CLI: Example for Outputting Customized Syslogs to a Third-Party Log Host
This section provides an example for outputting customized syslogs to a third-party log host through the CLI.
Networking Requirements
As shown in Figure 1, the FW is deployed on the network border. The network environment is as follows:
- The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the intranet access the Internet using the NAT function provided by the FW.
- A third-party log server is deployed in the DMZ.
The FW is required to send session information generated when intranet users access the Internet to the third-party log server in the customized syslog format. The administrator can view and analyze session information on the third-party log server.
Configuration Roadmap
This example provides only the FW configuration. For the third-party log server configuration, see the third-party log server product document.
The system time must be set correctly during the initial configuration. Changing the system time during device running will result in incorrect timestamps in historical logs. The time zone of the log server must be the same as that of the FW.
- Set the IP addresses for interfaces and add the interfaces to security zones.
- Configure security policies.
- Configure a NAT policy.
- Configure routes.
- Configure log hosts.
- Enable the session log function in a security policy.
- Customize the syslog format.
Procedure
- Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure an IP address for GE0/0/1.
<FW> system-view [FW] interface GigabitEthernet 0/0/1 [FW-GigabitEthernet 0/0/1] ip address 192.168.0.1 24 [FW-GigabitEthernet 0/0/1] quit
# Configure an IP address for GE0/0/2.
[FW] interface GigabitEthernet 0/0/2 [FW-GigabitEthernet 0/0/2] ip address 172.16.0.1 24 [FW-GigabitEthernet 0/0/2] quit
# Configure an IP address for GE0/0/2.
[FW] interface GigabitEthernet 0/0/3 [FW-GigabitEthernet 0/0/3] ip address 1.1.1.1 24 [FW-GigabitEthernet 0/0/3] quit
# Add GE0/0/1 to the Trust zone.
[FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 0/0/1 [FW-zone-trust] quit
# Add GE0/0/2 to the DMZ.
[FW] firewall zone dmz [FW-zone-dmz] add interface GigabitEthernet 0/0/2 [FW-zone-dmz] quit
# Add GE0/0/3 to the Untrust zone.
[FW] firewall zone untrust [FW-zone-untrust] add interface GigabitEthernet 0/0/3 [FW-zone-untrust] quit
- Configure security policies.
# Configure a Trust-Untrust interzone security policy and enable the session log function. The session log function takes effect only when the policy action is set to permit.
[FW] security-policy [FW-policy-security] rule name trust_untrust [FW-policy-security-rule-trust_untrust] source-zone trust [FW-policy-security-rule-trust_untrust] destination-zone untrust [FW-policy-security-rule-trust_untrust] source-address 192.168.0.0 24 [FW-policy-security-rule-trust_untrust] action permit [FW-policy-security-rule-trust_untrust] session logging [FW-policy-security-rule-trust_untrust] quit
Session log packets are not subject to packet filtering. Therefore, you do not need to configure a security policy for session logs. Instead, you need to configure only the preceding security policies.
- Configure a NAT policy.
# Configure NAT address pool 1 and set the mode to PAT. In this example, the public address ranges from 1.1.1.10 to 1.1.1.1.5.
[FW] nat address-group add1 [FW-address-group-add1] mode pat [FW-address-group-add1] section 0 1.1.1.10 1.1.1.1.5 [FW-address-group-add1] route enable [FW-address-group-add1] quit
# Configure a NAT policy.
[FW] nat-policy [FW-policy-nat] rule name policy1 [FW-policy-nat-rule-policy1] source-zone trust [FW-policy-nat-rule-policy1] destination-zone untrust [FW-policy-nat-rule-policy1] source-address 192.168.0.0 24 [FW-policy-nat-rule-policy1] action source-nat address-group add1 [FW-policy-nat-rule-policy1] quit [FW-policy-nat] quit
- Configure routes.
# Configure a default route. In this example, the next hop of the FW to the Internet is 1.1.1.2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 - Configure the log host.
[FW] firewall log host 1 172.16.0.2 514 - Configure the source IP address and source port for sending logs.
[FW] firewall log source 172.16.0.1 6666 - Set the session log output format to syslog.
[FW] firewall log session log-type syslog - Customize the output syslog content.You can customize the syslog output format in either expression mode or list mode. These two modes are mutually exclusive. That is, you can select only one mode for a syslog template. The specific configurations are as follows:
- Customizing a syslog in expression mode
- Configure a template for session logs in syslog format and access the template view.
[FW] session-log template test type syslog To also configure URL session logs, configure different templates for session logs and URL session logs.
- Configure a content expression for session logs.
[FW-syslog-template-test] expression message "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport" - If IPv4 and IPv6 session logs share the same expression, run the preceding command once.
- If IPv4 and IPv6 session logs use different expressions, run the preceding command twice. Set the IPv6 session log expression to expression message ipv6 "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport".
- When configuring the URL session log expression, you need to specify the $httptype and $url fields specific to URL session logs, namely, expression message ipv6 "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport $httptype " $url.
- Set the syslog content format to the template format.
[FW] firewall log syslog content format template test
- Configure a template for session logs in syslog format and access the template view.
- Customizing a syslog in list mode
- Configure a template for session logs in syslog format and access the template view.
[FW] session-log template test type syslog - Configure syslog field delimiters.
[FW-syslog-template-test] separate semicolonThe default field delimiters are commas (,).
- Configure the fields the syslog contains and their sequences.
[FW-syslog-template-test] expression ip-version source-ip destination-ip source-port source-nat-ip source-nat-port protocol - Create prefixes for syslog fields.
[FW-syslog-template-test] ip-version prefix-characters ipversion= [FW-syslog-template-test] protocol prefix-characters Protocol= [FW-syslog-template-test] source-ip prefix-characters Source-IP [FW-syslog-template-test] quit
- Set the content format of session logs in syslog format to template.
[FW] firewall log syslog content format template test
- Configure a template for session logs in syslog format and access the template view.
- Customizing a syslog in expression mode
- Configure the third-party log host and view logs on the host.
Configuration Scripts
The following script uses customizing syslogs in list mode as an example.
# sysname FW # firewall log host 1 172.16.0.2 514 firewall log session log-type syslog # nat address-group add1 0 mode pat route enable section 0 1.1.1.10 1.1.1.1.5 # interface GigabitEthernet 0/0/1 undo shutdown ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet 0/0/2 undo shutdown ip address 172.16.0.1 255.255.255.0 # interface GigabitEthernet 0/0/3 undo shutdown ip address 1.1.1.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/3 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/2 # security-policy rule name trust_untrust session logging source-zone trust destination-zone untrust source-address 192.168.0.0 24 action permit # nat-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 24 action source-nat address-group add1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 # session-log template test type syslog separate semicolon expression ip-version source-ip destination-ip source-port source-nat-ip source-nat-port protocol ip-version prefix-characters ipversion= protocol prefix-characters Protocol= source-ip prefix-characters Source-IP firewall log syslog content format template test # return