How do I configure syslog remote logging for a Untangle Firewall

This article provides instruction on how to setup and enable syslog forwarding on a Untangle firewall

Enable Syslog

  1. Go to Config > Events > Syslog.
    Syslog-Disabled
  2. Enable the "Enable Remote Syslog" option.
    Syslog-Enabled-Default
  3. Configure the Syslog connection:
    • Enter the IP Address of the RocketAgent running the Firewall Analyzer App
    • Keep the default port and protocol (UDP 514)

Create a Syslog Rule

The default rule that is included when you first enable Syslog sends all data in all classes to the remote server. We recommend disabling or deleting the default rule and creating rules that sends only the data that you want/need to the RocketAgent.

  1. Click the Add button. You should get a window similar to the one shown belowSyslog-Add-Rule
  2. Enter a description for the rule and then click the drop down menu for Class.
    Syslog-Select-Class
  3. You can further limit the data sent by adding fields via the Add Field button and selecting the field you want to filter by:
    • Click the Add Field button
      Syslog-Add-Field
    • Select the Filed you want to filter by and then fill in the rest of the filter conditions similar to below
      Syslog-Config-Field
  4. You can also can set a threshold on the rule so it only triggers after a certain number of matching events occur:
    Syslog-Thresholds
  5. Click Done in the bottom-right corner of the window and then click Save in the main window to apply your new rule.
    Syslog-Save

We recommend you create Syslog Event Rules for the following Event Classes In Untangle

  • SpamLogEvent
  • VirusFtpEvent
  • VirusHttpEvent
  • VirusSmtpEvent
  • AdminLoginEvent
  • UserTableEvent
  • IntrusionPreventionLogEvent
  • ApplicationControlLogEvent
  • LoginEvent
  • WebFilterEvent
  • ThreatPreventionEvent
  • ThreatPreventionHttpEvent
  • ApplicationControlLiteEvent

For a complete list of event classes please visit:

https://wiki.untangle.com/index.php/Event_Definitions