How to Configure a Syslog Policy to Segregate App Firewall Logs

Steps to follow:

1) Kill the syslogd process with the command: killall syslogd

2) Modify /etc/syslog.conf to include the following lines:

#local2.* /var/log/iprep.log

local2.* /var/log/ns.appfw.log

3) Create the syslog actions and policies and bind them as follows:

add audit syslogAction locallog <NSIP> -logLevel ALL -logFacility LOCAL2

add audit syslogAction syslogsrv <external syslog server IP> -logLevel ALL

add audit syslogPolicy localpol ns_true locallog

add audit syslogPolicy syslogsrvPol ns_true syslogsrv

bind appfw global localpol 1

bind appfw global syslogsrvPol 2

4) Start the syslog server daemon from the shell with the command: /usr/sbin/syslogd -a *:* -n -v -v -8 -C


Logs from ns.appfw.log:

# tail -f ns.appfw.log

Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73766 0 : 10.x.x.x 127175-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/chrome.png Cookie validation failed for is_cisco_platform <blocked>

Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73767 0 : 10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for startupapp <blocked>

Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73768 0 : 10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for is_cisco_platform <blocked>

Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_REFERER_HEADER 73769 0 : 10.x.x.x 127177-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/ Referer header check failed: referer header URL ‘http://10.x.x.x/admin_ui/common/css/ns/ui.css’ not in Start URL or closure list <blocked>
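One way to sanity-check the segregated file, as an added example (not part of the original article or any Citrix tooling): it parses lines in the format shown above, tallies violations by check type and action, and flags any line that is not a local2 APPFW message. Field names such as txn and profile are this example's own labels for the positions in the sample lines, and the last sample line is constructed.

```python
import re
from collections import Counter

# Field names are this example's own labels for positions in the sample lines.
LINE_RE = re.compile(
    r"<(?P<facility>\w+)\.(?P<level>\w+)>\s+(?P<nsip>\S+)\s+.*?"
    r"\bAPPFW\s+(?P<check>APPFW_\w+)\s+(?P<event_id>\d+)\s+\d+\s+:\s+"
    r"(?P<client>\S+)\s+(?P<txn>\S+)\s+(?P<session>\S+)\s+"
    r"<(?P<profile>[^>]*)>\s+(?P<url>\S+)\s+(?P<message>.*?)\s+<(?P<action>[^>]+)>\s*$"
)

def parse_line(line):
    """Return the fields of one App Firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, expected_facility="local2"):
    """Count (check, action) pairs and collect lines that do not belong in the file."""
    counts, stray = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line.strip())
        if rec is None or rec["facility"] != expected_facility:
            stray.append(line.strip())  # wrong facility or not an APPFW message
            continue
        counts[(rec["check"], rec["action"])] += 1
    return counts, stray

# The first four lines are copied from the sample output above; the fifth is constructed.
SAMPLE = """\
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73766 0 : 10.x.x.x 127175-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/chrome.png Cookie validation failed for is_cisco_platform <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73767 0 : 10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for startupapp <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_COOKIE 73768 0 : 10.x.x.x 127176-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/admin_ui/rdx/core/css/safari.png Cookie validation failed for is_cisco_platform <blocked>
Mar 11 16:42:03 <local2.info> 10.x.x.x 03/11/2019:11:12:03 GMT XS-99 0-PPE-0 : default APPFW APPFW_REFERER_HEADER 73769 0 : 10.x.x.x 127177-PPE0 Jz4u5Dj/4G4eJ4yll830a7zzz+A0000 <appfwpol> http://10.x.x.x/ Referer header check failed: referer header URL ‘http://10.x.x.x/admin_ui/common/css/ns/ui.css’ not in Start URL or closure list <blocked>
Mar 11 16:42:04 <local0.info> 10.x.x.x 03/11/2019:11:12:04 GMT XS-99 0-PPE-0 : default EXAMPLE EXAMPLE_MSG 1 0 : constructed line from another facility
"""

if __name__ == "__main__":
    counts, stray = summarize(SAMPLE.splitlines())
    for (check, action), n in sorted(counts.items()):
        print(f"{n:5d}  {check:<24} {action}")
    print(f"{len(stray)} line(s) did not match the expected local2 APPFW format")
```

A non-empty stray list on a real ns.appfw.log suggests that something other than the App Firewall syslog action is writing to the file.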
