7 Replies Latest reply on Feb 7, 2017 7:17 AM by ciaranr

    NS9200 Syslog Format/Sample

    kdevmu

      Can anyone help me with the syslog samples of NS9200 IPS appliances?

        • 1. Re: NS9200 Syslog Format/Sample
          catdaddy

Moved from Community Support to Network Security Platform (NSP, NIPS, NAC, NTBA) > Discussions

For better exposure and better assistance.

By Moderator

          1 of 1 people found this helpful
          • 2. Re: NS9200 Syslog Format/Sample
            peter.mason

            Hi Kdevmu,

             

            What exactly are you trying to do?

             

            Are you trying to send the alert data directly from the sensor to a Syslog server or do you want the NSM manager to forward all alert data to a syslog server?

             

            You can see the default Syslog Message by going to Devices > <DEVICE_NAME> > Setup > Logging > IPS Event Logging

             

            Select the Enable Logging option to see the default message.

             

            Regards

             

            Peter

            2 of 2 people found this helpful
            • 3. Re: NS9200 Syslog Format/Sample
              kdevmu

              Hi Peter,

               

I want to send syslog messages from the NS9200 IPS device to the Syslog-NG server and from there to the SIEM. We have our own custom SIEM where we do basic monitoring of devices. Hence I am looking for the raw syslog format of the NS9200 IPS device, if you can help me with it.

               

              Regards,

              Kalpesh

              • 4. Re: NS9200 Syslog Format/Sample
                kdevmu

                Can anyone please help me with the answer?

                • 5. Re: NS9200 Syslog Format/Sample
                  ciaranr

                  Hi Kalpesh,

                   

                  From the Manager, you can follow the steps as Peter mentioned above to view the default syslog message.

                   

                  Here is what I see for our NS9200:

                   

                  "$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)"

                   

                  If this has been changed, there is also a button to 'Reset to System Default'.

                   

                  Regards,

                   

                  CR.

                  3 of 3 people found this helpful
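As an added example (not from this thread or from McAfee), here is a small Python parser for the default message template CR quoted, the kind of thing a custom SIEM would run over the Syslog-NG feed. The sensor name, attack names, direction, severity and result strings in the sample lines are constructed, not captured from a real sensor.

```python
import re
from ipaddress import ip_address

# Regex for the default template quoted above:
# "$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$).
#  $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)"
# The address groups are greedy (\S+) so an IPv6 source like 2001:db8::15:53000 still splits at the last colon.
EVENT_RE = re.compile(
    r"^(?P<sensor>\S.*?) detected (?P<direction>\S+) attack (?P<attack>.+?) "
    r"\(severity = (?P<severity>[^)]+)\)\. "
    r"(?P<src_ip>\S+):(?P<src_port>\d+) -> (?P<dst_ip>\S+):(?P<dst_port>\d+) "
    r"\(result = (?P<result>[^)]*)\)\s*$"
)

def parse_ips_event(body):
    """Parse one message body (syslog PRI/timestamp header already stripped).
    Returns a dict of typed fields, or None if the line does not follow the
    default template (e.g. the message was customised on the Manager)."""
    m = EVENT_RE.match(body)
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["src_ip"] = ip_address(ev["src_ip"])   # validates IPv4/IPv6 text
        ev["dst_ip"] = ip_address(ev["dst_ip"])
    except ValueError:
        return None
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev

def unblocked_high_severity(lines):
    """Attack names of High severity events whose result status does not report a block."""
    return [ev["attack"] for ev in map(parse_ips_event, lines)
            if ev and ev["severity"].lower() == "high" and "block" not in ev["result"].lower()]

# Constructed sample bodies (documentation address ranges, invented names and statuses).
SAMPLE = [
    "NS9200-DC1 detected Inbound attack HTTP: SQL Injection Attempt (severity = High). "
    "203.0.113.10:51234 -> 192.0.2.20:443 (result = Attack Blocked)",
    "NS9200-DC1 detected Outbound attack DNS: Suspicious TXT Query (severity = Medium). "
    "2001:db8::15:53000 -> 2001:db8:ffff::1:53 (result = Inconclusive)",
    "NS9200-DC1 detected Inbound attack SMB: Suspicious Named Pipe Access (severity = High). "
    "198.51.100.7:49152 -> 192.0.2.30:445 (result = Inconclusive)",
    "custom template: sensor NS9200-DC1 saw something",   # does not match -> None
]

if __name__ == "__main__":
    print(unblocked_high_severity(SAMPLE))
```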
                  • 6. Re: NS9200 Syslog Format/Sample
                    kdevmu

                    Thank you CR.

                     

Now the question is, can the NS9200 device send syslogs directly to the external syslog server, or can they be forwarded by the NSM Manager only?

                    • 7. Re: NS9200 Syslog Format/Sample
                      ciaranr

                      Hi Kalpesh,

                       

                      The device may be configured to directly send to Syslog-NG using the page on the manager: 'Devices > <DEVICE_NAME> > Setup > Logging > IPS Event Logging'.

The message on the page reads: "Devices forward all alerts to the Manager, which can be configured to send IPS event notification via syslog, SNMP, SMTP and pager. Use this page to additionally send syslog notification directly from the device."

                      This page has configuration options that will apply only to this sensor.

                       

                      If you have multiple devices, and you wish to configure all at once to send to Syslog-NG, navigate to 'Devices > Global > IPS Device Settings > IPS Event Logging' and configure from this page. This will apply to all your sensors.

                       

                      Finally, if you wish to configure the manager for logging events, go to 'Manage(r) > Setup > Notification > IPS Events > Syslog'. This page will allow you to configure the manager to send events to Syslog-NG, which will reduce load on the sensors.

                       

Please review the Manager Administration Guide, beginning on page 97, for details of the fields and variables that may be set on each of these pages.

                       

                      Regards,

                       

                      CR.

                      2 of 2 people found this helpful