syslog destination

[udi-mosh]

Hi,

to which network port should i send the syslogs ?
to the mangement port ?
another network port that i need to configure and assign ip address ?

[kwwv]

@udi-mosh Have you reviewed the syslog documentation? The port to send to can depend on the syslog sender. If there is an existing filebeat, use that as the parsing is typically better. However, if there isn't a filebeat module you can send to tcp/udp 514 but will still need to follow the directions for so-allow

[udi-mosh]

@kwwv , forgive me for using the wrong term. what i meant to by "network port" is network card.
i have done my reading prior to this post and couldn't understand what to do.
i have 2 servers. 1 running manager\search and 1 running forward. forward has 6 net ports for hardware tap sniffing.
what i couldn't understad is should i send them to the manager management interface or should i send it to the forwarder management interface or should i configure a new ip enabled interface on a free network card on the forward.

[udi-mosh]

sorry but the documentation is a little bit confusing.
if i want to parse fortinet i need to configure the management node to accept syslog 9004 udp, correct ?
should i need to configure filebeat module on the managers global.sls or minion's sls ?
so-allow, how do i use it to configure the firewall ?
should i use s-firewall instead ?
would appreciate a walkthrough

[kwwv]

I am not a maintainer, so I can only speak to my experience on this.

if i want to parse fortinet i need to configure the management node to accept syslog 9004 udp, correct ?

Yes. See the link below

should i need to configure filebeat module on the managers global.sls or minion's sls ?

I have one manager and three minions. I needed to configure it on the manager and all three minions sls then run the salt highstate command. I am not sure if this is best practice, I just know it works for me.

so-allow, how do i use it to configure the firewall ?

This is what I used. You will also need to add a portgroup and hostgroup

would appreciate a walkthrough

infosecgoon's info in here is solid #9705

[udi-mosh]

thank you very much. will check it.
just to see that i understand...
i do the filebeat configuration on the manager's node and the firewall configuration on the sensor ((forward) node, correct ?

[udi-mosh]

@kwwv , thank you very much again. read the whole manual again and followed your link and everything is starting to clear up

[kwwv]

@udi-mosh great!