How To Setup Syslog In Padvish Management Console

Introduction

This document introduces the Syslog module of the Padvish management console, together with its settings and features.

After reading this document, the reader will understand the architecture of this module and be able to configure the Padvish management console to send logs over the Syslog protocol to a log server, a SIEM, or a similar system. The end of the document lists the Padvish antivirus messages and explains how to process them.

About Syslog protocol

The Syslog protocol is used to send and collect textual logs from all kinds of network equipment. These logs can cover any content, from system operation and connection events to security events. In essence they are text messages with a few fixed metadata fields (such as the date, the origin, and the severity of the event), and each facility and system has its own message pattern that must be processed accordingly.

By default Syslog sends UDP packets to port 514, but other transports exist, such as TCP and encrypted delivery. At present, the Padvish management console supports sending over UDP only.

Because the purpose of the protocol is to collect all information in one place and process it there, before proceeding you need a Syslog server (or any system able to receive these messages) deployed on your network, with an IP address or a reachable hostname assigned to it.

Syslog module in Padvish management console

Communication architecture

By applying the settings below on the Padvish management server, you can receive these logs, which contain the events of the client systems, over the Syslog protocol.

The sending mechanism works as follows: Padvish clients regularly send their reports and logs to the Padvish management server. As soon as the management server receives a log, it reformats it and forwards it over Syslog to one or more servers. Clients therefore never communicate with the Syslog server directly; only the Padvish management server needs to be able to send packets to it.

Adjust syslog settings method in Padvish management console

To adjust the settings, create a log.cfg file in the main path of the Padvish server (usually C:\Program Files (x86)\Amnpardaz\Server\log.cfg) and put the following settings in it:

rootCategory=DEBUG,Syslog
appender.Syslog=SyslogAppender
appender.Syslog.syslogName=Padvish
appender.Syslog.syslogHost=192.168.0.1
appender.Syslog.portNumber=514
appender.Syslog.facility=1
appender.Syslog.layout=PatternLayout
appender.Syslog.layout.ConversionPattern=1 %d{%Y-%m-%dT%H:%M:%S,%lZ} PadvishManagementServer PMS - - - %-5p %c{2} %m%n

In these settings, replace the syslogHost address and the port (the standard default is 514) with those of the Syslog server that is to receive the logs.

In the rare case where logs have to be sent to several destination log servers, use the following settings and declare the number of servers in use:

rootCategory=DEBUG,Syslog
appender.Syslog=SyslogAppender
appender.Syslog.syslogName=Padvish
appender.Syslog.syslogHost=192.168.0.1
appender.Syslog.portNumber=514
appender.Syslog.facility=1
appender.Syslog.layout=PatternLayout
appender.Syslog.layout.ConversionPattern=1 %d{%Y-%m-%dT%H:%M:%S,%lZ} PadvishManagementServer PMS - - - %-5p %c{2} %m%n
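To show what a receiving system actually has to parse, here is an added example (not code from the original document or from Padvish) of a small Python UDP listener for the frame the ConversionPattern above produces: the leading 1 is the RFC 5424 version field, followed by the timestamp, the host name PadvishManagementServer, the application name PMS, three "-" placeholders, the level, the category and the message. It assumes the appender prefixes that header with an RFC 5424 <PRI> value (facility*8 + severity); since that depends on the appender, the prefix is treated as optional. The sample datagram, host names and category name are constructed, not captured from a real server.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Frame produced by the ConversionPattern above (RFC 5424 style header):
#   <PRI>1 TIMESTAMP PadvishManagementServer PMS - - - LEVEL CATEGORY MESSAGE
# The <PRI> prefix (facility*8 + severity) is assumed to be added by the
# appender itself; it is optional here so both forms parse.
FRAME_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"1 "                                                    # version
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:,\d+)?Z) "  # %d{%Y-%m-%dT%H:%M:%S,%lZ}
    r"(?P<host>\S+) (?P<app>\S+) "                           # HOSTNAME APP-NAME
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) "           # PROCID MSGID SD, all "-"
    r"(?P<level>[A-Z]+)\s+(?P<category>\S+) (?P<msg>.*)$",   # %-5p %c{2} %m
    re.DOTALL,
)


@dataclass
class PmsFrame:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: str
    host: str
    app: str
    level: str
    category: str
    message: str


def parse_frame(line: str) -> PmsFrame:
    """Split one datagram into its header fields; raise ValueError if it is not a PMS frame."""
    m = FRAME_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a PMS syslog frame: {line!r}")
    pri = m.group("pri")
    facility = int(pri) // 8 if pri is not None else None
    severity = int(pri) % 8 if pri is not None else None
    return PmsFrame(facility, severity, m.group("ts"), m.group("host"), m.group("app"),
                    m.group("level"), m.group("category"), m.group("msg"))


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal UDP listener: receive datagrams from the management server and print them parsed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            frame = parse_frame(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print(f"[{src}] unparsed datagram: {exc}")
            continue
        print(f"[{src}] {frame.timestamp} {frame.level} {frame.category}: {frame.message}")


# Constructed sample datagram (not captured from a real server), laid out as the
# pattern above would produce it; facility 1 / severity 6 gives <14>.
SAMPLE = ("<14>1 2018-01-29T13:14:15,123Z PadvishManagementServer PMS - - - INFO  Padvish.Client "
          "[2018-01-29 13:14:15] Firewall turned on by 'admin' on client PC01 [192.168.10.5] user alice")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

Run as a script it parses the constructed sample; call serve() on a host allowed to bind port 514 to receive real datagrams. Because UDP Syslog carries no authentication, restrict the listener (host firewall or the SIEM's source filter) to the management server's address so that datagrams from other sources are not ingested as Padvish events.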

Guide to Syslog messages in Padvish management console

As with most products, the Syslog messages of the Padvish management console are sent in a form that is readable by users and network administrators. For automated processing, these messages have to be parsed.

Here is the list of Syslog messages sent by the server:

No. | Log type | Message (all types of Padvish server)

1 | Detecting malware
    [%datetime%] Malware '%malwarename%' found in client %computername% [%ip%] on path '%malwarepath%', action={Ignore/Delete/Quarantine/Disinfect/Deny}, result={Fail/Success}

2 | Turning on device control
    [%datetime%] Device Control turned on by '%username%' on client %computername% [%ip%] user %consoleusername%

3 | Turning off device control
    [%datetime%] Device Control turned off by '%username%' on client %computername% [%ip%] user %consoleusername%

4 | Turning on firewall
    [%datetime%] Firewall turned on by '%username%' on client %computername% [%ip%] user %consoleusername%

5 | Turning off firewall
    [%datetime%] Firewall turned off by '%username%' on client %computername% [%ip%] user %consoleusername%

6 | Restoring file from quarantine (success)
    [%datetime%] File '%filepath%' restored from quarantine by '%username%' on client %computername% [%ip%] user %consoleusername%

7 | Restoring file from quarantine (failure)
    [%datetime%] Restore of file '%filepath%' from quarantine failed by '%username%' on client %computername% [%ip%] user %consoleusername%

8 | Turning on real-time protection
    [%datetime%] System Guard turned on by '%username%' on client %computername% [%ip%] user %consoleusername%

9 | Turning off real-time protection
    [%datetime%] System Guard turned off by '%username%' on client %computername% [%ip%] user %consoleusername%

10 | Update of signature database (success)
    [%datetime%] Successfuly updated by '%username%' on client %computername% [%ip%] user %consoleusername%

11 | Update of signature database (failure)
    [%datetime%] Update by '%username%' failed on client %computername% [%ip%] user %consoleusername%

12 | Turning on self-protection
    [%datetime%] Self Protection turned on by '%username%' on client %computername% [%ip%] user %consoleusername%

13 | Turning off self-protection
    [%datetime%] Self Protection turned off by '%username%' on client %computername% [%ip%] user %consoleusername%

14 | Scanning
    [%datetime%] A scan was performed on client %computername% [%ip%] by '%username%'. Result='{Finished successfully/Aborted by user/Failed}', Scanned files='%d', Threats found='%d', Start Date='%datetime%', End Date='%datetime%'

15 | Firewall log
    [%datetime%] {Allowed/Denied} connection on client %computername% [%ip%] user %consoleusername%. [Direction='{In/Out}', Remote Address='%ip%:%port%', Local Address=':%port%', Protocol='%d']

16 | Device connection (old version)
    [%datetime%] Device Connected, Vendor='%vendor%', Product='%product%', Serial='%serial%', Action='{allowed/denied/allowed read-only}', Client='%computername% [%ip%]'

17 | Device connection (new version)
    [%datetime%] Device '%type%' with ID '%serial%' connected and was '{allowed/denied/allowed read-only}' on client %computername% [%ip%], user %consoleusername%

18 | Detecting intrusion
    [%datetime%] IDS detected '%attackname%' on {incoming/outgoing} connection {from/to} %ip% on client %computername% [%ip%] user %consoleusername% and {allowed/denied} it

Tips:

  1. Every log begins with the date and time of the event, according to the clock of the client system that generated it.
  2. Text between % signs is a string value that the system substitutes.
  3. Text of the form {xxx/yyy/zzz} means that one of the listed values is substituted.
  4. %d stands for a numeric value.
  5. %datetime% stands for a date value in the format 2018-01-29 13:14:15.
  6. %consoleusername% is the user who was logged in to the client at the time of the event. This is the Windows console user.
  7. %username% is the user who performed the action. When the operation was carried out by the system or by the server, this field is blank, a single space, or "system" (all of which mean the same thing).
  8. In the firewall log, the Protocol value is the IP packet protocol number (6 means TCP and 17 means UDP).

Padvish log processing rules

To view the regular expression (regex) rules and how to connect to log analysis software, read the following page:

Guide to Padvish management console connection to Splunk and similar software
