.16.0.4 facility local2
 info-center loghost 172.16.0.3 channel 6 facility local4
 info-center loghost 172.16.0.5 channel 6 facility local4
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name local_dmz
  source-zone local
  destination-zone dmz
  destination-address 172.16.0.2 32
  destination-address 172.16.0.3 32
  destination-address 172.16.0.4 32
  destination-address 172.16.0.5 32
  action permit
#
return
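
A log host that is configured with `info-center loghost` but missing from the Local-DMZ security policy receives nothing, so it is worth checking the two lists against each other. The following Python audit is an added example, not part of the original document; it assumes, as in this topology, that log hosts are directly connected and that the rule lists explicit `destination-address` entries.

```python
import ipaddress
import re

# Relevant lines of this page's configuration script (trimmed copy).
CONFIG = """\
 info-center loghost 172.16.0.2 facility local2
 info-center loghost 172.16.0.4 facility local2
 info-center loghost 172.16.0.3 channel 6 facility local4
 info-center loghost 172.16.0.5 channel 6 facility local4
interface GigabitEthernet 0/0/2
 ip address 172.16.0.1 255.255.255.0
security-policy
 rule name local_dmz
  source-zone local
  destination-zone dmz
  destination-address 172.16.0.2 32
  destination-address 172.16.0.3 32
  destination-address 172.16.0.4 32
  destination-address 172.16.0.5 32
  action permit
"""

def audit(config):
    """Return {loghost_ip: reason} for log hosts the FW cannot send logs to."""
    hosts = [ipaddress.ip_address(ip) for ip in
             re.findall(r"^\s*info-center loghost (\S+)", config, re.M)]
    # Directly connected subnets from "ip address <addr> <mask>".
    subnets = [ipaddress.ip_network("%s/%s" % (a, m), strict=False) for a, m in
               re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]
    # Destinations permitted by Local-to-DMZ rules.
    permitted = []
    for rule in re.split(r"^\s*rule name ", config, flags=re.M)[1:]:
        if ("source-zone local" in rule and "destination-zone dmz" in rule
                and "action permit" in rule):
            permitted += [ipaddress.ip_network("%s/%s" % (a, m), strict=False)
                          for a, m in re.findall(
                              r"destination-address (\S+) (\d+)", rule)]
    findings = {}
    for host in hosts:
        if not any(host in net for net in subnets):
            findings[str(host)] = "not in a directly connected subnet"
        elif not any(host in net for net in permitted):
            findings[str(host)] = "not permitted by a local-to-dmz rule"
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "all log hosts reachable by policy")
```
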
Copyright © Huawei Technologies Co., Ltd.