Log Source

Configuration
Guide

ANET USA INC.

Configuring Log Sources

SureLog listens at the default ports for exported log files. The following is a list of firewalls
and versions for which configuration instructions are included.
Firewall Name

Version Numbers

Check Point

Log import from most versions and LEA support for R54 and
above

NetScreen

Most version

Cisco Systems

Microsoft ISA

Cisco Pix Secure Firewall v 6.x, 7.x, Cisco ASA, Cisco

IOS 3005, 1900, 2911, 3925, Cisco FWSM, Cisco VPN
Concentrator, Cisco CSC-SSM Module 6.3.x,
Cisco SSL WebVPN or SVC VPN, Cisco IronPort Proxy,
Cisco Botnet module
(Firewall, Web Proxy, Packet Filter, Server 2006 VPN)
Server 2000 and 2004, W3C log format Threat
Management Gateway (TMG)

CyberGuard

CyberGuard Firewall v4.1, 4.2, 4.3, 5.1

Cyberoam

Cyberoam Firewall Version: 9.5.4

FortiNet

FortiGate family, Webfilter, DLP, IPS modules, and IPSec, SSL

VPN - v300A, v310B, FortiOS 5.x VPN

WatchGuard

All Firebox Models v 5.x, 6,x, 7.x, 8.x, 10.x, 11, Firebox X series,
x550e, x10e, x1000, x750e

Snort

Most versions

Secure Computing
Sidewinder

Sidewinder G2, FIrewall Enterprise - Sidewinder (S4016)

SonicWALL

SOHO3, SOHO TZW, TELE3 SP/TELE3 Spi, PRO 230, 2040, 3060,
4060, 5060, TZ 100/ TZ 100w, TZ 170, TZ 170 Wireless, TZ 170
SP Wireless, TZ 200/ TZ 200w, TZ 210/ TZ 210w, NSA 240, NSA
2400, NSA 2400MX, NSA 3500, NSA 4500, NSA 5000, NSA
E5500, NSA E6500, NSA E7500, NSA E8500, NSA E8510,
Management, Application control & SSL-VPN logs

Juniper Networks

Juniper SRX series

SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400,

SRX3400, SRX3600, SRX5600, SRX5800

NetScreen series

NetScreen most versions of Web Filter & Spam Modules

IDP, SSL VPN series

4500 & 6500, New Format Logs

ISG series

2000

6360, 8350 series

3Com
IPCop

3Com X-family Version 3.0.0.2090 or later

Stonesoft

Firewall version 5.5

Palo Alto

Palo Alto Firewalls PA 5000 series, PANOS 4.1.0

IPCop Firewall Version 1.4.17 / 1.4.18

Configuring NetScreen Firewall

SureLogsupports most versions of NetScreen Firewall Appliance (OS 3.x, 4.x, 5.x,...). You
can either enable WELF or Syslog format.
Enable Syslog Messages and Disable WebTrends Messages using the NetScreen
Administration Tools Console
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Log in to the NetScreen GUI.

Click Configuration> Report Settings> Syslog in the left pane of the NetScreen GUI.
Select the Enable Syslog Messages check box.
Select the Trust Interface as Source IP for VPN and Include Traffic Log check box.
Type the IP address of the SureLogserver and syslog port (514) in the Syslog Host Name /
Port text box.
All other fields will have default values.
Click Apply to save the changes.
Click Configuration> Report Settings> WebTrends in the left pane of the NetScreen GUI
Clear the Enable WebTrends Messages check box.
Click Apply to save the changes.

In certain versions of NetScreen firewall there is an option to record the completion

11.
of a transaction. Please select this option (if available) in the NetScreen firewall to
enable SureLogto measure the sent and received bytes from the firewall traffic logs.

Uncheck the TCP option. This will make the firewall to send syslogs in the
configured UDP port.

If you would like to send NetScreen logs in WELF to SureLog, the you need to Disable
Syslog Messages and Enable WebTrends Messages in the above steps. For more information,
refer the NetScreen documentation.

Configure/Enable Syslog Messages for Netscreen Firewall device using CLI Console:
Execute the following commands to configure syslog via CLI:
Syngress > set syslog config 10.23.23.2 facilitates local0 local0
Syngress > set syslog config 10.23.23.2 port 514
Syngress > set syslog config 10.23.23.2 log all
Syngress > set syslog enable

Configure/Enable WebTrends for Netscreen Firewall device using CLI Console:

Execute the following commands to configure WebTrends via CLI:
Syngress > set webtrends host-name 10.23.23.2
Syngress > set webtrends port 514
Syngress > set webtrends enable

Configure/Enable SNMP Protocol for Netscreen Firewall device

Using CLI Console:

To add a new SNMP community: (Skip this step, if you have already defined a community)
set snmp community "<community name>" Read-Only Trap-off version {any | v1 | v2c}

To enable the SNMP Manager running in SureLogto make queries to SNMP Agent running in
the firewall:

set snmp host "<community name>" <SureLogIP> [src-interface <interface through which
SureLogis connected>]

Example: The following command example defines the IP address '10.5.1.24' as member of
the SNMP community named 'olympia':
set snmp host "olympia" 10.5.1.24 [src-interface inside]

Enable SNMP manageability on the interface through which the SNMP manager in
SureLogcommunicates with the SNMP agent in the NetScreen device.
set interface <interface name> manage snmp

Using Web UI:

To add a new SNMP community: (Skip this step, if you have already defined a community)

Log in to the Netscreen web interface

Go to Configuration > Report Settings > SNMP > New Community

Enter the following settings:

o
o
o
o
o
o
o

Community Name: <community name>

Permissions:
Write: (select)
Trap: (clear)
Including Traffic Alarms: (clear)
Version: ANY (select)
Hosts IP Address/Netmask and Trap Version:<SureLogIP address>
Click Apply.

To enable the SNMP Manager running in SureLogto make queries to SNMP Agent running in
the firewall:

Go to Configuration > Report Settings > SNMP

Edit community to add SNMP Manager IP <SureLogIP address> and the source
interface (interface through which SureLogconnects firewall) to that community.
Under communities section, you will find the option to edit community. If SNMP
Agent does not have a community, click 'New Community' button and provide
community string, SNMP Manager IP address <SureLogIP address> and the source
interface (interface through which SureLogconnects firewall) to that community.
Click Apply.

Enable SNMP manageability on the interface through which the SNMP manager in SureLog,
communicates with the SNMP agent in the NetScreen device.

Go to Network > Interfaces > Edit (for ethernet1)

Enter the following settings:

o
o

Service Options:<no change>

Management Services: SNMP

Click OK.

Configuring Cisco Devices - PIX/ASA/FWSM/VPN Concentrator

SureLog supports the following versions of various Cisco devices.

Cisco IOS Firewalls:

8xx
18xx
28xx
38xx
72xx
73xx
3005
1900
2911
3925

Cisco FWSM Catalyst Series:

6500
7600

Cisco PIX versions:

6.x
7.x

Cisco ASA:

5500 series
9.1

Cisco VPN Concentrators Series:

3000
3500

Model Family

Model

Cisco IOS Software

Version

c871, c876,
c877,c878

12.4(4)T

c1841

12.3(14)T

c1811, c1812

12.4(4)T

c1801, c1802,
c1803

12.4(4)T

28xx

c2801, c2851,
c2821, c2811

12.3(14)T

38xx

c3845, c3825

12.3(14)T

72xx

7206VXR,
7204VXR

12.3(14)T

73xx

CISCO7301

12.3(14)T

8xx

18xx

To find out the version of your PIX firewall, Telnet to the PIX firewall and enter the show
version command.
Cisco PIX does not create log files, but instead directs a log stream to the syslog
server, which writes the log information into a file. Make sure the syslog server
on SureLog can access the PIX firewall on the configured syslog port. For this,
you may have to make a rule specific to this situation.

Getting logs from Virtual Firewall (Virtual Domain)

Configuring Cisco PIX using Command Line Interface
Configuring Cisco PIX from the User Interface
Configuring SNMP protocol for Cisco PIX using Command Line Interface
Configuring Cisco ASA using Command Line Interface
Configuring SSL WebVPN in Cisco ASA appliance
Configuring Cisco ASA NetFlow Logs
Configuring SNMP protocol for Cisco ASA using Command Line Interface
Configuring Cisco VPN 3000 Concentrator
Configuring Cisco IOS Switch
Configuring SNMP protocol for Cisco Firewalls using ASDM Web UI tool

Virtual Firewall (Virtual Domain) logs

Prerequisite for context/vdom in Cisco Firewalls
The Cisco Firewall IP address should be DNS resolvable from SureLog.
There is no separate configuration required in SureLog for receiving logs from Virtual
Firewalls of the Cisco physical device.

