Connecting to SWA or Another Syslog Server

The SmartWall Central Management Server (CMS) collates syslog messages from the SmartWall devices in your network and then it can send a summarized version of that information on to SmartWall SecureWatch Analytics (SWA), where the messages are used to produce real-time and historical analytics.

Before the SWA can display information, you must set up the CMS to forward syslog messages to the SWA. You can also configure the CMS to forward the syslog messages to other applications that process syslog messages.

Tip: For information on specific fields, tables, or buttons in the Web UI, see the Analytics & Syslog Screen reference topic. See information on Address Groups to learn more about IP reporting.

To connect to an Analytics or Syslog Server

  1. Use the left-hand menu to navigate to System > Analytics & Syslog. Make sure the SERVERS tab is selected.
  2. Click Add Server at one of the following tables:
    • Analytics Servers – For SWA applications
    • Syslog Servers – For all other applications which process syslog messages
  3. Type a Name for this server. You must only use alphanumerics, spaces, or .-&()_/@:= symbols.
  4. Type the IP Address of the server (or its DNS name).
  5. Enable or Disable Encryption for this server. The CMS and SWA come with self-signed SSL certificates. You can choose to upload signed certificates to the CMS and SWA; see the optional steps below.
  6. Type the Port your server accepts syslog messages on. The default (9997 for unencrypted, 9998 for encrypted) is the correct port for SWA.
  7. Click Save.
  8. If you want to save the new configuration, and push your changes to any affected Defense devices, click . Then, on the pop-up dialog, click Commit to push the changes (alternatively, you can click Discard to discard any uncommitted changes).
  9. Open your server application and check it is now receiving syslog messages.

Tip: On the servers tables in the CMS, you can use the following action buttons to edit or delete a server connection.

Optional: Add a signed certificate to the CMS-SWA connection

By default, the connection between the CMS and SWA uses an in-built self-signed certificate. If you want to use a signed certificate, you need to upload a PKCS#12 certificate to both sides of the connection.

  1. Add a signed SSL certificate in the CMS side of the connection:
    1. Use the left-hand menu to navigate to System > Analytics & Syslog.
    2. Open the SSL CERTIFICATE tab.
    3. Click Upload Certificate.
    4. Select a PKCS#12 certificate file on your computer, and click Open.
    5. (Optional) Type in the Password for the certificate file.
    6. Click OK.
    7. If necessary, refresh the browser to ensure the new certificate has been loaded.
    8. If you want to save the new configuration, and push your changes to any affected Defense devices, click . Then, on the pop-up dialog, click Commit to push the changes (alternatively, you can click Discard to discard any uncommitted changes).
  2. Add a signed certificate to the part of the SWA that receives information from CMS:
    1. Access the SWA pCLI:
      • Open a console session. On an ESXi server, you can use VMware (select the VM and click Open Console) or on a KVM server you can use virsh (command: virsh console <vmName>).
      • SSH to the pCLI: ssh -p 2222 admin@<ipAddress>
    2. Log in. If you haven't yet changed them, the default username and password are admin/smartwall.
    3. To load a certificate, type ssl-certificates forwarder followed by the URI of the PKCS#12 format certificate file. The supported protocols are FTP, SFTP, HTTP, and HTTPS. For example: ssl-certificates forwarder sftp://admin@10.20.30.40/certs/my_cert.p12
    4. You will be prompted for a password to access the file location. If you password-protected the PKCS#12 file, you will also be prompted for that password.

Note: The certificate must be in PKCS#12 format, and include the private key, the signed certificate, and the CA certificate chain to be used for SSL. The common name should match the hostname assigned to the SWA appliance.
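The note above lists three things a bundle must carry. The following shell script, an added example that is not part of the SmartWall documentation or product, checks a PKCS#12 file for all three before you upload it, using only the openssl command-line tool. The test CA, the hostname swa.example.test, the file names and the password "secret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SmartWall docs): sanity-check a PKCS#12 bundle
# before uploading it to the CMS or loading it on the SWA forwarder.
# Requires the openssl command-line tool.
set -eu

# check_p12 FILE PASSWORD HOSTNAME
# Succeeds only if FILE contains a private key, an end-entity certificate whose
# common name equals HOSTNAME, and at least one CA certificate (the chain).
check_p12() {
  p12=$1; pw=$2; host=$3; rc=0
  # 1. The private key must be inside the bundle.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then
    echo "$p12: no private key (or wrong password)"; rc=1
  fi
  # 2. The common name of the end-entity certificate must match the SWA hostname.
  cn=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
       | openssl x509 -noout -subject -nameopt sep_multiline,lname 2>/dev/null \
       | sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$host" ]; then
    echo "$p12: CN '$cn' does not match '$host'"; rc=1
  fi
  # 3. The CA chain: -cacerts prints only the issuer certificates in the bundle.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null \
       | grep -q 'BEGIN CERTIFICATE'; then
    echo "$p12: no CA certificate chain"; rc=1
  fi
  return $rc
}

# Constructed throwaway CA and two bundles so the check can run offline.
WORK=$(mktemp -d)
cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=swa.example.test" \
  -keyout swa.key -out swa.csr 2>/dev/null
openssl x509 -req -days 2 -in swa.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out swa.crt 2>/dev/null
# good.p12 carries key + leaf + CA; nochain.p12 omits the CA (a common mistake).
openssl pkcs12 -export -inkey swa.key -in swa.crt -certfile ca.crt \
  -passout pass:secret -out good.p12
openssl pkcs12 -export -inkey swa.key -in swa.crt \
  -passout pass:secret -out nochain.p12

check_p12 good.p12 secret swa.example.test && echo "good.p12: OK"
check_p12 nochain.p12 secret swa.example.test || echo "nochain.p12: rejected"
```

Run it against your real file as `check_p12 my_cert.p12 '<password>' <swa-hostname>` and fix whatever it reports before uploading to the CMS or the SWA pCLI.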

To configure syslog message settings

Note: The configuration of syslog message settings in the CMS applies to all syslog and analytics servers.

The CMS analyzes sample packets from the traffic flow to detect attacks and trigger rules. The CMS then sends a sample of those packets on to SWA to provide the data for analytics.

There are two types of samples taken by the CMS:

  • sFlow – A sample of all traffic coming into the Defense device. Useful for detecting attacks and seeing your incoming traffic stats.
  • aFlow – A sample of the traffic that the Defense device has allowed through. You can use this to check how well your SmartWall TDS configuration is working to block unwanted packets.

These are used to report on inbound (coming into the internal network) and outbound (leaving the internal network) traffic.

Note: The default syslog message configuration should work for most systems.

  1. Use the left-hand menu to navigate to System > Analytics & Syslog.
  2. Select the MESSAGE CONTROLS tab.
  3. You can edit the following options:
    • sFlow Inbound Limit – (Default: 5) Change the maximum number of sample inbound packets, sampled from all traffic types, that the CMS will send every second
    • sFlow Outbound Limit – (Default: 5) Change the maximum number of sample outbound packets, sampled from all traffic types, that the CMS will send every second
    • aFlow Inbound Limit – (Default: 5) Change the maximum number of sample inbound packets, sampled from allowed traffic, that the CMS will send every second
    • aFlow Outbound Limit – (Default: 5) Change the maximum number of sample outbound packets, sampled from allowed traffic, that the CMS will send every second
    • Rule Event Limit – (Default: 5) Change how many security event messages, per rule, the CMS will send to the SWA every second
    • Send Events – (Default: enabled) Choose to send (enabled) or stop sending (disabled) event messages
    • Send Detected Events – (Default: enabled) Choose to send (enabled) or stop sending (disabled) an event message when a rule detects matching traffic (as opposed to blocking matching traffic)
    • Send Logs – (Default: enabled) Choose to send (enabled) or stop sending (disabled) CMS log entries on to the analytics/syslog server
  4. If you want to save the new configuration, and push your changes to any affected Defense devices, click . Then, on the pop-up dialog, click Commit to push the changes (alternatively, you can click Discard to discard any uncommitted changes).