kdevmu
Level 7
Message 1 of 8

NS9200 Syslog Format/Sample

Can anyone help me with the syslog samples of NS9200 IPS appliances?

7 Replies
catdaddy
Reliable Contributor
Message 2 of 8

Re: NS9200 Syslog Format/Sample

Moved from Community Support to Network Security Platform (NSP, NIPS, NAC, NTBA) > Discussions

For better exposure and better assistance.

By

Moderator

Cliff
McAfee Volunteer
petermason
Reliable Contributor
Message 3 of 8

Re: NS9200 Syslog Format/Sample

Hi Kdevmu,

What exactly are you trying to do?

Are you trying to send the alert data directly from the sensor to a Syslog server or do you want the NSM manager to forward all alert data to a syslog server?

You can see the default Syslog Message by going to Devices > <DEVICE_NAME> > Setup > Logging > IPS Event Logging

Select the Enable Logging option to see the default message.

Regards

Peter

kdevmu
Level 7
Message 4 of 8

Re: NS9200 Syslog Format/Sample

Hi Peter,

I want to send syslog messages from the NS9200 IPS device to the Syslog-NG server and from there to the SIEM. We have our own custom SIEM where we do basic monitoring of devices. Hence I am looking for the raw syslog format of the NS9200 IPS device, if you can help me with it.

Regards,

Kalpesh

kdevmu
Level 7
Message 5 of 8

Re: NS9200 Syslog Format/Sample

Can anyone please help me with the answer?

Re: NS9200 Syslog Format/Sample

Hi Kalpesh,

From the Manager, you can follow the steps as Peter mentioned above to view the default syslog message.

Here is what I see for our NS9200:

"$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)"

If this has been changed, there is also a button to 'Reset to System Default'.

Regards,

CR.

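The template CR quotes above is the only format specification the thread gives, so the following is an added example (not from the original post, nor McAfee's code) of how the OP's custom SIEM could turn those raw lines into fields. Rather than hard-coding a regex, it derives one from the NSM template string itself, so a customised template from the same Manager page works unchanged. Everything about the syslog framing is an assumption: the `<PRI>` and the BSD-style `Mmm dd hh:mm:ss host` prefix are what a Syslog-NG relay commonly sees, and the page does not say what header the sensor itself emits. The sample lines, sensor name, attack names and result strings are constructed for the example.

```python
import re
from typing import Optional

# Default IPS Event Logging message template, as quoted from the NSM in the
# post above. Each $IV_*$ token is a variable the Manager/sensor substitutes.
DEFAULT_TEMPLATE = (
    "$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ "
    "(severity = $IV_ATTACK_SEVERITY$). "
    "$IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ "
    "(result = $IV_RESULT_STATUS$)"
)

# Assumed sub-patterns for variables with a known shape (the page does not
# document them). Anything not listed is matched as lazy free text delimited
# by the literal text around it, so attack names may contain spaces or colons.
_VAR_PATTERNS = {
    "IV_ATTACK_SEVERITY": r"\d+",
    "IV_SOURCE_PORT": r"\d+",
    "IV_DESTINATION_PORT": r"\d+",
    "IV_SOURCE_IP": r"[0-9A-Fa-f.:]+",       # IPv4 or IPv6 literal (assumption)
    "IV_DESTINATION_IP": r"[0-9A-Fa-f.:]+",
}
_VAR_TOKEN = re.compile(r"\$(IV_[A-Z_]+)\$")
_PRI = re.compile(r"^<(\d{1,3})>")
# RFC 3164-style "Mmm dd hh:mm:ss host " prefix as seen at a syslog relay.
# Whether the sensor itself prepends it is an assumption, so it is optional.
_BSD_HEADER = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile an NSM message template into a regex with one named group per $IV_*$ variable.

    Literal text between variables is escaped verbatim, so a customised template
    (or the 'Reset to System Default' one) can be pasted in unchanged.
    """
    parts, pos = [], 0
    for m in _VAR_TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        parts.append(f"(?P<{name}>{_VAR_PATTERNS.get(name, '.+?')})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_event(line: str, template: str = DEFAULT_TEMPLATE) -> Optional[dict]:
    """Parse one raw syslog line into a flat dict, or return None if it is not an IPS event.

    Strips an optional <PRI> (decoded into facility/severity) and an optional
    BSD timestamp/hostname header, then matches the rest against the template.
    """
    rec = {}
    m = _PRI.match(line)
    if m:
        pri = int(m.group(1))
        rec["syslog_facility"], rec["syslog_severity"] = pri // 8, pri % 8
        line = line[m.end():]
    m = _BSD_HEADER.match(line)
    if m:
        rec["syslog_timestamp"], rec["syslog_host"] = m.group(1), m.group(2)
        line = line[m.end():]
    m = template_to_regex(template).match(line)
    if not m:
        return None
    rec.update(m.groupdict())
    for k in ("IV_ATTACK_SEVERITY", "IV_SOURCE_PORT", "IV_DESTINATION_PORT"):
        rec[k] = int(rec[k])
    return rec


def parse_feed(lines) -> list:
    """Parse a batch of lines, skipping anything that is not an IPS event (noise, status lines)."""
    return [ev for ev in (parse_event(l) for l in lines) if ev is not None]


# Constructed sample input (not real NS9200 output): one line with a full syslog
# header, one bare message with IPv6 endpoints, and one non-event line.
SAMPLE_LINES = [
    "<134>Jun 12 10:15:03 nsm-sensor01 NS9200-DC1 detected Inbound attack "
    "HTTP: Directory Traversal (severity = 7). 203.0.113.45:51234 -> 192.0.2.10:80 "
    "(result = Attack Blocked)",
    "NS9200-DC1 detected Outbound attack DNS: Suspicious TXT Query (severity = 4). "
    "2001:db8::1f:53212 -> 2001:db8:ffff::53:53 (result = Inconclusive)",
    "<134>Jun 12 10:15:04 nsm-sensor01 NS9200-DC1 link state changed",
]

if __name__ == "__main__":
    for ev in parse_feed(SAMPLE_LINES):
        print(ev)
```

The IP sub-pattern is deliberately greedy and the port numeric, so an IPv6 source such as `2001:db8::1f:53212` backtracks to the last colon and splits correctly. If your Manager's template has been edited, pass the exact string from the IPS Event Logging page as `template`; the parser does not depend on the default wording.
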
kdevmu
Level 7
Message 7 of 8

Re: NS9200 Syslog Format/Sample

Thank you CR.

Now the question is, can the NS9200 device send syslogs directly to the external syslog server, or can they only be forwarded by the NSM Manager?

Re: NS9200 Syslog Format/Sample

Hi Kalpesh,

The device may be configured to directly send to Syslog-NG using the page on the manager: 'Devices > <DEVICE_NAME> > Setup > Logging > IPS Event Logging'.

The message on the page reads: "Devices forward all alerts to the Manager, which can be configured to send IPS event notification via syslog, SNMP, SMTP and pager. Use this page to additionally send syslog notification directly from the device."

This page has configuration options that will apply only to this sensor.

If you have multiple devices, and you wish to configure all at once to send to Syslog-NG, navigate to 'Devices > Global > IPS Device Settings > IPS Event Logging' and configure from this page. This will apply to all your sensors.

Finally, if you wish to configure the manager for logging events, go to 'Manage(r) > Setup > Notification > IPS Events > Syslog'. This page will allow you to configure the manager to send events to Syslog-NG, which will reduce load on the sensors.

Please review the Manager Administration Guide, beginning on pg 97 for details of the fields and variables that may be set on each of these pages.

Regards,

CR.