Configuration in Cisco device for Virtual Firewall

In order to support virtual firewalls for Cisco devices, you need to enable logging
based on the context-name. Otherwise it is not possible for SureLog to detect
Virtual Firewalls (vdom) of Cisco devices.
Configuring Cisco PIX using Command Line Interface
1. Telnet to the PIX firewall and enter the enable mode
2. Type the following:
configure terminal
logging on
logging timestamp
logging trap informational
logging device-id {context-name | hostname | ipaddress interface_name
| string text}
logging host interface_name syslog_ip [17/<syslog_port>]

where,

interface_name

is the interface on the PIX firewall whose logs need to be analyzed

("inside" or "outside," for example).

syslog_ip

is the IP address of the syslog server (i.e. SureLog), to which the

Firewall should send the Syslogs.

indicates that logs will be sent using the UDP protocol, to the
configured syslog port on the syslog server. If left blank, the
17/<syslog_port> syslogs are sent through the default syslog port (UDP port 514). If
the logs are sent through any other port, mention it as 17/<the
UDP port number> (For example: 17/1514).
hostname

firewall's host name (defined with the hostname configuration

command). In this case, the hostname will appear in the logs sent
from the Firewall.

ipaddress
interface_name

the IP address of a specific firewall interface named

interface_name ("inside" or "outside," for example). In this
case, the IP Address of the Interface Name will appear in the logs
sent from the Firewall.

string text

an arbitrary text string (up to 16 characters). In this case, the

arbitrary text string you have entered in string <text> will appear
in the logs sent from the Firewall.

context-name

in PIX 7.x or FWSM 2.x operating in multiple-context mode, the

name of the firewall context will appear in the logs sent from the
Firewall.

Example: logging host inside 11.23.4.56 17/1514

To verify your configuration, enter the show logging command after the last command
above. This will list the current logging configuration on the PIX firewall.

Configuring Cisco PIX from the User Interface

Log in to the Cisco PIX user interface, and follow the steps below to configure the PIX
firewall:
1. Enabling Logging
a. Select Configure > Settings > Logging > Logging Setup
b. Select the Enable logging setup and Enable logging failover check boxes
c. Click Apply.
Changes are applied to the assigned PIX firewall configuration files when they are
generated. The configuration files are then downloaded to PIX firewalls at
deployment.
2. Configuring Syslog Server
a. Select Configure > Settings > Logging > Syslog
b. Check Include Timestamp.
c. Click Add to add a row.
d. In the Add Syslog Server page that appears, enter the following:
i.
Interface Name - the firewall interface through which SureLog can be
reached, the interface can be either inside or outside.
ii.
IP Address - the IP address of the syslog server to which logs have to be sent
iii.
Under Protocol, select the UDP radio button
iv.
The default UDP port is 514. If you have configured a different syslog listener
port on your syslog server, enter the same port here.
e. Click Apply
3. Configuring Logging Level
a. Select Configure > Settings > Logging > Other
b. Under Console Level List select Informational so that all report data is available
c. Click Apply

For every transaction happening in Cisco PIX Firewall, an ACL configured in it matches.
The matched ACL along with complete transaction detail is audited through Message-ID
106100. Ensure that the logging is enabled for 'Message-ID 106100' in Cisco PIX Firewall.
For more information about the message ID follow the below link.
d.
http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp108
6617

This message identifier contains the information about both accepted and denied
transactions. The log information is parsed to get the 'Used' rules and is available in the
'Firewall Rules Report > Top Used Rules Report'.

Configure/Enable SNMP Protocol for Cisco PIX Firewall device

Using CLI Console:

To enable the SNMP Manager running in SureLog to make queries to SNMP Agent running in the
firewall:
configure terminal
snmp-server host <interface name> <hostname |IP address of SureLog>

If you want to create a new SNMP community use the below command:
configure terminal
snmp-server community <community-string>

Example:
configure terminal
snmp-server community public

Configuring Cisco ASA Versions

1. Telnet to the ASA firewall and enter the enable mode
2. Type the following:
configure terminal
logging enable
logging timestamp
logging trap informational
logging device-id {context-name | hostname | ipaddress interface_name |
string text}
logging host interface_name syslog_ip [udp/<syslog_port>]

3. If there are no URL Reports available in SureLog for CISCO ASA, enable HTTP inspection by
executing the following command:
inspect http

Enabling HTTP inspection will generate syslogs with ID 304001. This ID will be used
by SureLog to generate URL Reports.
interface_name

is the interface on the ASA Firewall whose logs need to be

analyzed (for example: "inside" or "outside").

syslog_ip

is the IP address of the syslog server (i.e. SureLog), to which the

Firewall should send the Syslogs.

udp/<syslog_port>

indicates that logs will be sent using the UDP protocol, to the
configured syslog port on the syslog server. If left blank, logs will
be sent to the default UDP port 514.

hostname

firewall's host name (defined with the hostname configuration

command)

ipaddress
interface_name

the IP address of a specific firewall interface named

interface_name (for example: "inside" or "outside")

string text

an arbitrary text string (up to 16 characters)

context-name

in PIX 7.x or FWSM 2.x operating in multiple-context mode, the

name of the firewall context can also be sent.

For more information, refer the Cisco PIX documentation.

Configuring Cisco ASA Versions using ASDM

Enable Logging
Carry out the steps given below:

Load the ASDM

Select Configuration > Device Management > Logging > Logging Setup
Select Enable Logging
Select Logging > Logging Filters
Choose the syslog-servers as Informational
Select Logging > Logging Filters > Syslog servers
Click Add
Enter the IP address and choose the appropriate interface and ensure that you choose UDP
and enter the port number
Select Logging > Syslog Setup
Select 'Include time stamp in syslogs' option and scroll down to ensure the syslog ID's
302013, 302014,302015,302016 are in enabled state and the logging level is set to
Informational

Disable Logging
You can disable specific syslog IDs based on your requirement.
Note: By selecting the check mark for the Include timestamp in syslogs option, you can add
the date and time that they were generated as a field to the syslogs.

Select the syslogs to disable and click Edit.

From the Edit Syslog ID Settings window, select the Disable messages option and click OK.
The disabled syslogs can be viewed in a separate tab by selecting Disabled syslog IDs from
the Syslog ID Setup drop-down menu.

For more information, refer the Cisco PIX documentation.

Configuration for SSL WebVPN in Cisco ASA appliance
SureLog requires syslog message IDs 722030 and 722031, which by default is at debug level,
to process Cisco SVC VPN logs. Set the information level to these syslog IDs by executing
below commands in global configuration mode:
hostname(config)# logging message 722030
level 6
hostname(config)# logging message 722031
level 6

You can confirm by executing the below command:

hostname(config)# show logging message
722030

Configuring Cisco ASA NetFlow Logs and Disabling NetFlow on Cisco ASA/ADM using command
line and ASDM
SureLog support NetFlow version 9 packets, which is introduced in Cisco ASA 8.2.1/ASDM
6.2.1.
Configuring ASA device using console mode to send NetFlow version 9 packets to SureLog
is given below:

As SureLog is capable of receiving either Syslog or NetFlow packet from an ASA box, disable
Syslog and enable NetFlow.

To disable Syslog and enable NetFlow execute the following commands:

(config)# flow-export destination inside <SureLog Server IP> 1514
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export-syslogs disable ---> This command will disable logging syslog
messages
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)#match access-list netflow-export
Associate global policy map with netflow class map

Option 1

If you have a global policy map, associate the above netflow class-map netflow-export-class
to the global policy.
For example: if your global policy map is named global_policy_asa, you need to execute the
below commands:

(config)# policy-map global_policy_asa

(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <SureLog Server IP>
if the above command fails use the below:
(config-pmap-c)# flow-export event-type all destination <SureLog Server IP>

Option 2

If you wish to create a new policy map named netflow-export-policy and make this as your
global policy follow the below steps:
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type any destination <SureLog Server IP>
if the above command fails use the one below:
(config-pmap-c)# flow-export event-type all destination <SureLog Server IP>
Make policy map netflow-export-policy as your global policy:
(config)# service-policy netflow-export-policy global
For UI mode configuration using ASDM access, refer the Cisco forum topic:
https://supportforums.cisco.com/docs/DOC-6114

To disable NetFlow on Cisco ASA/ADM execute the following commands:

(config)# flow-export disable
(config)# no flow-export destination inside <SureLog Server IP> 1514
To disable NetFlow on Cisco ASA/ADM using ASDM

Click on Configuration > Firewall

Click on Service Policy Rules. Look for the policy indicating netflow export
Check the IP address if the flow is pointing to the machine where you want to forward syslog.
If so, delete it and write the configuration in to memory (Save it).

Configure/Enable SNMP Protocol for Cisco ASA Firewall device

Using CLI Console:
To enable the SNMP Manager running in SureLog to make queries to SNMP Agent running in the
firewall:

configure terminal
snmp-server enable
snmp-server host <interface name> <hostname | IP address of SureLog> [poll]

Example:
configure terminal
snmp-server enable
snmp-server host inside 192.168.101.155 poll

If you want to create a new SNMP community use the below command:
configure terminal
snmp-server community <community-string>

Example:
configure terminal
snmp-server community public

Configuring Cisco VPN 3000 Concentrator

Currently we support Cisco IOS Compatible Log Format and Original Log Format for
Cisco VPN Concentrator.
Importing of already saved Cisco VPN Concentrator logs is not supported because those logs
are saved in either of the following formats which is not supported in SureLog:

Multi line
Tab Delimited
Comma Delimited

Follow the below steps to configure the VPN Concentrator:

1. Configuring Syslog Server
a. Login to the Cisco VPN 3000 Concentrator Management console.
b. Go to Configuration > System> Events >Syslog Servers
c. Click the Add button
d. In the Syslog Server text box enter the IP Address of the machine where SureLog is
running.
e. Enter the Port value. The default syslog server port for SureLog is 514.
f. Facility is Local 7
2. Configuring Syslog Events
a. Go to Configuration > System> Events >General
b. For Syslog Format you can either select Original or Cisco IOS Compatible format.
c. For Events to Syslog select Severities 1-5
d. All other configurations are default for this page.
e. Click Apply button

For more information, refer the Cisco VPN Concentrator documentation.

