Extreme Dragon

The Extreme Dragon DSM for JSA accepts Extreme events by using either syslog or SNMPv3 to record all relevant Extreme Dragon events.

To configure your JSA Extreme Dragon DSM, use the following procedure:

  1. Create an Alarm Tool policy by using a Syslog notification rule. See Creating a Policy for Syslog.

  2. Configure the log source within JSA. See Syslog Log Source Parameters for Extreme Dragon.

  3. Configure Dragon Enterprise Management Server (EMS) to forward syslog messages. See Configure the EMS to Forward Syslog Messages.

Creating a Policy for Syslog

This procedure describes how to configure an Alarm Tool policy by using a syslog notification rule in the Log Event Extended Format (LEEF) message format.

LEEF is the preferred message format for sending notifications to Dragon Network Defense when the notification rate is high or when IPv6 addresses are displayed. If you do not want to use syslog notifications in LEEF format, refer to your Extreme Dragon documentation for more information.

To configure Extreme Dragon with an Alarm Tool policy by using a syslog notification rule:

  1. Log in to the Extreme Dragon EMS.

  2. Click the Alarm Tool icon.

  3. Configure the Alarm Tool Policy:

    In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy.

    The Add Alarm Tool Policy window is displayed.

  4. In the Add Alarm Tool Policy field, type a policy name.

    For example:

    JSA

  5. Click OK.

  6. In the menu tree, select JSA.

  7. To configure the event group:

    Click the Events Group tab.

  8. Click New.

    The Event Group Editor is displayed.

  9. Select the event group or individual events to monitor.

  10. Click Add.

    A prompt is displayed.

  11. Click Yes.

  12. In the right column of the Event Group Editor, type Dragon-Events.

  13. Click OK.

  14. Configure the Syslog notification rule:

    Click the Notification Rules tab.

  15. Click New.

  16. In the name field, type JSA -RuleSys.

  17. Click OK.

  18. In the Notification Rules pane, select the newly created JSA -RuleSys item.

  19. Click the Syslog tab.

  20. Click New.

    The Syslog Editor is displayed.

  21. Update the following values:

    • Facility: Using the Facility list, select a facility.

    • Level: Using the Level list, select notice.

    • Message: Using the Type list, select LEEF.

    The LEEF message format separates the header fields with a pipe (|) delimiter between each keyword.

  22. Click OK.

  23. Verify that the notification events are logged as separate events:

    Click the Global Options tab.

  24. Click the Main tab.

  25. Make sure that Concatenate Events is not selected.

  26. Configure the alarm information:

    Click the Alarms tab.

  27. Click New.

  28. Type values for the parameters:

    • Name: Type JSA -Alarm.

    • Type: Select Real Time.

    • Event Group: Select Dragon-Events.

    • Notification Rule: Select the JSA -RuleSys check box.

  29. Click OK.

  30. Click Commit.

  31. Navigate to the Enterprise View.

  32. Right-click on the Alarm Tool and select Associate Alarm Tool Policy.

  33. Select the newly created JSA policy. Click OK.

  34. In the Enterprise menu, right-click the policy and select Deploy.

    You are now ready to configure a syslog log source in JSA.

Syslog Log Source Parameters for Extreme Dragon

If JSA does not automatically detect the log source, add an Extreme Dragon log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Extreme Dragon:

Table 1: Syslog Log Source Parameters for the Extreme Dragon DSM

  Parameter               Value
  Log Source type         Extreme Dragon Network IPS
  Protocol Configuration  Syslog
  Log Source Identifier   Type the IP address or host name for the log source as an identifier for events from your Extreme Dragon devices.

Configure the EMS to Forward Syslog Messages

Starting with Dragon Enterprise Management Server (EMS) v7.4.0 appliances, you must use syslog-ng for forwarding events to a Security and Information Manager such as JSA.

Syslogd has been replaced by syslog-ng in Dragon EMS v7.4.0 and later.

To configure EMS to forward syslog messages, choose one of the following procedures, depending on your EMS version:

Configuring Syslog-ng Using Extreme Dragon EMS V7.4.0 and Later

This section describes the steps to configure syslog-ng in non-encrypted mode to forward syslog messages to JSA. The syslogd procedure for earlier EMS versions is described in the next section.

If you are using encrypted syslog-ng, refer to your Extreme documentation.

Do not run both syslog-ng and syslogd at the same time.

To configure syslog-ng in non-encrypted mode:

  1. On your EMS system, open the following file:

    /opt/syslog-ng/etc/syslog-ng.conf

  2. Configure a Facility filter for the Syslog notification rule.

    For example, if you selected facility local1:

    filter filt_facility_local1 {facility(local1); };

  3. Configure a Level filter for the Syslog notification rule.

    For example, if you selected level notice:

    filter filt_level_notice {level(notice); };

  4. Configure a destination statement for the JSA.

    For example, if the IP address of the JSA is 10.10.1.1 and you want to use syslog port of 514, type:

    destination siem { tcp("10.10.1.1" port(514)); };

  5. Add a log statement for the notification rule:

    log { source(s_local); filter (filt_facility_local1); filter (filt_level_notice); destination(siem); };

  6. Save the file and restart syslog-ng.

    cd /etc/rc.d
    ./rc.syslog-ng stop
    ./rc.syslog-ng start

  7. The Extreme Dragon EMS configuration is complete.

Configuring Syslogd Using Extreme Dragon EMS V7.4.0 and Earlier

If your Dragon Enterprise Management Server (EMS) is using a version earlier than v7.4.0 on the appliance, you must use syslogd for forwarding events to a Security and Information Manager such as JSA.

To configure syslogd, you must:

  1. On the Dragon EMS system, open the following file:

    /etc/syslog.conf

  2. Add a line to forward the facility and level you configured in the syslog notification rule to JSA.

    For example, to define the facility local1 and level notice:

    local1.notice @<IP address>

    Where:

    <IP address> is the IP address of the JSA system.

  3. Save the file and restart syslogd.

    cd /etc/rc.d
    ./rc.syslog stop
    ./rc.syslog start

    The Extreme Dragon EMS configuration is complete.
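The following added example (not part of the original page or the Extreme documentation) shows what the facility and level selection in the notification rule, the syslog-ng filters, and the syslogd selector above decide for an incoming line, and parses the LEEF header and attributes that JSA will see. The sample event, vendor and product strings, event ID and attribute values are constructed; note that syslog-ng level(notice) matches only notice, while the syslogd selector local1.notice also forwards more severe levels.

```python
import re

# Facility and severity codes from RFC 5424 (PRI = facility * 8 + severity).
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def split_pri(line):
    """Decode the '<PRI>' prefix into (facility, level, remainder)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), LEVELS[pri % 8], m.group(2)

def passes_filter(line, facility="local1", level="notice", exact=True):
    """exact=True mirrors syslog-ng 'filter {level(notice);}' (notice only);
    exact=False mirrors the syslogd selector 'local1.notice' (notice and
    every more severe level, i.e. a lower severity number)."""
    fac, lvl, _ = split_pri(line)
    if fac != facility:
        return False
    return lvl == level if exact else LEVELS.index(lvl) <= LEVELS.index(level)

def parse_leef(text):
    """Parse a LEEF 1.0 record: 'LEEF:1.0|Vendor|Product|Version|EventID|attrs',
    pipe-delimited header followed by tab-separated key=value attributes."""
    start = text.find("LEEF:1.0|")
    if start < 0:
        raise ValueError("not a LEEF 1.0 record")
    header = text[start:].split("|", 5)
    if len(header) != 6:
        raise ValueError("truncated LEEF header")
    attrs = dict(pair.split("=", 1) for pair in header[5].split("\t") if "=" in pair)
    return {"vendor": header[1], "product": header[2], "version": header[3],
            "event_id": header[4], "attrs": attrs}

# Constructed sample line in the shape a local1.notice LEEF notification would
# take; PRI 141 = 17 * 8 + 5 (local1, notice). All field values are made up.
SAMPLE_EVENT = ("<141>Mar 10 12:00:00 dragon-ems "
                "LEEF:1.0|Extreme|Dragon|7.4|PORT-SCAN|"
                "src=192.0.2.10\tdst=198.51.100.5\tdstPort=22\tsev=5")

def check_event(line, exact=True):
    """Report whether a line is forwarded and what JSA would parse from it."""
    fac, lvl, rest = split_pri(line)
    result = {"facility": fac, "level": lvl,
              "forwarded": passes_filter(line, exact=exact)}
    if result["forwarded"]:
        result["leef"] = parse_leef(rest)
    return result

if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
```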