Accenture MDR Quick Start Guide for Broadcom Edge Secure Web Gateway using Syslog Configuration

This quick start guide will help Accenture MDR customers configure Broadcom Edge Secure Web Gateway to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MSS portal (Accenture MSS - Log in to MSS).

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source | Destination | Destination Port | Description
Windows/Linux Server (where the Nxlog Agent or Logstash is installed) | LCP | 6514 (Secure TCP), or 601 (TCP), or 514 (UDP) | Default port

Prerequisites:

  • A Central Log Aggregation Server running either CentOS 7.9 or Windows Server 2012 must be deployed and managed within your internal network.

  • Configure an FTP receiver on the Central Log Aggregation Server so that incoming log files are saved to your chosen directory.

  • The Central Log Aggregation Server must have either Logstash (with Java v1.8 as a dependency) or Nxlog Community Edition installed, according to the customer's log-forwarding agent preference.

Note - MxDR prefers Logstash over Nxlog for log forwarding, to avoid output SSL socket issues with Nxlog.

Configuring Broadcom Edge SWG

1. Configure the log format.

a) Log in to the device Web interface.

b) Click the Configuration tab and go to Access Logging > Formats.

c) In the Log Formats section, click New. The New Create Format pop-up window appears.

d) In the Format Name text box, type a name for the LCP.

e) Select the W3C Extended Log File Format (ELFF) string option.

f) In the text box, type the following:

date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host x-http-connect-host cs-uri-port cs-uri-path cs-uri-query cs-username c-cpu cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip x-bluecoat-application-name x-bluecoat-application-operation c-port cs(X-Forwarded-For) x-exception-id cs-category cs-uri-extension cs-uri x-bluecoat-appliance-primary-address s-sitename r-ip r-port r-dns x-rs-certificate-hostname x-rs-certificate-hostname-category x-rs-certificate-observed-errors x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength x-rs-connection-negotiated-cipher-size x-rs-connection-negotiated-ssl-version s-supplier-ip s-supplier-country s-supplier-failures cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) x-exception-category x-rs-certificate-hostname-threat-risk x-cs(Referer)-uri-threat-risk x-cs(Referer)-uri-categories s-port s-source-ip s-source-port

g) To check the log format, click Test Format.

Note: In Edge SWG version 6.x or later, the Test Format Results pop-up window lists deprecated fields. In some Edge SWG versions, fields such as s-hierarchy and r-hierarchy are unsupported and can be removed. Once the unsupported log fields are removed, the Test Format Results pop-up window displays the message "Format Syntax correct".

h) From the Multiple-valued header policy drop-down list, select Log last header and click OK.

i) In the Log Formats screen, click Save.
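As an added example (not part of this guide, and not Accenture's or Broadcom's code), a small Python parser for the W3C ELFF access log that the format above produces, so you can confirm that an uploaded file's data lines match its #Fields header before the forwarder picks it up; the sample log and its shortened field list are constructed here, and the full field list from the guide works the same way.

```python
import shlex
from datetime import datetime, timezone

# Constructed sample (not from the guide): an ELFF upload with a shortened
# subset of the guide's field list; the parser works the same with the full list.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-path cs-username rs(Content-Type) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip
2024-05-01 12:00:01 123 10.1.2.3 200 TCP_NC_MISS 5120 640 GET https example.com /index.html jdoe text/html "Mozilla/5.0 (Windows NT 10.0)" OBSERVED "Technology/Internet" - 10.1.0.5
2024-05-01 12:00:02 45 10.1.2.4 403 TCP_DENIED 0 300 GET http bad.example /dl/x.exe - - "curl/8.0" DENIED "Suspicious" - 10.1.0.5
2024-05-01 12:00:03 7 10.1.2.5 200 TCP_HIT 100 200 GET
"""


def parse_elff(text):
    """Parse ELFF text into dicts keyed by the #Fields names; returns (records, errors).
    '-' becomes None. A data line whose token count differs from the #Fields count is
    reported, not parsed: that is the symptom of a field the device does not support."""
    fields, records, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date, ...)
        if not fields:
            errors.append((lineno, "data before #Fields header"))
            continue
        tokens = shlex.split(line)  # quoted values (User-Agent, categories) keep spaces
        if len(tokens) != len(fields):
            errors.append((lineno, f"expected {len(fields)} fields, got {len(tokens)}"))
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, tokens)})
    return records, errors


def event_time(record):
    """Combine date and time; Edge SWG logs in UTC unless Local Time is checked."""
    return datetime.strptime(record["date"] + " " + record["time"],
                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def denied_requests(records):
    """Triage view: client, host and category for every policy-denied request."""
    return [(r["c-ip"], r["cs-host"], r["cs-categories"])
            for r in records if r["sc-filter-result"] == "DENIED"]
```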

2. Configure the Log Facility.

a) Click the Configuration tab and go to Access Logging > Logs.

b) In the Logs tab, click New. The Create Log window appears.

c) In the Log Settings section, in the Log Name text box, type a name for the LCP.

d) From the Log Format drop-down list, select the log format created in step 1.

e) In the Description text box, type the description of the LCP.

f) In the Log file limits section, in the "The maximum size of each remote file is" text box, type 200.

g) In the "Start an early upload if log reaches" text box, type 200 and click OK.

3. Configure the FTP client.

a) Click the Configuration tab and go to Access Logging > Logs > Upload Client.

b) From the Log drop-down list, select the log facility created in step 2.

c) From the Client type drop-down list, select FTP Client and click Settings.

d) From the Settings for drop-down list, select Primary FTP Server.

e) In the Host text box, type the IP address of the Central Log Aggregation Server.

f) In the Port text box, type the port number of your FTP server (the default port is 21).

g) Provide the Directory path where the access log is uploaded on the Central Server.

h) In the Username text box, type your FTP server username.

i) Click Change Primary password to set the password used for the FTP server; the Change Password dialog appears. Enter and confirm the new password and click OK. You may leave the field empty if no password is configured on the FTP server.

j) In the Filename text box, do one of the following:

i) Type the log file name in the following format if you want to send logs without compression:

SG_%f_%c_%I%m%d%H%M%S.log

ii) Type the log file name in the following format if you want to send logs with compression:

SG_%f_%c_%I%m%d%H%M%S.gzip.log

Note:

i) The default filename includes the log name (%f), the name of the external certificate used for encryption, if any (%c), the fourth octet of the Edge SWG device IP address (%l), the date and time (Month: %m, Day: %d, Hour: %H, Minute: %M, Second: %S), and the .log or .gzip.log file extension.

ii) Configure sending logs without compression, which is supported with any forwarder configuration. Sending logs with compression works only if you have chosen Logstash as your forwarder, deployed on CentOS as the Central Log Aggregation Server OS.

k) Check the Use secure connections (SSL) check box.

Note - Check this box only if you want to send logs to your Central Server using FTPS.

l) Check the Local Time check box only if you need to send logs in your local time.

Note: By default, the device sends logs in UTC.

m) Check the Use PASV check box and then click OK and Apply.

4. Assign a log facility to the format.

a) Click the Configuration tab and go to Access Logging > General.

b) In the Default Logging tab, all the available protocols are mapped to the default log facility.

c) MxDR supports the protocol logs given in the table and recommends that you map those protocols to the LCP log facility.

d) Click each of the above protocols and click Edit.

e) Map the logging facility created in step 2 to each protocol and click Apply.

5. Configure the Upload Schedule.

a) Click the Configuration tab and go to Access Logging > Logs > Upload Schedule.

b) From the Log drop-down list, choose the logging facility created in step 2.

c) In the Upload type section, select the Periodically option.

d) In the Upload the log file section, do the following:

i) Click the Every option.

ii) In the hours text box, type 0.

iii) In the minutes text box, type 15 and then click Apply.

6. Test the access log upload.

a) To set the event logging level for testing, do the following: 

i) Click the Maintenance tab and go to Event Logging > Level.

ii) Check the Verbose check box and click Apply.

b) To test the log upload:

i) Click the Configuration tab and go to Access Logging > Logs > Upload Client.

ii) From the Log drop-down list, choose the logging facility created in step 2 and click Test Upload.

c) To reset the event logging level after testing:

i) Click the Maintenance tab and go to Event Logging > Level.

ii) Uncheck the Verbose check box and click Apply.

Note: It is important to uncheck the Verbose check box after testing so that the device does not fill its disk with verbose event logs.

7. Enable the newly created log facility.
Note: This step is required if you need flexible monitoring or already have a logging system set up that you cannot replace.

To enable a new logging facility, follow the steps below.

a) Click the Configuration tab and go to Policy > Visual Policy Manager.

b) In the Visual Policy Manager window, go to Policy > Add Web Access Layer.

c) Enter a name for the Web Access Layer and click OK.

d) Right-click the newly created Web Access Layer and go to Action > Set.

e) In the Set Action Object dialog box, go to New > Modify Access Logging.

f) In the Name text box, type a name for the Accenture MDR Access Logging Object.

g) Select the Enable logging to option. From the drop-down list, select the log facility created in step 2 and click OK.

h) Click OK to close the VPM window and click Yes to save the changes.

8. Enable the device to send logs via FTPS.
Note: This step is required only if you need to send the logs to the Central Log Aggregation Server via FTPS.

To import the certificate into the device, follow the steps below.

a) Log in to the device Web interface.

b) Click the Configuration tab and go to SSL > CA Certificates > Import.

c) In the Import your CA Certificate window:

  • In the CA Cert Name text box, type a name for your certificate.

  • In the CA Certificate PEM text box, paste your certificate.

  • Click OK and Apply.

d) To validate Blue Coat event logging, click the Statistics tab and go to System > Event Logging.

To forward logs to the LCP, follow the configuration steps below for the Logstash or Nxlog agent.

Configure Logstash Agent to forward logs to LCP

  1. Download, install and set up the Logstash agent by referring to Installing Logstash | Logstash Reference [8.2] | Elastic. Logstash requires Java as a prerequisite: install Java 8 on the Central Log Aggregation Server so that Logstash can process the log files. In Windows environments, Logstash should be installed as an Admin user.

  2. Ensure that the logstash service (Windows) and the logstash user (Linux) have full access to the uploaded log files on the Log Aggregation Server.

    Steps to configure Logstash Agent

    1. Navigate to the Logstash configuration directory.

      1. In CentOS with a default installation, navigate to "/etc/logstash/conf.d/".

      2. In Windows, navigate to the installed directory {Logstash_extract.path}/config, where {Logstash_extract.path} is the Logstash directory created by unpacking the archive. This can be any custom path to which you extracted the Logstash archive; an example value is "C:/logstash-8.3.1/config".

    2. Rename the attached logstash.conf to edgeswg.conf and copy it into the Logstash configuration directory.

The edgeswg.conf file should be copied into the conf.d directory (CentOS) or the config directory (Windows). Edit this file for log forwarding by following the steps provided in it, then save it.

    3. Start the logstash service.


Configure NxLog Agent to forward logs to LCP

  1. Download and install the NxLog agent from the NXLog download page (there are a few dependencies that you need to install before you can install nxlog on the machine; refer to Documentation :: NXLog Documentation).

  2. Ensure that the nxlog service (Windows) and the nxlog user (Linux) have full access to the uploaded log files on the Log Aggregation Server.

  3. Steps to configure Nxlog Agent.

    1. Navigate to the Nxlog configuration directory.

      1. In CentOS with a default installation, navigate to the "/etc/nxlog/" directory.

      2. In Windows with a default installation, navigate to the "C:\Program Files\nxlog\conf" folder.

    2. For a CentOS installation, rename the attached nxlog_linux.conf to "nxlog.conf" and copy it into the /etc/nxlog directory. For a Windows installation, rename the attached nxlog_windows.conf to "nxlog.conf" and copy it into the C:\Program Files\nxlog\conf directory. Edit this file for log forwarding by following the steps provided in it, then save it.

    3. Start the nxlog service.

LCP Configuration Parameters

Table 1-2: The Broadcom Edge Secure Web Gateway event collector (Syslog-3981) properties to be configured by MDR are shown in the table.

Property | Default value | Description
Protocol | SECURE TCP | The collector can accept Broadcom Edge Secure Web Gateway logs in Secure TCP protocol. The collector can also accept logs in TCP and UDP.
Port Number | 6514 | The default port for Secure TCP. For TCP, the default port is 601 and for UDP, the default port is 514.
IP Address | Broadcom Edge Secure Web Gateway Interface IP Address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact your onboarding team.
Signatures | broadcomedgeswg | MDR recommended signatures processed by the Broadcom Edge Secure Web Gateway event collector.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.