Configuring Cisco IOS Switch

Follow the below steps to configure the Cisco IOS Switch:
1. Login to the Cisco IOS console or Telnet to the device.
2. Change the configuration mode of the device.

Use the following command:

configure terminal
3. Enable logging by using the following commands:
logging on
logging trap informational
logging <IP Address>
4. If there is a Firewall module in the IOS device, use the following command to enable audit
trail. This will generate traffic information.
ip inspect audit-trail
For more information, refer the Cisco IOS Switch documentation.

Configure/Enable SNMP Protocol for Cisco Firewall devices using Cisco ASDM tool
Using Web UI:
Configure SNMP parameters for SNMP Versions 1 and 2c
Carry out the following steps:

In the ASDM main window, select Configuration > Device Management > Management
Access > SNMP
In the Community String (default) field, enter default community string. This applies to
SNMP Versions 1 and 2c only
Fill appropriate values in Contact and Location fields
In the Listening Port field, enter the port number of the security appliance that listens for
SNMP requests from management stations; or retain the default port number 161
Click Apply

With this, SNMP parameters for Versions 1 and 2c are configured and the changes are saved
to the running configuration.
To enable the SNMP Manager running in SureLog to make queries to SNMP Agent running
in the firewall:

In the ASDM main window, choose Configuration > Device Management > Management
Access > SNMP
In the SNMP Management Stations pane, click Add. The Add SNMP Host Access Entry dialog
box appears
In the Interface Name drop-down list, choose the interface on which the SureLog resides
In the IP Address field, enter the SureLog IP address
In the UDP Port field, enter the SureLog UDP port, or retain the default port 162
In the Community String field, enter the SureLog community string. If no community string is
specified for a management station, the value set in the Community String (default) field on
the SNMP Management Stations pane is used
In the SNMP Version drop-down list, choose the SNMP version used by the SureLog
If you have selected SNMP Version 3 in the previous step, in the Username drop-down list,
choose the name of a configured user
To specify the method for communicating with this management station, check the Poll
check boxes
Click OK. The Add SureLog Access Entry dialog box closes.
Click Apply.

With this, the management station is configured and changes are saved to the running
configuration.
Configure SNMP Parameters for Version 3:
SNMP Version 3 allows you to configure additional authentication and privacy options for
more secure protocol operations by means of SNMP server groups and users.
Carry out the following steps:

In the ASDM main window, choose Configuration > Device Management > Management
Access > SNMP
In the SNMPv3 Users pane, to add a configured user or a new user to a group, click Add. To
change user parameters, click Edit. To remove a configured user from a group, click Delete.
When you remove the last user in a group, ASDM deletes the group

Note:
Once a user is created, you cannot change the group to which the user
belongs.

The Add SNMP User Entry dialog box appears

In the Group Name drop-down list, choose the group to which the SNMP user will belong.
The available groups are as follows:
o Auth&Encryption, in which users have authentication and encryption configured
o Authentication_Only, in which users have only authentication configured
o No_Authentication, in which users have neither authentication nor encryption
configured
In the Username field, enter the name of configured user or new user. The username must
be unique for the SNMP server group selected
To have the password encrypted, click the Encrypt Password radio button. If you choose this
option, you must enter the password as MD5 hash value.
Indicate the type of authentication you want to use by clicking the appropriate radio button:
MD5 or SHA
In the Authentication Password field, type the password to use for authentication

Indicate the type of encryption you want to use by clicking the appropriate radio button: DES
or 3DES, or AES
If you chose AES encryption, from the AES Size drop-down list, specify which level of AES
encryption to use: 128 or 192 or 256
In the Encryption Password field, type the password to use for encryption. The maximum
number of characters allowed for this password is 64
Click OK to create a group (if this is the first user in that group), display this group in the
Group Name drop-down list, and create a user for that group. The Add SNMP User Entry
dialog box closes
The SNMPv3 Users pane lists the following information: SNMP Version 3 server group name,
name of the user that belongs to the specified group, encrypted password setting,
authentication setting, encryption algorithm setting, and the AES size setting
Click Apply

With this, SNMP parameters for Version 3 are configured, and the changes are saved to the
running configuration.

Configuring Microsoft ISA Server

SureLog supports Microsoft Internet Security and Acceleration (ISA) Server 2000,2004, &
2006.

Supported ISA Log Formats in SureLog:

SureLog supports W3C extended log file format for Packet filters, ISA Server
Firewall Service, and ISA Server Web Proxy Service. ISA Server File log
format is supported for ISA Server Web Proxy Service only.
Configuring Microsoft ISA Server
1. Open the "ISA Management" console.
2. Select "Monitoring Configuration" from the left-hand side console tree, and then select the
"Logs" folder.
3. In the "Logs" folder, right click on each of the listed component (like Packet filters, ISA Server
Firewall Service, ISA Server Web Proxy Service), select "Properties" and set the log format to
W3C extended log file format.

For more information, refer the Microsoft ISA Server documentation.

You can schedule the import of logs using localhost. You can share the ISA log folder and can
map it to network drive of SureLog server. Then, you can schedule the local import to import

periodically.
In case if you are running SureLog as a service, you should ensure that SureLog has enough
permission to access the file in shared folder.
If you want SureLog to periodically import the ISA Server logs use FTP import provision in
"Remote Host", with the time interval less than the time interval set in the ISA Server.

We recommend Local Import Schedule option over Remote Host FTP Import option.

SureLog handles Dynamic Filename change of ISA Server log files.

Micosoft ISA Proxy server creates log file with new name (with time stamp appended)
everyday. If the Micosoft ISA Proxy log files are to be imported, you do not have to
change the filename daily, instead select the Change filename dynamically option
while importing the logs. Selecting the option displays the the Filename pattern: text
box to enter the time stamp pattern that the Proxy server appends when the Proxy
server creates the log file daily. A help tip icon displays, (when you hover the mouse
on the icon) the mapping of the Timestamp in Filename to the Pattern to be given.
Enter the pattern as required.

Configuring Microsoft ISA Server 2004 & 2006

By default Microsoft ISA Server 2004 & 2006 stores log files into MSDE databases
(Microsoft SQL Desktop Engine).

Log files options placement in ISA Management Console 2004 & 2006

In order to switch log files format from MSDE to W3C please do the following:

Run ISA Management Console

Select Monitoring item on the left pane
Select Logging tab on the center pane
Select Tasks tab on the right pane

You will need to change log files format for Firewall and Web proxy. Please choose
Configure Firewall Logging and Configure Web Proxy Logging items and perform actions
shown below for each.

Log file format settings for Firewall and Web Proxy

Check on File option. In the dropdown list select W3C extended log file format. Enable
logging for this service option should be enabled. If you want to change log files location,
press Options button, another dialog will appear where you can change the log files path,
Compress log files and Delete log files older than should remain disabled. Select Fields tab
and check that all necessary fields are enabled. Please see table below for the list of necessary
fields.

Necessary Fields

Firewall log files

Web proxy log files

Log Date
Log Time
Transport
Client IP and port
Destination IP and port
Action
Protocol
Bytes sent
Bytes sent Delta
Bytes recevied
Bytes recevied Delta
Client Username
Client Agent

Client IP
Client Username
Client Agent
Log Date
Log Time
Bytes Recevied
Bytes Sent
Protocol
URL
Object source
HTTP Status Code

ProxyInspector work only with log files since access to the log files is significantly faster than
access to SQL databases(nevertheless you can import data from existing MSDE databases
using Database | Move data from ISA 2004 & 2006 MSDE databases). ProxyInspector
supports both W3C and ISA Native log files formats. Recommended format is W3C.

Configuring CyberGuard

SureLog supports CyberGuard Firewall v4.1, 4.2, 4.3, 5.1

Configuring CyberGuard
On the Cyberguard Firewall Configuration console do the following.
1.
2.
3.
4.

Click Configuration and select Alerts and Activities.

Select Activity Reports in WebTrends format to send it via syslog.
Select facility and severity.
Type the SureLog IP to which CyberGuard should write the syslog information.

You can select WebTrends log format for Audit logs too. Either you can send the syslogs to
the default listener ports (514 or 1514) of SureLog

Configuring Cyberoam
SureLog supports Cyberoam Firewall Version: 9.5.4 build 66 onwards
Configuring Cyberoam
On the Cyberoam Firewall Web Admin Console do the following.
1. Select System > Logging > Manage Syslog
2. Specify unique name for Syslog server
3. Specify IP address and port of the syslog server. Cyberoam will send logs to the configured IP
address. The default port is 514
4. Select Facility. Facility indicates the source of a log message to the syslog server. You can
configure Facility to distinguish log messages from different Cyberoam Firewalls
5. Select the Severity level of the messages logged. Severity level is the severity of the message
that has been generated

Cyberoam logs all messages at and above the logging severity level you select.
For example, select ERROR to log all messages tagged as ERROR, as well
as any messages tagged with CRITICAL, ALERT and EMERGENCY
and select DEBUG to log all messages.
Note: SureLog requires the severity level as 'INFORMATIONAL'.

6. Click Create to save the configuration.

Also you need to enable logging on each rule to monitor allowed and denied traffic. Please
follow the below steps.

