Are there some best practices for how to implement central logging with multiple firewalls using the new syslog-ng?
I plan to set up a Graylog instance for all logs to be collected.
Are the logs tagged with the hostnames of the machines, so I can point multiple firewalls to one log server and still be able to review them by hostname? If I have an HA cluster, how are the logs processed from both machines? Do they need to be configured per machine, or is the logging switched as the secondary becomes active?
Regards,
Dominik
syslog already includes the source host(name) in each log message; just read RFC3164 and RFC5424.
There is a Logstash plugin for parsing the firewall logs by Fabian: https://github.com/fabianfrz/logstash-filter-opnsensefilter
Well, o.k., I do have the hostname in the source, but that's not the FQDN, only the hostname.
I combine it in my filters with the IP, so I can identify the logs for each host for now.
Since I have multiple firewalls named fw1, for example, only the FQDN would differ.
For now it works to separate the logs. Will check how the HA cluster behaves in the next few days.
Thanks for the references to the RFCs.
Regards,
Dominik
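An added example (not code from this thread, from OPNsense, or from Graylog) of what the two replies above describe: a small Python parser that pulls the HOSTNAME field out of RFC 3164 and RFC 5424 syslog headers and, when that field is a bare short name rather than an FQDN, falls back to keying on the sending IP address so that two firewalls that are both called fw1 stay separable. The sample datagrams, the 192.0.2.x addresses and the abbreviated filterlog payloads are constructed for this example.

```python
import re
from collections import defaultdict

# RFC 3164 ("BSD syslog"): <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG
# The timestamp carries no year; HOSTNAME is a single token.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# "-" is the NILVALUE for any of the header fields.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)


def parse_syslog_header(line):
    """Return the header fields of one syslog line, or None if it matches neither format."""
    m = _RFC5424.match(line)
    if m:
        host = m.group("host")
        pri = int(m.group("pri"))
        return {
            "version": 1,
            "facility": pri >> 3,          # PRI = facility * 8 + severity
            "severity": pri & 7,
            "hostname": None if host == "-" else host,
            "app": None if m.group("app") == "-" else m.group("app"),
            "msg": m.group("msg"),
        }
    m = _RFC3164.match(line)
    if m:
        pri = int(m.group("pri"))
        # TAG is the text up to the first colon, e.g. "filterlog[41277]"
        tag, sep, rest = m.group("msg").partition(":")
        return {
            "version": 0,
            "facility": pri >> 3,
            "severity": pri & 7,
            "hostname": m.group("host"),
            "app": tag if sep else None,
            "msg": rest.lstrip() if sep else m.group("msg"),
        }
    return None


def is_fqdn(hostname):
    """A short name like 'fw1' has no dot; an FQDN like 'fw1.example.net' does."""
    return hostname is not None and "." in hostname


def source_key(hostname, peer_ip):
    """Key that tells two firewalls apart even if both announce themselves as 'fw1'.

    An FQDN is unique on its own; a short name (or a missing one) is combined
    with the address the datagram arrived from, which the collector observes itself.
    """
    if is_fqdn(hostname):
        return hostname
    return f"{hostname or 'unknown'}@{peer_ip}"


def group_by_source(datagrams):
    """Group (peer_ip, raw_line) pairs into {source_key: [msg, ...]}."""
    groups = defaultdict(list)
    for peer_ip, line in datagrams:
        rec = parse_syslog_header(line)
        if rec is None:
            groups[f"unparsed@{peer_ip}"].append(line)
            continue
        groups[source_key(rec["hostname"], peer_ip)].append(rec["msg"])
    return dict(groups)


# Constructed sample: two RFC 3164 senders that both call themselves "fw1"
# (only the source IP differs) and one RFC 5424 sender that reports its FQDN.
SAMPLE_DATAGRAMS = [
    ("192.0.2.1", "<134>Sep  2 10:15:01 fw1 filterlog[41277]: 65,,,0,em0,match,block,in,4,..."),
    ("192.0.2.2", "<134>Sep  2 10:15:01 fw1 filterlog[41277]: 66,,,0,em0,match,pass,in,4,..."),
    ("192.0.2.3", "<134>1 2019-09-02T10:15:02+02:00 fw1.site-b.example.net filterlog 41277 - - 67,,,0,em0,match,pass,in,4,..."),
]

if __name__ == "__main__":
    for key, msgs in group_by_source(SAMPLE_DATAGRAMS).items():
        print(f"{key}: {len(msgs)} message(s)")
```

The point of `source_key` is that the HOSTNAME field is whatever the sender chose to put there, so with short names the receiver has to bring in something it controls (the peer address) before it can tell the hosts apart; once the senders emit an FQDN, or are simply named differently, the header alone is enough.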
The 19.7.3 release notes mention that the FQDN is now sent.
Naming firewalls differently would still be my preferred option.
Thank you for the hint. I saw it already but had no time to start updating one of the firewalls to verify it is what I need. :)