CLI: Example for Sending Syslogs in the Default or MTN Format to a Third-Party Log Host
This section provides an example for outputting customized syslogs to a third-party log host through the CLI.
Networking Requirements
As shown in Figure 1, the FW is deployed on the network border. The network environment is as follows:
- The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the intranet access the Internet using the NAT function provided by the FW.
- The DMZ has two eLog servers.
The FW is required to send session information generated when intranet users access the Internet to the eLog servers in the Binary format. The administrator can view and analyze session information on the eLog servers. The log concurrent function is required, so that each log can be sent to both eLog servers.
Configuration Roadmap
This example provides only the FW configuration. For the eLog server configuration, see the eLog server product document.
The system time must be set correctly during the initial configuration. Changing the system time during device running will result in incorrect timestamps in historical logs. The time zone of the log server must be the same as that of the FW.
- Set the IP addresses for interfaces and add the interfaces to security zones.
- Configure security policies.
- Configure a NAT policy.
- Configure routes.
- Configure log hosts.
- Enable the session log function in a security policy.
- Configure the log output format and the source IP address and source port, and enable the log concurrent function.
Procedure
- Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure an IP address for GE0/0/1.
<FW> system-view [FW] interface GigabitEthernet 0/0/1 [FW-GigabitEthernet 0/0/1] ip address 192.168.0.1 24 [FW-GigabitEthernet 0/0/1] quit
# Configure an IP address for GE0/0/2.
[FW] interface GigabitEthernet 0/0/2 [FW-GigabitEthernet 0/0/2] ip address 172.16.0.1 24 [FW-GigabitEthernet 0/0/2] quit
# Configure an IP address for GE0/0/3.
[FW] interface GigabitEthernet 0/0/3 [FW-GigabitEthernet 0/0/3] ip address 1.1.1.1 24 [FW-GigabitEthernet 0/0/3] quit
# Add GE0/0/1 to the Trust zone.
[FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 0/0/1 [FW-zone-trust] quit
# Add GE0/0/2 to the DMZ.
[FW] firewall zone dmz [FW-zone-dmz] add interface GigabitEthernet 0/0/2 [FW-zone-dmz] quit
# Add GE0/0/3 to the Untrust zone.
[FW] firewall zone untrust [FW-zone-untrust] add interface GigabitEthernet 0/0/3 [FW-zone-untrust] quit
- Configure security policies.
# Configure a Trust-Untrust interzone security policy and enable the session log function. The session log function takes effect only when the policy action is set to permit.
[FW] security-policy [FW-policy-security] rule name trust_untrust [FW-policy-security-rule-trust_untrust] source-zone trust [FW-policy-security-rule-trust_untrust] destination-zone untrust [FW-policy-security-rule-trust_untrust] source-address 192.168.0.0 24 [FW-policy-security-rule-trust_untrust] action permit [FW-policy-security-rule-trust_untrust] session logging [FW-policy-security-rule-trust_untrust] quit
Session log packets are not subject to packet filtering. Therefore, you do not need to configure a security policy for session logs. Instead, you need to configure only the preceding security policies.
- Configure a NAT policy.
# Configure NAT address pool 1 and set the mode to PAT. In this example, the public address ranges from 1.1.1.10 to 1.1.1.1.15.
[FW] nat address-group add1 [FW-address-group-add1] mode pat [FW-address-group-add1] section 0 1.1.1.10 1.1.1.1.5 [FW-address-group-add1] route enable [FW-address-group-add1] quit
# Configure a NAT policy.
[FW] nat-policy [FW-policy-nat] rule name policy1 [FW-policy-nat-rule-policy1] source-zone trust [FW-policy-nat-rule-policy1] destination-zone untrust [FW-policy-nat-rule-policy1] source-address 192.168.0.0 24 [FW-policy-nat-rule-policy1] action source-nat address-group add1 [FW-policy-nat-rule-policy1] quit [FW-policy-nat] quit
- Configure routes.
# Configure a default route. In this example, the next hop of the FW to the Internet is 1.1.1.2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 - Configure log hosts.
[FW] firewall log host 1 172.16.0.2 514 [FW] firewall log host 2 172.16.0.3 514
- Set the output format of session logs to Syslog.
[FW] firewall log session log-type syslog - Optional: Set the content format of session logs to be sent in syslog format to MTN.
[FW] firewall log syslog content format mtn The default log format is default when the syslog format is employed to output session logs. To configure session logs in the default format, you do not need to run the preceding command.
To output session logs in MTN format, only parsing by the third-party log server is supported, and IPv6 logs are not supported.
- Configure the third-party log host and view logs on the host.
Configuration Script
# sysname FW # firewall log session multi-host-mode concurrent firewall log host 1 172.16.0.2 9002 firewall log host 2 172.16.0.3 9002 firewall log source 172.16.0.1 6000 # nat address-group add1 0 mode pat route enable section 0 1.1.1.10 1.1.1.1.5 # interface GigabitEthernet 0/0/1 undo shutdown ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet 0/0/2 undo shutdown ip address 172.16.0.1 255.255.255.0 # interface GigabitEthernet 0/0/3 undo shutdown ip address 1.1.1.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/3 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/2 # security-policy rule name trust_untrust session logging source-zone trust destination-zone untrust source-address 192.168.0.0 24 action permit # nat-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 24 action source-nat address-group add1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 # return