Click Log Traffic to enable/disable traffic logging for the rule. Ensure firewall rule logging is in
On/Enable state in the Logging Management. Refer to Cyberoam Console Guide, Cyberoam
Management for more details.
To log the traffic permitted and denied by the firewall rule, you need to keep On/Enable
state in the firewall rule logging from the Web Admin Console > Firewall rule and from the
Telnet Console > Cyberoam Management.
Specify full description of the rule, displays full description of the rule, modify if required.

Click Save to save the rule.

Configuring D-Link Devices

SureLog supports Cyberoam Firewall Version: 9.5.4 build 66 onwards
Configure D-Link Devices
To configure D-Link device to forward syslogs to SureLog, carry out the procedure given
below.
1. Navigate to System > Log and Event Receivers > Add

2. Select 'Syslog Receiver' and configure the following:

Name: syslog_client

IP Address: 192.168.1.30 (In this case IP address of SureLog host machine is

192.168.1.30)

Facility: local0 (default)

Port: 514 (default)

3. Select Severity filter

4. Configure SNMP
Navigate to System > Log and Event Receivers > Add again to add a SNMP2c
Event receiver as given below in the image:

Name: SNMP_Trap
IP Address: 192.168.1.30 (In this case IP address of SureLog host machine is
192.168.1.30)
Port: 162
Repeat Count: 0
Community: public

5. If syslog count goes beyond 2000 logs/second, navigate to System > Log and Event
Receivers > Advanced Settings

Configuring Fortinet Firewalls

SureLog supports the following versions of FortiGate:

FortiOS - v2.5, 2.8, 3.0 and 5.0

Fortinet - 50,100, 200, 300, 400, 800

Fortigate - 1000, 5000 series

Firmware v2.26 or later is required

Virtual Firewall (Virtual Domain) logs

There is no separate configuration required in SureLog for receving logs from Virtual
Firewalls of the Fortinet physical device. For configuring High Availablity for FortiGate
Firewall with vdoms, refer the procedure given below.

Prerequisite to support vdom

In order to get the vdom support for Fortigate Firewall, ensure that the log format selected is
Syslog instead of WELF.

If SureLog is unable to receive the logs from the Fortigate after configuring from UI, please
carryout the steps to configure it through command prompt
To determine the version number of the Fortigate that you are running, use the command: get
system status
Configuring the FortiGate Firewall
Follow the steps below to configure the FortiGate firewall:
1. Log in to the FortiGate web interface
2. Select Log & Report > Log Setting or Log & Report > Log Config > Log Setting
(depending on the version of FortiGate)
3. If you want to export logs in WELF format:

Select the Log in WebTrends Enhanced Log Format or the WebTrends

checkbox (depending on the version of FortiGate)

Enter the IP address of the syslog server

Choose the logging level as Information or select the Log All Events checkbox

(depending on the version of FortiGate)

4. If you want to export logs in the syslog format (or export logs to a different configured
port):

Select the Log to Remote Host option or Syslog checkbox (depending on the
version of FortiGate) Syslog format is preffered over WELF, in order to support
vdom in Fortigate firewalls.

Enter the IP address and port of the syslog server

Select the logging level as Information or select the Log All Events checkbox
(depending on the version of FortiGate)

Select the facility as local7

5. Click Apply

Do not select CSV format for exporting the logs.

Configuring RuleSets for Logging Traffic

Follow the steps below to configure rulesets for logging all traffic from or to the FortiGate
firewall:
1. Select Firewall > Policy
2. Choose a rule for which you want to log traffic and click Edit. You can configure any traffic
to be logged separately if it is acted upon by a specific rule.
3. Select the Log Traffic checkbox
4. Click OK and then click Apply

Repeat the above steps for all rules for which you want to log traffic.
For more information, refer the Fortinet documentation.

If SureLog is unable to receive the logs from the Fortigate after configuring from UI,
please carryout the steps to configure it through command prompt
(For the models like Fortigate 60, Fortigate 200, etc.)
Please follow the steps to enable the device to send the logs to SureLog.

Start CLI on the Fortigate firewall.

Execute the following commands to enable Syslog:

Enable syslog:
config log syslogd setting<cr>

set server (ip address)<cr>

set status enable<cr>
end<cr>

Execute the following commands to enable Traffic:

Enable traffic:
config log syslogd filter<cr>
set severity information<cr>
set traffic enable<cr>
set web enable<cr>
set email enable<cr>
set attack enable<cr>
set im enable<cr>
set virus enable<cr>
end <cr>
Type "show log syslogd filter" to list all available traffic.

Stop and start the SureLog application/service and check if you are able to receive the
Fortigate Firewall packets in SureLog.
In Fortigate OS v5.0, there is an option to send syslog using TCP. If SureLog is not getting
logs from Fortigate, please check Fortigate OS version. If it is v5.0 or above, ensure option
'reliable' is disabled in syslog config. Then it will use UDP.
Syslog setting can only be done through CLI mode. There is no option in UI.
Ref :http://docslegacy.fortinet.com/fgt/handbook/cli_html/FortiOS%205.0%20CLI/config_log.16.14.html

Configure/Enable SNMP Protocol for Fortigate Firewall device

Using CLI Console:
Ensure SNMP is enabled in Fortigate box by using the below command:

get system snmp sysinfo

If it is disabled, enable it by using the below commands:

config system snmp sysinfo
set status enable
end
To enable the SNMP Manager running in SureLog to make queries to SNMP Agent running
in the firewall:
config system snmp
edit <SNMP Community ID>
config hosts
edit <SNMP Community ID>
set interface <Interface through which SureLog is connected to Firewall>
set ip <SureLog machine IP address>
end
end
To ensure the source interface that connects SureLog to Firewall device allows SNMP traffic,
execute the below command:
get system interface <interface name>
To allow SNMP traffic through the source interface use the below command:
config system interface internal
set allowaccess <proto1 proto2 SNMP>
end

Using Web UI:

Log in to the FortiGate web interface
Go to System > Config > SNMP v1/v2c
Select Enable for the SNMP Agent
Enter Description, Location and Contact information.
Click Apply.

If you already have a SNMP community, edit it to provide SureLog (SNMP Manager)
IP address. Also specify the source interface through which SureLog connects to
Firewall.

If you want to add a new SNMP community, click 'Create New' button and enter
Community Name. Provide SureLog (SNMP Manager) IP address and the source
interface through which SureLog connects to Firewall.

To activate SNMP traffic in the source interface:

Go to System > Network > Interface.
For the interface allowing SNMP traffic, select Edit.
Select SNMP for Administrative Access.
Select OK.
Configure Fortigate in High Availability Mode:
In case of Fortigate Firewalls , device_id is considered as resource name in SureLog. In the
High Availability mode, eventhough both active and standby Firewalls have the same name,
the device_id will be different. So, SureLog displays them as two devices. To avoid this, you
can configure the device name (devname) of standby Firewall as device_id of active Firewall.
Syslogs from the FortiGate Firewall will transmit the serial number of the device as the value
of device_id field and the host name as the value of the device name (devname) field.
Example:
Active Firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4
device_id=FGT80G3419623587 log_id=0021000002
Standby Firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587
device_id=FGT80G4534717432 log_id=0022000003

Configuring WatchGuard Firebox

SureLog supports both WELF and native log formats of WatchGuard Firebox Models v 5.x,
6,x, 7.x, 8.x, 10.x, 11, Firebox X series, x550e, x10e, x1000, x750e, x1250e Core and
Fireware XTM v11.3.5

Virus reports are supported only for WatchGuard v10.x

For analysing native logs, the configuration is straight forward, you just need to forward the
native logs from WatchGuard to the syslog listener ports of SureLog.

By default, WatchGuard Firewall logs do not contain the bytes information. It just has the size
of the packet and header. So one needs to do the following to enable them,

For version 7.3 , you need to go into General Setting area of your proxy and select
the check box Send log message with summary of each transaction.

For version 7.2.1, you need to select the check box Log accounting/auditing
information in your proxy service.

For version 8.x , you need to select the check box Send a log message with
summary information for each transaction in your proxy service.

For version 10.X,

For External and VPN interface based logging:

Open Policy Manager.

Select the Setup > Logging > Performance Statistics menu,

enable check box and save configuration.

For proxy level tracking:

Edit the proxy action and select the check box Turn on logging for
reports for each desired proxy and save configuration

Device configuration for Firebox X1250e, XTM 11 series

Send Log Information to a Syslog Host

To configure the Firebox or XTM device to send log messages to a syslog host, you must
have a syslog host configured, operational, and ready to receive log messages.

In Policy Manager of WatchGuard device, select System > Logging.

The Logging page appears.

Select the Syslog Server tab.

Select the Enable Syslog output to this server check box.

In the Enable Syslog output to this server text box, type the IP address of the
syslog host.

In the Settings section, to select a syslog facility for each type of log message, click
the adjacent drop-down lists.
If you select NONE, details for that message type are not sent to the syslog host.

Click Save.

For more details, refer the links given below:

http://www.watchguard.com/forum/default.asp?action=9&boardid=15&read=44135&fid
=671

http://www.watchguard.com/help/docs/webui/11/en-US/index_Left.html#CSHID=enUS%2Flogging%2Fsend_logs_to_syslog_host_web.html|StartTopic=Content%2FenUS%2Flogging%2Fsend_logs_to_syslog_host_web.html|SkinName=Web%20UI%20%2
8en-US%29

Bytes Information for WatchGuard:

Please follow the steps and configure the same in the Watchguard device to resolve the
issue.

Ensure that your Watch Guard policies are created with Proxy Action and then follow
the steps

Action > Proxies and add the new policy as per your requirement

Please follow the Steps to enable bytes information in the logs:

For External and VPN interface based logging:
Setup > Logging > Performance Statistics. Enable check box and save configuration.
For proxy level tracking, edit the proxy action and select 'Turn on logging for reports'
for each desired proxy and save configuration.

Please refer the link of the forum post reply for your reference.
http://www.watchguard.com/forum/default.asp?action=9&boardid=2&read=19115&fid=
43

Please refer WatchGuard website/WatchGuard forums for detailed information.

You can also configure WatchGuard to export the logs in WebTrends Enhanced Log File (WELF)
format, refer WatchGuard documentation for configuring WELF format in WatchGuard Firewalls.

Configuring Snort
1. Shutdown the Snort server, if it is running.
2. Login as root if you installed Snort in Linux machine.
3. In snort.conf file (available at /etc/snort/snort.conf in linux and
c:\Snort\bin\snort.conf in windows) uncomment the line that contains output
information_syslog and enter the logging facility and the desired detail level (for
example: output alert_syslog:host=hostname:port, LOG_AUTH LOG_ALERT)
4. Add the line config show_year to ensure that year has been included in the alerts
generated by Snort.
5. Save and exit the snort.conf file.
6. In Linux(only) edit the syslog.conf file in the /etc directory.
7. Append *.* @<server_name> at the end, where <server_name> is the name of the
machine on which SureLog is running.
8. Save the configuration and exit the editor.
9. Restart the syslog service on the host using the command:
/etc/rc.d/init.d/syslog restart

10. Restart the Snort server with -M option.

Configuring Sidewinder
1. Open /etc/sidewinder/auditd.conf
2. Add the following line at the end of the file, to configure syslog to use the Sidewinder
Export Format (SEF):

syslog (local0 filters[NULL] sef)

You can use local0 through local7 as names for the facility; they are predefined in
syslogd.
3. Save the configuration and exit the editor.
4. Open /etc/syslog.conf
5. Append local0.* @<server_name> at the end, where facility local0 matches the facility
mentioned in step 2 and <server_name> is the name of the machine where SureLog is
running.
6. Save the configuration and exit the editor.
7. Look up syslogs process ID by entering the following command:

pss syslog
Implement the changes by restarting the syslogd and auditd processes, using the following two
commands:

kill -HUP <syslog process ID>

cf server restart auditd

Configuring SonicWALL
Configuring SonicWALL To Direct Log Streams
1. Log in to the SonicWALL appliance
2. Click Log on the left side of the browser window

3. Select the Log Settings tab

4. Type the IP address of the SureLog server in the Syslog Server text box
5. Click Update at the bottom of the browser window

Configuring SonicWALL Logging Level

1. Log in to the SonicWALL appliance
2. Click Log on the left side of the browser window
3. Select the View tab
4. Select the Logging Level as Informational from the combo box
5. Click Update at the bottom of the browser window

For more information, refer the SonicWALL documentation in the URL given below:
http://help.mysonicwall.com/sw/jpn/2907/ui2/42600/Help/42_Log_Reporting.html

Whenever you create an access rule in the SonicWALL Firewall, ensure that 'Enable
Logging' check box is selected for the particular rule. For more information refer the URL
http://www.techrepublic.com/article/how-do-i-configure-firewall-security-on-a-sonicwalldevice/6124340
Restart the SonicWALL appliance for the changes to take effect.

Configuring Juniper Devices

Configuring to send Syslog Messages from SRX device

Using J-Web
1. Log in to the Juniper SRX device.
2. Click Configure > CLI Tools > Point and Click CLI in the Juniper SRX device.
3. Expand System and click Syslog.
4. In the Syslog page, click Add New Entry placed next to 'Host'.
5. Enter the IP address of the remote Syslog server (i.e., SureLog).
6. Click Apply to save the configuration.

Using CLI
1. Log in to the Juniper SRX device CLI console.
2. Execute the following command:
user@host# set system syslog host <IP address of the remote Syslog server (i.e., SureLog)> any any

To enable logging for Security policy:

Using J-Web

Select Configure > Security > Policy > FW Policies.

Click on the policy for which you would like to enable logging.

Navigate to Logging/Count and in Log Options, select Log at Session Close Time.

Using CLI
1. Log in to the Juniper SRX device CLI console.
2. Execute the following command:

user@host# set security policies from-zone trust to-zone untrust policy permit-all
then log session-close

Juniper Networks IDP Device (version IDP 50)

Configuring to send Syslog Messages directly from Sensor
1. Log in to the Juniper Networks IDP device.
2. Click Device > Report Settings > Enable Syslog in the Juniper Networks IDP device.
3. Select the Enable Syslog Messages check box.
4. Click Apply to save the changes.

This configuration will generate syslogs for:

All attacks

Policy load

Restart

This configuration will not provide:

Profiler logs

Device connect/disconnect logs

Interface UP/DOWN logs

Logs for Bypass State Changes

Configuring to send Syslog Messages from NSM

1. Log in to NSM.
2. Click Action Manager > Action Parameters > Define a Syslog Server in the NSM.
3. Click Action Manager > Device Log Action Criteria > Category in the NSM.
4. Select Category = all and Actions = syslog enable
5. Click Apply to save the changes.

This configuration will generate syslogs for:

All attacks

Policy load

Restart

Profiler logs

Device connect/disconnect logs

This configuration will not provide:

Interface UP/DOWN logs
Logs for Bypass State Changes

Configuring 3Com
Obtaining Log Information
To create a SureLog firewall profile, you must specify the log file location. 3Com firewalls do
not create a log file. Instead, they direct a log stream to a syslog server which writes the log
information to a file.

Note: The SureLog Server(s) can be anywhere on the Network.

X-Family Remote SysLog Configuration

To ensure that all the relevant syslog traffic is sent to the SureLog, the X-family device needs
configuration on several pages of the LSM. Enable remote syslog on the X-Family device,
and configure it with the information required to communicate with the SureLog Server(s).
1. Open a web browser browse to X-family device internal interface.
2. Login and navigate to System > Configuration > Syslog Servers.
3. Configure all four logs to be sent to the SureLog.

4. Click Apply.
5. Navigate to IPS > Action Sets > Notification Contacts > Remote System Log and
complete the form as shown below.

6. Click Add to table below.

7. Click Apply.
8. Navigate to Firewall > Firewall Rules and click Create Firewall Rule. Complete the
form as shown below.

Note that later versions of TOS do not have separate checkboxes for Enable local logging
and Enable syslog logging they just have a checkbox for Enable logging which enables
both.
9. Click Create. A new rule will be created at the bottom of the table.
10. Click Create Firewall Rule. Complete the form as shown below.

11. Click Create. A new rule will be created at the bottom of the table.

Please note that these last two rules must remain the last two rules in the Firewall Rule table.
They replace two implicit hidden rules that are always present but do not support logging.

12. Click the pencil icon next to the first rule in the Firewall Rule table. This will open the rule
for edit, as in the example below.

13. Click the Enable syslog logging checkbox as shown, then click Save.
14. Repeat steps 12 and 13 for all the Firewall Rules until syslog logging is enabled on them all.

Troubleshooting Operation with SureLog

The SureLog home page shows the Dashboard which is an overview of all the devices that
are being monitored, showing traffic levels and security events that have been reported. The
X-family device should appear here. If it does not, see the troubleshooting section below.

The following is a list of things to check if the SureLog does not operate correctly:
1. Check the syslog server settings on the X-family device are configured to point to the IP
address of the SureLog Server.
2. Check that the SureLog Server is listening on the same port (usually UDP 514) as the Xfamily syslog client is sending on.
3. Check that any firewall device between the X-family and the SureLog Server has a rule
permitting traffic for UDP port 514.
4. Check that there is no syslog daemon running on the same PC as the SureLog Server or
it will take over port 514 which will stop the syslog data from going to the SureLog Server.
5. Traffic through the X-family device will only be counted if it is subject to a Firewall Rule and
syslog logging is enabled for that rule. For example traffic will not be counted if:

- it is passing between hosts in the same security zone

- it is passing over a VPN or GRE tunnel to a host which is in the same zone as is used to
terminate the VPN or GRE tunnel.
Events will not be generated for hidden firewall rules. At the time of writing, there are two
implicit hidden firewall rules that are not displayed but act as if they were the last two rules in
the Firewall Rule table. These are:
Permit from this-device to ANY zone ANY protocol
Block from ANY zone to ANY zone ANY protocol
These rules do not generate log entries or syslog messages.
To enable the SureLog to monitor events that would be generated by these rules, two explicit rules
must be created as the last two rules in the Firewall Rule table and syslog logging must be enabled
on both of them.

Configuring the Syslog Service on a UNIX Host

1. Login as root user and edit the syslog.conf file in the /etc directory.
2. Append *.*<space/tab>@<server_name> at the end, where <server_name> is the
name of the machine on which SureLog is running.
3. Save the configuration and exit the editor.
4. Edit the services file in the /etc directory.
5. Change the syslog service port number to 514, which is one of the default listener
ports of SureLog. But if you choose a different port other than 514 then
remember to enter that same port when adding the host in SureLog.
6. Save the file and exit the editor.
7. Restart the syslog service on the host using the command:
/etc/rc.d/init.d/syslog restart

For configuring syslog-ng daemon in a Linux host, append the following entries
destination SureLog{ udp("<server_name>" port(514)); };
log { source(src); destination(SureLog); };

at the end of /etc/syslog-ng/syslog-ng.conf, where <server_name> is the ip address

of the machine on which SureLog is running.
Configuring the Syslog Service on a HP-UX/Solaris/AIX Host
1. Login as root user.
2. Edit the syslog.conf file in the /etc directory as shown below.
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug <tabseparation>@<server_name>;

For Solaris host, it is just enough to include *.debug<tabseparation>@<server_name> in the syslog.conf file.
3.
where, <server_name> is the name of the machine where SureLog server or
Service is running. Just ensure that only a tab separation alone is there in
between *.debug and @<server_name>.
4. Save the configuration and exit the editor.
5. Edit the services file in the /etc directory.

6. Change the syslog service port number to 514, which is one of the default listener
ports of SureLog. But if you choose a different port other than 514 then
remember to enter that same port when adding the host in SureLog.
7. Start the syslog daemon running on the OS. You need to just execute the below
command.
Usage : /sbin/init.d/syslogd {start|stop}

Command to be executed :
(for HP-UX) /sbin/init.d/syslogd start
(for Solaris) /etc/init.d/syslog start
(for IBM AIX) startsrc -s syslogd

Configuring IPCop Firewalls

Configuring IPCop To Send Audit Data To SureLog
1. Open the Log Settings Administrative Web Page
2. Log Settings: This page allows you to control how the logs are displayed, specify the
detail level and how long the log summaries are kept for, and control remote logging.
3. Click the Save button after making any changes to save the settings and restart the
syslogd daemon.
4. Sort in reverse chronological order: Check the Sort in reverse chronological order
checkbox if you want to see recent events at the top of a page, rather than at the bottom.
5. Lines per page: Select the number of log entries to display on a page from the Lines per
page drop down menu. This can vary from between 15 and 500. Be aware that a large
number of lines will take longer to process and display on slower hardware.
6. Keep summaries for n days: You can choose how long the logwatch summaries are kept
on IPCop. If you are short of disk space, reduce the number of days.
7. Detail level: You can choose between Low, Medium and High levels of detail in the
logwatch summaries from the Detail level drop down menu.
8. Remote logging: Select the Enabled checkbox to allow logging to a remote syslog
server.
9. Specify the hostname or hostname.domainname or IP Address of the remote server in the
Syslog server field provided. All logs will be forwarded to that server.
10. Remember to click the Save button after making any changes.

Configuring Stonesoft Firewall

Configuring Stonesoft firewall to send syslog to SureLog
1. Stop the Stonesoft log server service
2. Open the LogServerConfiguration.txt in the Stonesoft installation directory
3. Change the below attributes
Attributes

SYSLOG_EXPORT_FORMAT

SYSLOG_PORT

SYSLOG_SERVER_ADDRESS

Values
Set this attribute
to CEF
Default UDP port
is 514, retain it
IPv4 address of
SureLog server

To set the Logging options for Access rules

1. Start the Stonesoft log server service
2. Login to the Stonesoft firewall's GUI
3. Enable the Log Accounting Information against the rules. This provides both open and
connection logs
4. Go to IPV4 tab and edit the access rules
5. Double-click the Logging cell. The logging options dialog opens.
6. Set the options as explained in the table below
Option
No log

Normal log
Connection
Closing
Log Accounting

Description
No log entries are created when connections are closed
Both connection opening and closing are logged, but no
information is collected on the volume of traffic

Both connection opening and closing are logged and

information on the volume of traffic is collected. This
option is not available for rules that issue Alerts.

Information

If you want to create reports that are based on traffic

volume, you must select this option for all rules that allow
traffic that you want to include in the reports
The Stonesoft firewall will now send syslog data to SureLog.
How to enable IPS logging?
Change SYSLOG_EXPORT_IPS attribute value to YES. Default setting is: NO
SYSLOG_EXPORT_FW=YES
SYSLOG_EXPORT_IPS=NO

Restart the log server.

How to enable URL logging?
To enable deep inspection on access rule with HTTP protocol,
Right click on the Action Cell, select Edit Options > under Connection Tracking tab, select
'Override Inspection Options Set With Continue Rules' and select 'Deep Inspection'.
URL logging in Stonesoft firewall is controlled with 'Logging of accessed URLs' setting on
HTTP service protocol parameters. If you enable this, accessed URLs are logged.
If the HTTP connection matches access rule that uses HTTP service where URL logging is
enabled, but deep inspection is disabled, the URL is written to 'Information Message' field on
'HTTP_URL-Logged' type log entry
If the HTTP connection matches access rule that uses HTTP service with URL logging
enabled, and deep inspection is enabled, the URL is written to two fields 'HTTP Request Host'
and 'HTTP Request URI'. First one contains the access host name (e.g., www.example.com),
and the second one contains the URI accessed (e.g., /something/here/page.php), which means
that accessed address was www.example.com/something/here/page.php
The 'Information Message' field is firewall log entry field should be imported in eScope
configuration as INFO_MSG field is one of the fields defined in syslog config file:
SYSLOG_CONF_FILE=${SG_ROOT_DIR}/data/fields/syslog_templates/default_syslog_co
nf.xml
<datatypeinfo>
<exportable_field_list>
<version> 1 </version>
<name>Export list - Default</name>
<fieldreflist>
...
<fieldref> INFO_MSG </fieldref>
...
</fieldreflist>
</exportable_field_list>
</datatypeinfo>
'HTTP Request Host' and 'HTTP Request URI' fields are IPS log entry fields generated by
deep inspection. These are currently not set as exported fields in eScope configuration, but
can be added as additional exportable fields in default_syslog_conf.xml file's list of
exportable fields:
<fieldref> HTTP_REQUEST_HOST </fieldref>
<fieldref> HTTP_REQUEST_URI </fieldref>
Configuring Palo Alto

Configure Palo Alto Syslog Server Setup

1. Select the Device tab and add the Syslog server profile
2. Add the profile to log settings for informational level
3. Apply log forwarding to utilize new profile
4. Enable the Security policy to forward logs using the new Syslog profile

Configuring Cisco IronPort Proxy Server

For Cisco IronPort v and above carry out the following configuration:

Log in to the UI

Click 'System Administration' tab

On the left side pane, select 'Log Subscriptions'

Click whichever log subscription you want to forward to SureLog

Select logging level as 'informational'

In the same window, under 'retrieval method', select the option 'Syslog Push' and mention the IP
address of the SureLog sever and select the port as UDP

Configuring Squid Proxy Server

For Squid v2.7 and above carry out the following configuration:
Carry out the following changes in the services file:

Edit the services file in the /etc directory

Check the port in the syslog server settings UDP 514/1514 is UP

Save the file and exit the editor

Device Side Configuration

Open the squid.conf file and find the below command:

access_log <location of file> squid
Append the new command after the above command:
access_log udp://<SureLog IP Address>:514/1514 squid

Restart the Squid Service

For Squid v2.6 carry out the following configuration:

Device Side Configuration

Open the squid.conf file and find the below command:

access_log <location of file> squid
Append the new command after the above command:
access_log syslog squid

Restart the Squid Service

Carry out the following changes in the syslog.conf file:

Login as root user and edit the syslog.conf/rsyslog.conf file in the /etc directory

Append *.*<space/tab>@<server_name> at the end, where <server_name> is the name

of the machine on which SureLog is running

Save the configuration and exit the editor

Carry out the following changes in the services file:

Edit the services file in the /etc directory

Check the port in the syslog server settings UDP 514/1514 is UP

Save the file and exit the editor

Restart the syslog service on the host using the command:

/etc/rc.d/init.d/syslog restart

Configuring syslog-ng daemon in a Linux host

Append the following entries at the end of syslog-ng.conf file in the /etc/syslog-ng/
directory:

destination surelog { udp("<server_name>" port(514)); };

log { source(src); destination(surelog); };

where <server_name> is the IP address of the machine on which SureLog is running.

Restart syslog service

Configuring the Syslog Service on VMware

All ESX and ESXi hosts run a syslog service (syslogd) which logs messages from the
VMkernel and other system components to a file.
To configure syslog for an ESX host:
Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX
host. To configure syslog for an ESX host, you must edit the /etc/syslog.conf file.
To configure syslog for an ESXi host:
On ESXi hosts, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to
configure the following options:
o
o

Log file path: Specifies a datastore path to the file syslogd logs all
messages.
Remote host: Specifies a remote host to which syslog messages are
forwarded. In order to receive the forwarded syslog messages, your
remote host must have a syslog service installed.
Remote port: Specifies the port used by the remote host to receive syslog
messages.

To configure syslog using vSphere CLI command :

For more information on vicfg-syslog, refer the vSphere Command-Line Interface Installation
and Reference Guide.
To configure syslog using vSphere Client:
1.
2.
3.
4.

In the vSphere Client inventory, click on the host.

Click the Configuration tab.
Click Advanced Settings under Software.
Select Syslog in the tree control.

5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file
where syslog will log messages. If no path is specified, the default path is
/var/log/messages.

The datastore path format is [<datastorename>] </path/to/file> where the path is relative to
the root of the volume backing the datastore.
Example: The datastore path [storage1] var/log/messages maps to the path /
vmfs/volumes/storage1/var/log/messages.
6. In the Syslog.Remote.Hostname text box, enter the name of the remote host
where syslog data will be forwarded. If no value is specified, no data is forwarded.
7. In the Syslog.Remote.Port text box, enter the port on the remote host where
syslog data will be forwarded. By default Syslog.Remote.Port is set to 514, the
default UDP port used by syslog. Changes to Syslog.Remote.Port only take effect
if Syslog.Remote.Hostname is configured.
8. Click OK.

Troubleshooting Operation with SureLog

The following is a list of things to check if the SureLog does not operate
correctly:

1. Check the syslog server settings on the X-family device are configured to point to the IP
address of the SureLog Server.
2. Check that the SureLog Server is listening on the same port (usually UDP 514) as the X-family
syslog client is sending on.
3. Check that any firewall device between the X-family and the SureLog Server has a rule
permitting traffic for UDP port 514.
4. Check that there is no syslog daemon running on the same PC as the SureLog Server or it
will take over port 514 which will stop the syslog data from going to the SureLog Server.
5. Traffic through the X-family device will only be counted if it is subject to a Firewall Rule and
syslog logging is enabled for that rule. For example traffic will not be counted if:
- it is passing between hosts in the same security zone
- it is passing over a VPN or GRE tunnel to a host which is in the same zone as is used to
terminate the VPN or GRE tunnel.
6. Events will not be generated for hidden firewall rules. At the time of writing, there are two
implicit hidden firewall rules that are not displayed but act as if they were the last two
rules in the Firewall Rule table. These are:
Permit from this-device to ANY zone ANY protocol
Block from ANY zone to ANY zone ANY protocol
These rules do not generate log entries or syslog messages.
To enable the SureLog to monitor events that would be generated by these rules, two explicit
rules must be created as the last two rules in the Firewall Rule table and syslog logging must
be enabled on both of them.

Configuring Audit Policies

Planning is an important step in the auditing process. Administrators should be selective in
determining the objects to audit. Auditing creates system overhead, therefore auditing too
many objects will cause the security log to become large and difficult to manage.
Before audit records are logged, an auditing policy must be established. The policy defines
the types of events that will be audited for a specific user or group of users. However,
enabling the auditing policy is only part of the work associated with setting up auditing.
Auditing implementation has several steps:
1.
2.
3.
4.
5.

Enable auditing on the domain controller.

Select objects to audit, and set the system access control lists (SACL) for the objects.
Configure the event log.
Protect the audit data from unauthorized access or modification.
Review and maintain the audit logs.

This subsection deals only with steps one and two; all other aspects of audit management are
addressed in the Audit Management subsection of this document.
An auditing policy specifies categories of security-related events that must be audited. When
Windows 2000 is first installed, all auditing categories are turned off. By turning on various
auditing event categories, the administrator can implement an auditing policy that suits the
security needs of the organization.
Auditing can be enabled on the Domain Controller as follows:
1.
2.
3.
4.
5.

Log on using an administrator account.

Open the Active Directory Users and Computers tool.
Right-click the container holding the domain controller and click Properties.
Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
In the Group Policy window, expand Computer Configuration, navigate to
Windows Settings, to Security Settings, and then to Local Policies.
6. Select Audit Policy.

7. As an example, double-click Audit Directory Service Access policy and choose to

enable or disable successful or failed access attempts.

8. Click OK. It will take a few minutes for the change to take effect, and other domain
controllers will receive the change at the next regular replication interval.
Enabling Object Auditing
If audit access to objects is chosen as part of the audit policy, either the audit directory service
access category (for auditing objects on a domain controller), or the audit object access
category (for auditing objects on a member server) must be also turned on. Once the correct
object access category has been turned on, each individual object's Properties can be used to
specify whether to audit successes or failures for the specific access request to each group or
user.
Enabling Auditing on Directory Objects
The administrator can set an auditing SACL for a directory object using the following
procedure:
Warning: The SeSecurityPrivilege allows a user to set SACLs on objects. Administrators
must ensure that this privilege is not assigned to non-administrative users.
1. Log on using an administrator account.
2. Open the Active Directory Users and Computers tool.

3. On the View menu, select Advanced Features.

4.
5.
6.
7.
8.

Locate the container for the object, right-click it, and then click Properties.
Click the Security tab.
Click Advanced, and click the Auditing tab.
Click the Add button.
Select a security principle name and click OK.

9. A dialog box will appear with two tabsObject and Properties.

10. The Object tab allows the selection of generic and control rights to audit.
11. The Properties tab allows selection of property accesses to audit.
12. Use the pull-down lists to make selections.
13. Click each tab that needs to be modified, and select the check boxes for the accesses or
properties to be audited.
14. Check the Apply . . . box and then click OK.

15. In the Access Control Settings window, choose whether the choices will be inherited
from the parent container to this object. If yes, then select the Allow inheritable
auditing entries from parent to propagate to this object check box.

16. Click Apply, and then click OK.

17. In the Properties window, decide whether auditing permissions must be inherited
from the parent container to propagate this object. If yes, then check the appropriate
box.

18. Click Apply and then click OK.

Enabling and editing Audit on Files and Folders

To set, view, change, or remove auditing for a file or folder:

1. Open Windows Explorer, and then locate the file or folder to audit.
2. Right-click the file or folder, select Properties, and then click the Security tab.

3. Click Advanced, and then click the Auditing tab.

4. To set up auditing for a new group or user, click Add.
5. In Name, type the user name, or select a user from the list and then click OK to
automatically open the Auditing Entry dialog box.

6. In the Auditing Entry dialog box, under Access click Successful, Failed, or both to
select the events to be audited for this user and then check the Apply these auditing
entries to objects and/or containers within this container selection box if it is
necessary to propagate the changes to sub-containers. Click OK to close the Auditing
Entry dialog box.

7. To view or change auditing for an existing group or user, simply click on the name,
and then click View/Edit.
8. To remove auditing for an existing group or user, click the name, and then click
Remove.
Note:
If necessary, in the Auditing Entry dialog box, select where auditing is to take place in the
Apply onto list. The Apply onto list is available only for folders.

Before Windows 2000 will audit access to files and folders, the Audit Object Access
setting in the Audit Policy must be enabled. If not, an error message will appear when
auditing is set up for files and folders, and no files or folders will be audited. Once
auditing is enabled, view the security log in Event Viewer to review successful or failed
attempts to access the audited files and folders.
Reference http://technet.microsoft.com/en-us/library/dd277403.aspx

WMI Errors

Error Code

Cause

Solution

0x80070005 Scanning of the Windows workstation failed due to one of the following
reasons:
The login name and password
Check if the login name and password are
provided for scanning is invalid
entered correctly
in the workstation
Remote DCOM option is
disabled in the remote
workstation

Check if Remote DCOM is enabled in the

remote workstation. If not enabled, then
enable the same in the following way:

1. Select Start > Run

2. Type dcomcnfg in the text box and
click OK
3. Select the Default Properties tab
4. Select the Enable Distributed COM in
this machine checkbox
5. Click OK

To enable DCOM on Windows XP hosts:

1. Select Start > Run
2. Type dcomcnfg in the text box and
click OK
3. Click on Component Services >
Computers > My Computer
4. Right-click and select Properties
5. Select the Default Properties tab
6. Select the Enable Distributed COM in
this machine checkbox
7. Click OK
User account is invalid in the
target machine

Check if the user account is valid in the

target machine by opening a command
prompt and executing the following
commands:
net use \\<RemoteComputerName>\C$
/u:<DomainName\UserName>
"<password>"
net use
\\<RemoteComputerName>\ADMIN$
/u:<DomainName\UserName>
"<password>"

If these commands show any errors, the

provided user account is not valid on the
target machine.
0x80041003 The user name provided for
scanning does not have
sufficient access privileges to
perform the scanning
operation. Probably, this user
does not belong to the
Administrator group for this
host machine

Move the user to the Administrator Group of

the workstation or scan the machine using an
administrator (preferably a Domain
Administrator) account.

0x800706ba A firewall is configured on the

remote computer. Such
exceptions mostly occur in
Windows XP (SP 2), when the

1. Disable the default Firewall in the

Windows XP machine:
1. Select Start > Run
2. Type Firewall.cpl and
click OK

default Windows firewall is

enabled.

3. In the General tab, click Off

4. Click OK
2. If the firewall cannot be disabled,
launch Remote Administration for
administrators on the remote
machine by executing the following
command:
netsh firewall set service
RemoteAdmin

After scanning, you can disable

Remote Administration using the
following command:
netsh firewall set service
RemoteAdmin disable

0x80040154

1. WMI is not available in

the remote windows
workstation. This
happens in Windows
NT. Such error codes
might also occur in
higher versions of
Windows if the WMI
Components are not
registered properly.
2. WMI Components are
not registered

1. Install WMI core in the remote

workstation. This can be downloaded
from the Microsoft web site.
2. Register the WMI DLL files by
executing the following command in
the command prompt:
winmgmt /RegServer

0x80080005 There is some internal

Restart the WMI Service in the remote
workstation:
execution failure in the WMI
Service (winmgmt.exe) running
1. Select Start > Run
in the host machine. The last
2. Type Services.msc and click OK
update of the WMI Repository
3. In the Services window that opens,
in that workstation could have
select Windows Management
failed.
Instrumentation service.
4. Right-click and select Restart
For any other error codes, refer the MSDN knowledge base

Adding Cisco Devices

The following configuration needs to be done in Cisco Devices (Switches and Routers),
before adding them in SureLog, for them to send syslogs to SureLog and generate reports.

Configuring the Syslog on Cisco Switches

1. Login to the switch.
2. Go to the config mode.
3. Do the below configuration to configure the switch (here, we have used Catalyst 2900) to
send the logs to the SureLog server:
<Catalyst2900># config terminal
<Catalyst2900>(config)# logging <SureLog IP>

For the latest catalyst switches

Catalyst6500(config)# set logging <SureLog IP>

We can also configure other options like logging facility , trap notifications, etc. .. as
Catalyst6500(config)# logging facility local7
Catalyst6500(config)# logging trap notifications

Configuring the Syslog Service on a UNIX Host

1. Login as root user and edit the syslog.conf file in the /etc directory.
2. Append *.*<space/tab>@<server_name> at the end, where <server_name> is the
name of the machine on which SureLog is running.
3. Save the configuration and exit the editor.
4. Edit the services file in the /etc directory.
5. Change the syslog service port number to 514, which is one of the default listener ports of
SureLog. But if you choose a different port other than 514 then remember to enter that same
port when adding the host in SureLog.
6. Save the file and exit the editor.
7. Restart the syslog service on the host using the command:
/etc/rc.d/init.d/syslog restart

For configuring syslog-ng daemon in a Linux host, append the following

entries

destination bonasusplus { udp("<server_name>" port(514)); };

log { source(src); destination(bonasusplus); };

at the end of /etc/syslog-ng/syslog-ng.conf, where <server_name> is the ip

address of the machine on which SureLog is running.
Configuring the Syslog Service on a HP-UX/Solaris/AIX Host
1. Login as root user.
2. Edit the syslog.conf file in the /etc directory as shown below.
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug <tab-

separation>@<server_name>;

For Solaris host, it is just enough to include *.debug<tabseparation>@<server_name> in the syslog.conf file.
3.

4.
5.
6.

7.

where, <server_name> is the name of the machine where SureLog server or Service is
running. Just ensure that only a tab separation alone is there in between *.debug and
@<server_name>.
Save the configuration and exit the editor.
Edit the services file in the /etc directory.
Change the syslog service port number to 514, which is one of the default listener ports of
SureLog. But if you choose a different port other than 514 then remember to enter that same
port when adding the host in SureLog.
Start the syslog daemon running on the OS. You need to just execute the below command.
Usage : /sbin/init.d/syslogd {start|stop}

Command to be executed :
(for HP-UX) /sbin/init.d/syslogd start
(for Solaris) /etc/init.d/syslog start
(for IBM AIX) startsrc -s syslogd
Configuring the Syslog Service on VMware
All ESX and ESXi hosts run a syslog service (syslogd) which logs messages from the
VMkernel and other system components to a file.

To configure syslog for an ESX host:

Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX
host. To configure syslog for an ESX host, you must edit the /etc/syslog.conf file.

To configure syslog for an ESXi host:

On ESXi hosts, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to
configure the following options:
o

Log file path: Specifies a datastore path to the file syslogd logs all messages.

Remote host: Specifies a remote host to which syslog messages are forwarded. In
order to receive the forwarded syslog messages, your remote host must have a
syslog service installed.
Remote port: Specifies the port used by the remote host to receive syslog messages.

To configure syslog using vSphere CLI command :

For more information on vicfg-syslog, refer the vSphere Command-Line Interface Installation
and Reference Guide.
To configure syslog using vSphere Client:
1.
2.
3.
4.
5.

In the vSphere Client inventory, click on the host.

Click the Configuration tab.
Click Advanced Settings under Software.
Select Syslog in the tree control.
In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog
will log messages. If no path is specified, the default path is /var/log/messages.

The datastore path format is [<datastorename>] </path/to/file> where the path is relative to
the root of the volume backing the datastore.
Example: The datastore path [storage1] var/log/messages maps to the path /
vmfs/volumes/storage1/var/log/messages.
6. In the Syslog.Remote.Hostname text box, enter the name of the remote host where syslog
data will be forwarded. If no value is specified, no data is forwarded.
7. In the Syslog.Remote.Port text box, enter the port on the remote host where syslog data will
be forwarded. By default Syslog.Remote.Port is set to 514, the default UDP port used by
syslog. Changes to Syslog.Remote.Port only take effect if Syslog.Remote.Hostname is
configured.
8. Click OK.

Importing Windows Event Logs

In order to collect most of the necessary windows events. Audit logs must be enabled.
Configuring Audit Policies

Planning is an important step in the auditing process. Administrators should be selective in

determining the objects to audit. Auditing creates system overhead, therefore auditing too
many objects will cause the security log to become large and difficult to manage.
Before audit records are logged, an auditing policy must be established. The policy defines
the types of events that will be audited for a specific user or group of users. However,

enabling the auditing policy is only part of the work associated with setting up auditing.
Auditing implementation has several steps:
1.
2.
3.
4.
5.

Enable auditing on the domain controller.

Select objects to audit, and set the system access control lists (SACL) for the objects.
Configure the event log.
Protect the audit data from unauthorized access or modification.
Review and maintain the audit logs.

This subsection deals only with steps one and two; all other aspects of audit management are
addressed in the Audit Management subsection of this document.
An auditing policy specifies categories of security-related events that must be audited. When
Windows 2000 is first installed, all auditing categories are turned off. By turning on various
auditing event categories, the administrator can implement an auditing policy that suits the
security needs of the organization.
Auditing can be enabled on the Domain Controller as follows:
1.
2.
3.
4.
5.

Log on using an administrator account.

Open the Active Directory Users and Computers tool.
Right-click the container holding the domain controller and click Properties.
Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
In the Group Policy window, expand Computer Configuration, navigate to
Windows Settings, to Security Settings, and then to Local Policies.
6. Select Audit Policy.

7. As an example, double-click Audit Directory Service Access policy and choose to

enable or disable successful or failed access attempts.

8. Click OK. It will take a few minutes for the change to take effect, and other domain
controllers will receive the change at the next regular replication interval.
Enabling Object Auditing
If audit access to objects is chosen as part of the audit policy, either the audit directory service
access category (for auditing objects on a domain controller), or the audit object access
category (for auditing objects on a member server) must be also turned on. Once the correct
object access category has been turned on, each individual object's Properties can be used to
specify whether to audit successes or failures for the specific access request to each group or
user.
Enabling Auditing on Directory Objects
The administrator can set an auditing SACL for a directory object using the following
procedure:
Warning: The SeSecurityPrivilege allows a user to set SACLs on objects. Administrators
must ensure that this privilege is not assigned to non-administrative users.
1. Log on using an administrator account.
2. Open the Active Directory Users and Computers tool.
3. On the View menu, select Advanced Features.

4. Locate the container for the object, right-click it, and then click Properties.
5. Click the Security tab.

6. Click Advanced, and click the Auditing tab.

7. Click the Add button.
8. Select a security principle name and click OK.

9. A dialog box will appear with two tabsObject and Properties.

10. The Object tab allows the selection of generic and control rights to audit.
11. The Properties tab allows selection of property accesses to audit.
12. Use the pull-down lists to make selections.
13. Click each tab that needs to be modified, and select the check boxes for the accesses or
properties to be audited.
14. Check the Apply . . . box and then click OK.

15. In the Access Control Settings window, choose whether the choices will be inherited
from the parent container to this object. If yes, then select the Allow inheritable
auditing entries from parent to propagate to this object check box.

16. Click Apply, and then click OK.

17. In the Properties window, decide whether auditing permissions must be inherited
from the parent container to propagate this object. If yes, then check the appropriate
box.

18. Click Apply and then click OK.

Enabling and editing Audit on Files and Folders

To set, view, change, or remove auditing for a file or folder:

1. Open Windows Explorer, and then locate the file or folder to audit.
2. Right-click the file or folder, select Properties, and then click the Security tab.

3. Click Advanced, and then click the Auditing tab.

4. To set up auditing for a new group or user, click Add.
5. In Name, type the user name, or select a user from the list and then click OK to
automatically open the Auditing Entry dialog box.

6. In the Auditing Entry dialog box, under Access click Successful, Failed, or both to
select the events to be audited for this user and then check the Apply these auditing
entries to objects and/or containers within this container selection box if it is
necessary to propagate the changes to sub-containers. Click OK to close the Auditing
Entry dialog box.

7. To view or change auditing for an existing group or user, simply click on the name,
and then click View/Edit.
8. To remove auditing for an existing group or user, click the name, and then click
Remove.
Note:
If necessary, in the Auditing Entry dialog box, select where auditing is to take place in the
Apply onto list. The Apply onto list is available only for folders.

Before Windows 2000 will audit access to files and folders, the Audit Object Access
setting in the Audit Policy must be enabled. If not, an error message will appear when
auditing is set up for files and folders, and no files or folders will be audited. Once
auditing is enabled, view the security log in Event Viewer to review successful or failed
attempts to access the audited files and folders.

The Import Windows Event Logs link lets you import a Windows event log file from the
local machine or remotely. In order to import Windows Event Logs, AD settings must be
done before.
After configuring AD, SureLog will start discovery and when discovery finished discovered
computers will be listed.

SureLog monitors Only Selected Computers or All Computers.

Only Selected Computers: Collect logs from selected computers

All Computers: Collect logs from all computers

All Logs: Collect all windows events
Pre-Configured Logs: Collect only report ready windows events